With technology becoming increasingly sophisticated and the distribution of
information stretching worldwide, the issues of personal data are becoming more
prevalent. Bo Kremer-Jones talks you through the legal minefield that is data
protection.
A colleague tells you about a position opening up in their company. A
professional acquaintance of yours is looking for a new challenge and the new
job sounds like a perfect fit. You recommend him to your colleague and he asks
you to send on his CV before they contact him for an interview. You get back to
your desk and e-mail it across immediately. It seems so innocent and is so
easily done.
But, explains Jonathan Exten-Wright, a partner with legal advisers DLA,
"by pressing ‘send’, you are entering into a whole minefield of legal
issues. Simply by knowing that the person is looking for a new job doesn’t
necessarily mean you have his consent to share his personal details with a
third party. Is his consent implied or not?" he asks.
The legal minefield you are stepping into is covered by a whole body of data
privacy regulations, either currently in force or at least already put into
draft form by governments around the world.
The issues surrounding personal data have become much more prevalent with
the development of ever-more sophisticated technologies allowing information to
be shared and distributed much more easily – and on a worldwide scale. Indeed,
if information is to be shared between colleagues, departments or other firms,
the geographic locations of both parties can mean a world of difference in the
legalities involved.
The UK, for example, is in the process of creating regulatory requirements
covering the protection of personal data. Based on EU legislation covering the
same issue, a first draft has already been distributed by the UK’s Information
Commissioner, Elizabeth France.
This first draft, says Veronica Dean, a partner in the employment department
of UK law firm Hammonds, "is challenging, to say the least". She
explains: "The UK Government is currently looking at the proposal to
determine whether the code is actually workable." Going into more detail,
she adds: "The code suggests how – in an ideal world – employers should
use information and undertake the monitoring of their employees. The most
important thing that an employer can do is ensure it has a policy in place that
deals with data protection and the handling of data."
According to Anna-Marie Norbury, of international law firm Baker and
McKenzie, the proposed data protection regulations in the UK are based on three
main strands:
– "Information, information, information. You cannot tell employees
enough about what data you are keeping and how it is being kept, and what you
are doing with it.
– "Proportionality. Although this is not mentioned in the legislation,
the principle stems from the idea of proportionality. By that, I mean only hold
the information you need, don’t keep data that you don’t need. If you are
holding too much then it could be leveraged against you. When information
becomes irrelevant or redundant, make sure someone in the company is there to
weed it out and destroy it.
– "Security measures. This is especially important when it comes to
databases. Firms must ensure they take adequate security measures, know who can
access the information and make sure that it is difficult to hack into."
And firms clearly aren’t following Norbury’s third point very well. A survey
of 1,000 companies in the UK, carried out by professional services firm
PricewaterhouseCoopers (PwC), revealed that 44 per cent of organisations that
took part in the research suffered some sort of security breach in 2001.
Indeed, the increasing use of new technologies such as e-mail, the
internet and HR software means that businesses are becoming much more
susceptible to this sort of crime. PwC’s Chris Potter, who co-authored the
report, says: "As they have embraced e-business, both through giving
employees access to the web and e-mail, this has opened up a whole new set of
risks." (see box right).
Similar risks are faced by firms operating elsewhere in Europe too. And like
the UK, many have or are in the process of drawing up their own data protection
regulations, also based on the EU Directive.
A set of principles covering privacy of information on a pan-European scale
is nothing new. The Convention for the Protection of Individuals with regards
to Automatic Processing of Personal Data was open for signature by member
states of the Council of Europe in 1981. The Convention, which according to the
Council "is the first binding international instrument which protects the
individual against abuses which may accompany the collection and processing of
personal data, and which seeks to regulate at the same time the trans-frontier
flow of personal data", came into force on 1 October 1985.
In addition, the Council continues, it provides "guarantees in relation
to the collection of personal data, and outlaws the processing of ‘sensitive’
data on a person’s race, politics, health, religion, sexual life, criminal
record, and so on, in the absence of proper legal safeguards. The Convention
also enshrines the individual’s right to know that information is stored on him
or her and, if necessary, to have it corrected.
"Restriction on the rights laid down in the Convention," it adds,
"are only possible when overriding interests – for example, state
security, defence and so on – are at stake." And it ends: "The
Convention also imposes some restriction on trans-border flows of personal data
to states where legal regulation does not provide equivalent protection."
Despite EU-wide legislation being put into place, some member states still
prefer to implement their own specific policies in addition to the European
Directive. DLA’s Exten-Wright explains: "France, for example, is very
strict when it comes to data protection. It also has local legislation in
addition to the European Union regulations."
CMS Cameron McKenna, an international provider of legal and tax solutions,
notes: "Wherever the company [operating in France] employs at least 50
employees, the Works Council (Comité d’entreprise) must be consulted prior to
implementing any system to control employees’ activities." And it goes on:
"Article L.121-8 of the Labour Code states ‘no information concerning the
person of an employee can be obtained by a method that has not been notified in
advance to the employee’."
One reason France advocates a strict data privacy control is the strong
union influence. This is also true in Germany, where the collection of personal
data as well as its storage, alteration, deletion and other amendments are
regulated by the German Federal Data Protection Act (Bundesdatenschutzgesetz or
BDSG). Hans-Ludwig Drews of engineering giant Siemens recalls that when this
new act came into force in May 2001, "the main issue…was transposing the
EU data privacy protection directive into German law."
Like the EU Directive, "The BDSG permits collection, storage, transfer
and utilisation of personal data – to meet the purposes of a contractual
relationship for instance." But Drews notes that the act also forbids "any
transfer of personal data from files to so-called third parties, for example
persons or data processing organisations that are not part of the same company."
To meet the needs of the EU Directive on personal data protection and also
the requirements of the BDSG, Siemens assigned a "data privacy protection
officer to a single board member, who represents the full board". It
considers this to have been the only feasible option. And in considering
"the consequences of the BDSG for the company", Siemens warns against
forgetting "the costs incurred by the company".
Data protection measures in other European nations are less severe. In the
Netherlands, for example, says CMS Cameron McKenna, "there is no separate
data protection/privacy law and the Privacy Act (Wet Bescherming
Persoonsgegevens) covers data protection". The Swiss Federal Data
Protection Commissioner (SDPC), on the other hand, it adds, "has issued
recommendations on the control and use of e-mail and the internet at work."
Recently, the last point of the 1985 Council of Europe Convention –
‘restriction on trans-border flows of personal data to states where legal
regulation does not provide equivalent protection’ – has come to the forefront
of public attention, with reference to the US in particular.
More recently, the United States Mission to the European Union explains:
"In response to the European Commission Directive on Data Protection that
could interrupt transfers of personal information from Europe to countries
whose privacy practices are not deemed ‘adequate’, the US Department of
Commerce and the European Commission have developed a ‘safe harbour’ framework
that will allow US organisations to satisfy the European Directive’s
requirements and to ensure that personal data flows to the US are not
interrupted."
As the Initiative for Privacy Standardisation in Europe (IPSE) points out,
"Outside Europe, there is a greater reliance on self-regulation and on the
internal policies that such practices require." But, it adds: "This
situation is certainly changing as key players such as the US move to introduce
sectoral data protection law, particularly in the areas of financial and
medical information."
However, until such a law is formally adopted, it is vital that firms
operating in Europe properly control how information is sent to the US and how
it will be managed and shared by third parties there. Hammonds’ Dean explains:
"Let’s look at a company operating on a pan-European basis with a US
parent. It is normal that the US parent may ask for information regarding UK
and European employees. Yet, there is no guarantee that the US parent has
appropriate systems in place to ensure data privacy protection outside the
European Economic Area (EEA)." In these cases, Dean recommends that firms
ensure "individuals have consented to their information being sent outside
the EEA and that they also audit the recipient of the information to ensure
that it is dealing with it in a way that is compliant with UK and EEA
regulations."
To facilitate this process, the EU and the US Government have agreed on a
number of ‘Safe Harbour’ principles, the result of two years of discussion. US
Secretary of Commerce William M Daley says: "The Safe Harbour arrangement
is a set of commitments given voluntarily by US companies to satisfy EU
concerns that information transmitted over the internet will not be divulged to
unauthorised parties."
He continues: "This is a landmark accord for e-commerce because it
bridges the differences between EU and US approaches to privacy
protection."
According to the United States Mission to the European Union in Brussels,
"the Safe Harbour is a mechanism, which through an exchange of documents,
enables the EU to certify that participating companies meet the EU requirements
for adequate privacy protection. Participation in the Safe Harbour is
voluntary. Organisations will need to adhere to the privacy requirements laid
out in the safe harbour documents for all information received from the
EU," it says.
It adds: "Data transfers are the life blood of many organisations and
the underpinnings for all the electronic commerce. Without the Safe Harbour,
corporations would find it difficult to run multinational operations. Basic
information about their employees would not be transferred to the US.
Accountants would not be able to perform consolidated audits for multinational
firms with offices in Europe and the US."
Secretary Daley believes that the accord "will enhance consumer
confidence by protecting European citizens’ privacy, reducing business costs
and keep data flowing across the Atlantic."
It is not just when sharing data with parent companies or third parties in
the US that firms need to think before pressing ‘send’. It is vital that any
party working in a country outside the EU be properly investigated before data
can be sent to the US. The European Commission is working on an ‘approved list’
of countries that provide adequate protection for personal data transferred
from the EU.
It states that to date: "The Commission has adopted a ‘Decision’ to the
effect that Switzerland and Hungary provide adequate protection for personal
data transferred to those countries from the EU." In addition, "In
relation to Canada a Commission Decision has been made in response to the
Canadian Personal Information Protection and Electronic Documents Act 2000.
This means that there is adequate protection in relation to the transfer of
personal data that would be covered by the provisions of this Act (that is,
personal information that an organisation which is a federal work, undertaking or
business collects, uses or discloses in a commercial activity)."
Other nations are also looking into their data protection regulations. Raymond
Tang, the privacy commissioner for personal data in Hong Kong, recently issued
a draft of the Code of Practice on Monitoring and Personal Data Privacy at
Work. Tang explains: "To the extent that information contained in
monitoring records amount to personal data, they should be collected in a way
that is fair in the circumstances and for lawful purpose related to the
function or activity of the employer."
In a presentation to the APEC E-commerce Steering group forum on privacy in
Mexico last February, he explained that although the burgeoning interest in
personal privacy issues may be normal in Hong Kong, in the Chinese context it
is a little surprising. "In Chinese society," he points out,
"the concept of privacy in a modern sense is relatively new. In Chinese
vocabulary, the word for ‘privacy’ connotes the notion of secrecy or that there
is something which an individual consciously wishes to hide." As a result,
"privacy relating to personal data, which is the principal concern of the
Office of Privacy Commissioner for Personal Data (PCO), is a novel
concept". However, he believes that despite Chinese cultural heritage,
this situation will change significantly. "From research undertaken by the
PCO, members of the community have come to regard the protection of personal
privacy as both an essential right and an important area of social
policy," he says.
Managing personal data
Why is proper management of personal
data so important and in need of such close scrutiny and control?
According to Donald Harris, president of HR Privacy Solutions
and one of the world’s leading authorities on HR data privacy: "The
promise of information technology to transform business practices in the new
networked global economy can only be realised if individuals have trust in
companies deploying it.
"Nowhere," he says, "is trust a greater issue
than when it comes to the sensitivity companies show towards the collection and
use of information about individuals. Whether that information be personal data
stored in a database, tracking an individual and his use of corporate
technology, or records of the individual’s communications, trust can only be
earned by companies which respect the individual’s right to privacy, in both
policy and practice.
"Fortunately," Harris adds, "there is strong
consensus, both domestically and internationally, as to what companies need to
do: apply the principles of fair information practice to their operations."
How safe is in-house information?
Cybercrime has rapidly increased over
recent years as employees spend more time surfing the web and hackers become
ever more accomplished at their task. This means the odds that personal
employee data held by a firm could be hacked into and shared with outside
parties have also risen significantly.
A spokesman for Radlan Computer Communications explains:
"The reality is that networks are more vulnerable than ever before. The
hacker’s life has never been easier and almost anyone can quickly become an
expert." He adds: "Intruders seek and take advantage of newly discovered
vulnerabilities in operating systems, network services and protocols. They
actively develop and use a number of utilities, freely available on the
internet, to rapidly penetrate systems."
To defend against such intrusions, more and more net managers are
setting up firewalls as the first line of defence. Properly
deployed, the firewall is an extremely effective security tool.
"However", warns Radlan, "too many companies
make the assumption that a firewall in itself guarantees security. It doesn’t.
Firewalls are set up to only guard against internet attack, for instance, but
do nothing to guard against internal intruders – approximately 60 per cent of
all network security breaches are made by users (both authorised and
unauthorised) already on the network, inside the firewall."
To avoid hacking, Michael Bywell, a partner with the
technology, media and communications group of legal advisory firm DLA,
recommends: "changing passwords on a regular basis and always closing down
e-mail accounts when employees leave the company".
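Bywell’s two housekeeping recommendations above, and Norbury’s earlier point that redundant personal data must be weeded out and destroyed, are the kind of controls that can be checked mechanically rather than left to memory. The following script is an added example, not code from the article or from any of the firms quoted: it audits a constructed directory export against an HR leavers list and a password-age policy, and flags personal-data records held past a retention period. The account names, dates, record categories and the retention policy are all hypothetical.

```python
"""Offboarding and data-retention audit (added example, hypothetical data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    """One entry from a (hypothetical) directory export."""
    username: str
    enabled: bool
    last_password_change: date


@dataclass(frozen=True)
class Record:
    """One entry from a (hypothetical) inventory of personal data held."""
    subject: str
    category: str
    collected: date


# Constructed sample data, not taken from the article.
ACCOUNTS = [
    Account("a.smith", True, date(2002, 1, 10)),
    Account("b.jones", False, date(2001, 12, 1)),
    Account("c.lee", True, date(2002, 5, 20)),
    Account("d.kumar", True, date(2001, 9, 1)),
]
# Username -> leaving date, as HR would report it.
LEAVERS = {"a.smith": date(2002, 3, 1), "b.jones": date(2002, 4, 15)}
RECORDS = [
    Record("e.wong", "recruitment", date(2001, 10, 1)),
    Record("c.lee", "payroll", date(2001, 1, 15)),
    Record("a.smith", "recruitment", date(2002, 1, 5)),
    Record("f.ali", "medical", date(2002, 5, 1)),
]
# Hypothetical retention policy: maximum days each category may be held.
RETENTION_DAYS = {"recruitment": 180, "payroll": 6 * 365}
MAX_PASSWORD_AGE_DAYS = 90


def stale_leaver_accounts(accounts, leavers, today):
    """Enabled accounts whose owner has already left: these should be closed."""
    return sorted(
        a.username
        for a in accounts
        if a.enabled and a.username in leavers and leavers[a.username] <= today
    )


def overdue_password_changes(accounts, max_age_days, today):
    """Enabled accounts whose password is older than the policy allows."""
    limit = timedelta(days=max_age_days)
    return sorted(
        a.username
        for a in accounts
        if a.enabled and today - a.last_password_change > limit
    )


def records_past_retention(records, retention_days, today):
    """Records held longer than their category allows, plus records whose
    category has no retention rule at all (someone must decide their fate)."""
    flagged = []
    for r in records:
        if r.category not in retention_days:
            flagged.append((r.subject, r.category, "no retention rule"))
        elif today - r.collected > timedelta(days=retention_days[r.category]):
            flagged.append((r.subject, r.category, "past retention period"))
    return sorted(flagged)


def audit(today):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "leaver_accounts_still_enabled": stale_leaver_accounts(ACCOUNTS, LEAVERS, today),
        "passwords_overdue": overdue_password_changes(ACCOUNTS, MAX_PASSWORD_AGE_DAYS, today),
        "records_to_review": records_past_retention(RECORDS, RETENTION_DAYS, today),
    }


if __name__ == "__main__":
    for check, findings in audit(date(2002, 6, 1)).items():
        print(f"{check}: {findings}")
```

Disabled accounts are skipped by both account checks, so an account that was correctly closed on departure produces no noise; a leaver whose leaving date is still in the future is likewise not reported. Records in a category with no retention rule are surfaced rather than silently ignored, which is the situation Norbury describes: data that nobody in the company has been made responsible for weeding out.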
If a hack attack has occurred, Bywell suggests:
– During investigations it is important to control any e-mails
concerning the investigation itself as the hacker may still have access to your
systems
– Get third-party help from an expert – computer forensics, for
example. This will ensure any evidence is collected in the right way and that
an independent investigation is embarked upon. An independent expert will also
be able to perform tasks that in-house skills could not tackle (such as restore
‘deleted’ items)
– Approach the organisation that the hack attack is coming from
– if the attack has been sourced as coming from another organisation (rather
than a home PC or internet cafe), inform the company. You will often find that
it will be fully co-operative in your investigations
Increased security post-11 September
What happened in the US on 11
September has led to increased discussion of data privacy and the protection of
an individual’s own personal information, whether it is held by companies, the
Government or third parties.
A Harris Interactive survey conducted for Privacy and American
Business (P&AB), an activity of the non-profit Center for Social and Legal
Research – a public policy thinktank – shows "signs of new post-11
September concerns: Most employees feel their employers should strengthen ID
procedures for entering premises and accessing computer systems, and undertake
more detailed background checks on job applicants." In addition, the report
on the survey says: "Thirty-five per cent felt their employer should do
more detailed background checks on current employees."
Although this runs counter to normal concerns about how
personal information is used, it appears that, since last September, US
employees are content for their data to be used in this way.
P&AB adds: "This attitude, formed by recent events,
may explain to some extent why Americans in this survey seem more accepting and
open-minded about their employer practices as they relate to privacy."
A clear example of this appears in the report, noting that:
"four out of five employees and managers say they would be willing to have
an ID card issued by their employer showing their photo, basic personal
information and a biometric identifier, such as a finger print to enhance
workplace security."
Although the events of 11 September clearly affected employees
in other countries too, their reaction to changes in data privacy regulations
has been less marked. Asked about changes in attitudes towards data protection
since the end of last year, Anna-Marie Norbury, of international law firm Baker
and McKenzie, who works predominantly with UK organisations, says: "There
has been no effect at all since the event, at least none that we have experienced."
Jan Tielemanns, a pan-European employment lawyer operating from
Brussels concurs: "Although the terrorist attacks last year had a great
effect on how many of us live and work, in Europe, we have seen no real
difference in attitudes toward how employee data should be used and
stored."
One reason for this, he believes, is "the differences that
already existed in regulations about data privacy on both sides of the Atlantic
before the events occurred".
Whereas the European Union has been considering and creating
controls for data protection in the region for some time, it is only recently
that the US has had to consider regulating how data is managed (see main story).