
Protecting Employees’ Personal Information

Where were you when the Data Privacy Act (DPA) took effect? Exactly. So few of us recognize this potentially troublesome aspect of our daily transactions.

The Need for Data Privacy

The concept of data privacy is not new; the concern has existed in many countries since the early 1980s. In recent years, however, the increased use of the Internet and the resulting prevalence of identity theft have made data protection a primary concern for governments, corporations and private individuals. Identity theft imposes heavy financial costs and can cause irreparable harm to the individuals whose identities are stolen. It has been found that identity theft occurs most often when organizations that have a responsibility to secure information fail to do so. Various countries are imposing stiff penalties on companies that breach data privacy rules, and in some cases the employees of such companies can be criminally charged for violating data privacy laws. Such violations are punishable whether intentional or negligent.

Safe Harbor

“Safe Harbor” was created for U.S. organizations that need to exchange data freely with E.U. countries. Any organization certified as complying with the U.S. Department of Commerce’s data privacy provisions is deemed to have Safe Harbor under the E.U. data privacy directive. When an organization voluntarily certifies itself to Safe Harbor, it agrees to follow the information-handling provisions and is held responsible for adhering to those principles by the Federal Trade Commission and by other oversight schemes. For companies that subscribe to the Safe Harbor provisions and have offices in foreign countries, the same rules apply to all of their worldwide offices. Violation of the act subjects the company and the employee(s) to stiff penalties imposed by the U.S. Department of Commerce, the E.U. or another data privacy-monitoring organization.

Employee’s Responsibility

Employees should be charged with keeping all documents under secure lock and key when not in use, not leaving personal data on a desktop or in an unlocked desk drawer or cabinet, logging out of computers when not working, verifying identity before disclosing any personal information, not disclosing personal information about others to third parties, and immediately reporting to management any breach or possible breach of data privacy.

Management’s Responsibility

Management representatives of a corporation are responsible for creating the data privacy procedures that their employees should adhere to, and for making that information available to every employee who comes in contact with personal data. Procedures should ensure that every new employee understands the need for data protection and the rules that govern it, that the individuals responsible for handling all data privacy issues and policies are identified, and that personal data is inaccessible to visitors and to anyone without a need to know. A written contract of service should be in place that includes standard data privacy contract language. In addition, all personal information should be used only within the reasonable expectations of the individuals concerned.

DPA Directive

Information

The Data Privacy Act (DPA) of 1998 is the result of the countries of the European Union agreeing that enforceable data privacy laws were needed. As a result, a set of rules grouped under the heading DPA was created to govern how personally identifiable information is stored and used. The DPA and the European Data Protection Directive provide that “member states shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” It applies to all European countries and is immediately enforceable in those countries. The United States, in the absence of its own data privacy laws, adheres to the European rules. The staff members of the Crown Worldwide Group (and its subsidiaries) are often required to receive and collect personal information from transferees who are relocating around the world. This information is handled and managed confidentially according to the customers’ requests and in accordance with the rules specified by Safe Harbor. Crown has been a member of Safe Harbor since November 2004.