Call today! 1 866 3 NYMITY
Username: Password:
Nymity News
Nymity logo
Home About Us

Interview with James Michael

June 2007

James Michael

 

Interviewee: James Michael, Editor, Privacy Laws & Business International Newsletter

 

Interviewer: Terry McQuay, President of Nymity


Subject: Employee Privacy

 

Nymity: Do all countries in the EU have private-sector privacy laws for employee personal information?

 

Michael:  There are not only national data protection statutes that apply to employees, but there are other legal provisions for employees, such as laws implementing the Directive on Telecommunications and Data Protection. In some countries, such as Italy and Greece, negotiation with trade unions is particularly important when doing surveillance of employees. National labor law provisions work together with data protection law to strengthen workers’ consultation rights in France and in some other countries. In Germany, the workers councils have even stronger rights which extend to co-deternination regarding decision-making over issues which impact the employees.

 

Nymity: What are the requirements for transferring employee personal information outside of the country to Canada?

 

Michael:  Transferring employee information from an EU country to Canada is essentially the same as transferring customer information: the Canadian protection provided by PIPEDA is adequate by European standards, and the employees should be kept informed of this international transfer.

 

Nymity:  To the US?

 

Michael:  Avoid transferring EU employee information to the United States, which has not been found to provide adequate protection, and is not likely to obtain such a finding in the next few years. If it is absolutely necessary, transfer the personal data only to a company that has been approved for processing Human Resources data as part of the Department of Commerce’s Safe Harbor scheme. Write in contractual provisions permitting the transfer of employee data to third parties only for specific and relevant purposes, such as processing of personal data for payroll, stock options or pensions administration.

Nymity: What are the top risks to companies on employee issues related to the collection, use, retention and disclosure of personal information?

 

Michael:  The main risks are in covert or coerced collection. Informed employee consent is very important. In circumstances when that is no possible, or would defeat the purpose of collection, compliance with the relevant code of conduct approved by the national data protection authority is essential. The United Kingdom has such a code which you can find at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/employment_practices_code.pdf

 

It covers:

 

    • What the Data Protection Act means to an employer
    • Recruitment and selection
    • Employment records
    • Monitoring at work
    • Information about workers' health
    • What rights do workers have?

 

A quick guide and supplementary guidance are also available. Although national laws differ in the 27 member countries in the European Union, this document will take you far in your attempt to grapple with the European data protection laws’ coverage of Human Resources issues.

 

Improper use of employee information is also a risk. Again, informed employee consent when the information is obtained is central.

 

Excessive retention in terms of amount and time are nearly as bad as improper use, if only because of the risk that the information will be used improperly, and the even greater risk that it will become outdated and inaccurate.

 

Disclosure to third parties is also risky, unless it has the employee’s consent, or is required by law. Refusal of employee rights of subject access and correction are also risky behaviour, and should not be resorted to unless there is a very good reason under the data protection statute, and not just because it could lead to awkward consequences for management.

 

Nymity: Are there major difference in privacy laws for employee privacy from one country to the next?

 

Michael:  The data protection laws are all pretty much the same, as they all implement the EU Data Protection directive. There are some differences in the involvement of labor unions in agreeing to collection of information, e.g. Italy and Greece. Also, there are differences in the rules on employers’ monitoring of employees’ use of e-mail and the Internet.

Some countries have specific guidance on use of closed circuit television in the work place. For example, Portugal has published in English on its website: Guidelines on the use of biometric data at the workplace – access control (2004) and Recommendations on the monitoring of employees at the workplace: phone calls, e-mail and Internet access (2002) – Resume Paper

You can easily gain access to just about every Data Protection Commissioner’s website via our Privacy Laws & Business website’s links tab at the top of the home page at www.privacylaws.com - please let us know if we are missing any!

Nymity: Does transferring employee information from Canada make it subject to privacy laws in the EU?
 

Michael:  Yes. So long as the processing is done within an EU jurisdiction, or with equipment located in the European Union, it is subject to the data protection law of that jurisdiction.

 

Nymity: What are some of the major considerations related to the retention of employee personal information?

 

Michael:  Two of the major issues are excessive retention in terms of amount and time, and security of data. The EU draft Data Retention Directive is likely to apply to some employee information, especially telecommunications traffic and location data. The Directive may, however, be subject to objection on similar grounds to those that led the European Court of Justice to find that the Agreement on transfer of European Passenger Name Records to the US to be invalid.

 

Nymity: How is employee consent handled in EU privacy laws?

 

Michael:  Employee consent is often handled through the contract of employment, so that the employee is informed at the beginning of employment how personal data will be collected and processed, the purposes it will be used for, and how long it will be retained. Often this will also be the subject of negotiation with the representative labor union. However, many Data Protection Authorities in the European Union take the view that consent in the employment context cannot be given freely, as the person’s job may depend on agreeing to a particular process.

 

Nymity: In closing, what privacy recommendations do you have for organizations based in Canada that have employees located in the EU?

 

Michael:  Comply with the terms of the EU Data Protection Directive and the data protection law or laws of the particular EU country or countries where the employees are located. Seek help and continue to monitor developments from a reliable information source. Many leading multinational companies and large law firms use Privacy Laws & Business as one of these sources.

 

Finally, keep up to date by keeping watch on the news on the home page of www.privacylaws.com and subscribe to the Privacy Laws & Business International and United Kingdom Newsletters (http://www.privacylaws.com/templates/Page.aspx?id=297). You can then ask us your own specific questions!

 

My contact details are at: ( http://www.privacylaws.com/templates/PLBTeam.aspx?id=395 )

 

 

 

 

Now Hiring

 

 

 

 

 

 


Contact Us | Privacy Policy | Terms of Use and Disclaimer © 2003 - 2008 NYMITY