You re hired! Privacy issues when onboarding new employees. Ann Bevitt, Morrison & Foerster. John Gevertz, ADP. 19 April 2013 Presented By

Transcription

1 2012 Morrison & Foerster (UK) LLP All Rights Reserved mofo.com You re hired! Privacy issues when onboarding new employees Ann Bevitt, Morrison & Foerster 19 April 2013 Presented By John Gevertz, ADP

2 Agenda Notice and consent Sensitive personal data Collecting new data Retaining/deleting data previously collected Access to data Training staff Third parties Addendum: background checks

3 Notice & Consent C.f. notice and consent for applicants Notice: Ensure workers are aware of nature and source of their personal data, how they will be used and to whom they will be disclosed Inform workers of rights, e.g., right of access?notice is sufficient unless processing sensitive data Validity of employee consent:

4 Sensitive Personal Data E.g.: Health data (e.g., medical questionnaires and sick/fit notes) Equal opportunities monitoring data Trade union membership Religious beliefs Financial information (e.g., bank account, salary and benefits) Ensure security measures take account of risks associated with unauthorised access to/accidental loss of/destruction of/damage to sensitive personal data

5 Collecting New Data Identify business need Ensure data collected meets need Delete extraneous requests for data/data

6 Retaining/deleting Data Recruitment records Business needs: Identify need Ensure data retained meets need Provide workers with/allow workers to view online copy of, e.g., personal details, ask them to check for accuracy and update as necessary

7 Access to & Use of Data Limit access to staff data to those with legitimate business need to see data: Remove/restrict rights of access Manual records: locked rooms/filing cabinets Electronic records: passwords Check audit trails to detect unauthorised/suspicious use Limit use of staff data to uses notified to staff: WP29 03/2013 Opinion on purpose limitation

8 Training Use of company systems, e.g.: Tech Use Policy Social Media/Blogging Policy Confidential Information Policy Appropriate handling of company data Company s handling of their data

9 Third Parties If company engages third party to process personal data on its behalf as part of onboarding it must enter into a written contract which contains appropriate data protection provisions, e.g.: Limitation on use Information security (access controls, encryption, etc) Transfer and disclosures Data Breach Audit Destruction/return on termination

10 Top 5 Onboarding Takeaways Review records held after recruitment process Is there a business need to retain? Has notice been given/consent obtained? Securely delete all other records Ensure data collected meets identified business need Train/inform staff on: Use of company systems Appropriate handling of company data Company s handling of their data Comply with local labour/employment laws One size does not fit all countries!

11 Addendum: Background Checks Company must: Balance business needs v. applicants privacy rights Use least intrusive check Use reliable sources which are likely to provide relevant information Ensure check/examination/testing is necessary and justified, e.g.: To assess fitness to do job To provide benefits, e.g., pension or life insurance Allow applicant to make representations regarding information that will affect hiring decision

12 Medicals & Drug/Alcohol Testing Identify business purpose for examination or testing Make it clear to applicants early on in recruitment process that they may be subjected to medical Consider less intrusive ways of meeting objectives, e.g., medical questionnaire v. examination Risk of exposure to disability discrimination claims

13 References, Credit Checks and Court Judgments Explain to applicants the nature of and sources from which information might be obtained Only permissible: Where particular and significant risks and no less intrusive and reasonably practicable alternative As at late a stage as is practicable If made clear early on in recruitment process that vetting will take place Where used to obtain specific information, not as means of general intelligence gathering When sources are reliable and likely to provide relevant information Only approach family and friends in exceptional cases

14 Google and Social Networking Sites Where permitted: Explain to the applicant the nature of and sources from which information might be obtained and, if necessary, get consent Only Google to obtain specific information, not as a means of general intelligence gathering Allow applicant to make representations regarding information that will affect hiring decision Risk of exposure to discrimination claims

15 Top 10 Background Check Takeaways Give notice to applicants Have a legal basis for processing information Get applicants consent to processing of sensitive data Review (and, if necessary, revise) third party contracts Comply with local labor/employment laws Use reliable sources Ensure each check is necessary and justified in each case Use least intrusive form of check Allow applicant to make representations One size does not fit all countries!

16 Resources UK: ICO s Employment Practices Code, Employment Practices Code A Quick Guide and Supplementary Guidance Germany: Draft Employee Privacy Bill (in German) - zestexte/entwuerfe/entwurf_beschaeftigtendatenschutz.pd f? blob=publicationfile France: French Data Protection Guide to Employers: Les Guides de la CNIL: Guide pratique pour les employeurs

17 Questions Ann Bevitt Morrison & Foerster (UK) LLP, London John N. Gevertz VP, Office of Privacy, Risk and Governance Global Chief Privacy Officer ADP, Inc. +1 (973) This is MoFo. 17