
ITechLaw 9th International Asian Conference

Privacy Issues Relating to Employee Data


February 14 and 15, 2013

Introduction

Agenda:
- EU Directive on Data Protection and Privacy as it applies to employee data
- Compliance with the EU Directive from a German perspective and in a global environment, where employee data often crosses borders in cyberspace
- BYOD: legal barriers for BYOD strategies, a holistic approach to legal compliance and security, with an additional focus on employee data
- A brief overview of the Indian perspective
- Panel discussion
- Audience Q & A

Topics covered for India, France and Germany:
- Laws that regulate the collection, use and handling of an employee's personal data
- Restrictions on the acquisition, use and maintenance of employee data
- Period of retention of employee data
- Transfer of employees' data to third parties and/or overseas
- Consequences of breaching the regulations

ITECHLAW BENGALORE CONFERENCE 14th and 15th February 2013

Employee data protection issues: Privacy issues relating to employees

1. Overview of the European regulations

In Europe the common legal basis is Directive 95/46/EC of 24 October 1995. Purpose of this legislation:
- strengthen citizens' rights to privacy, and
- modernise the existing legal framework to take into account the new challenges created by the development of new technologies and the effect of globalisation.

EU countries may locally implement other rules as long as they respect the minimum provisions of the EU Directive.
The 1995 Directive is expected to be replaced, probably in 2014-2016, by a Regulation that will be automatically and identically applicable in each European country.

2. Scope of the Directive

WHICH PERSONAL DATA IS CONCERNED?
The notion of personal data is very wide. It covers important data (social security number, family status, etc.) as much as innocuous data such as the employee's name, date of birth, address, etc.
Definition of "personal data" in the Directive: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Employee data collected by employers are most often needed for the daily management of employees within the company (social security number, surname, first name, date of birth, address, etc.).
The employer generally cannot collect sensitive data, i.e. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.

WHICH PROCESSING OF EMPLOYEE DATA FILES IS CONCERNED?
Any automated processing of personal data contained in any file is likely to fall under the Directive. Examples:
- Excel file: any database
- Word file: any list (e.g. employees' career records)
- Online business directory
- Any type of file on computers, phones or any electronic device
- GPS
- Biometric systems
- Video recording
- Etc.

General rule: not anyone may collect anything.

For employee data the employer, called the controller, is required to complete the formalities.
Role: the controller determines the purposes and means of the processing of personal data.
Liabilities: the controller is in charge of compliance with the provisions of the EU Directive.

HOW ARE THESE DATA COLLECTED AND PROCESSED?
Principles of proportionality and purpose:
- protection of legitimate interests;
- proportionality to the goals pursued.

Principles of privacy and security

The employer, as controller, is bound by a security obligation: it must take the necessary measures to ensure the confidentiality of the data and prevent its disclosure to unauthorised third parties.

EMPLOYEES' RIGHTS
- Right to information
- Right of access and rectification
- Right of objection: except where local laws require the employer to collect and use the data; the objection must be based on valid reasons.

WHICH FORMALITIES?
Notification to the Data Protection Authority prior to the implementation of any processing of personal data. Exemptions from or simplifications of the notification can be defined by Member States.


3. Maximum period of conservation of employees' personal data

EU: no longer than necessary to achieve the purposes for which the data are collected or processed.
France: the period of conservation depends on the purpose of each file.

Maximum periods of conservation by type of personal data:
- Human resources and management data (social security number, name, surname, date of birth, address, personal situation of the employee): no longer than the termination of the employment contract
- Video recordings: a few days to 1 month maximum after recording
- Recruitment / candidates' data: no longer than 2 years after the last contact with the person
- GSM / GPS data: usually 2 months

Caveat: burden of proof and statute of limitations.
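The retention table above is easiest to enforce as a scheduled job rather than a manual review, because each category counts from a different anchor event (end of contract, recording date, last contact) and the burden-of-proof caveat means some expired records must be held back. The following is an added illustration, not code from the TLD Legal slides: the category names, event names, the legal_hold flag and the sample records are assumptions made for this example, and the ranges given in the table ("a few days to 1 month", "usually 2 months") are taken at their upper bound.

```python
"""Retention job applying per-category maximum periods to employee records.

Added illustration, not code from the slides. POLICY encodes the table above
with ranges taken at their upper bound; the category names, event names, the
legal_hold flag and the sample records are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# category -> (anchor event that starts the clock, maximum retention after it)
POLICY: Dict[str, Tuple[str, timedelta]] = {
    "hr_master":   ("contract_terminated", timedelta(days=0)),    # delete at end of contract
    "video":       ("recorded",            timedelta(days=30)),   # a few days to 1 month
    "recruitment": ("last_contact",        timedelta(days=730)),  # 2 years after last contact
    "gsm_gps":     ("recorded",            timedelta(days=60)),   # usually 2 months
}

# Date of the conference, used as "today" in the stand-alone run below.
REFERENCE_DATE = date(2013, 2, 14)


@dataclass
class Record:
    record_id: str
    category: str
    events: Dict[str, date] = field(default_factory=dict)  # anchor events seen so far
    legal_hold: bool = False  # burden of proof / statute of limitations exception

    def expires_on(self) -> Optional[date]:
        """Date from which the record may no longer be kept, or None if the
        anchor event has not happened yet (e.g. the employee still works here)."""
        anchor, period = POLICY[self.category]
        start = self.events.get(anchor)
        return None if start is None else start + period


def retention_status(record: Record, today: date) -> str:
    """'active' (clock not started or period not over), 'due' (must be purged)
    or 'on_hold' (period over but kept because of a pending claim)."""
    exp = record.expires_on()
    if exp is None or exp > today:
        return "active"
    return "on_hold" if record.legal_hold else "due"


def purge_due(records: List[Record], today: date) -> List[str]:
    """IDs of records that must be deleted today, sorted for a stable report."""
    return sorted(r.record_id for r in records if retention_status(r, today) == "due")


def sample_records() -> List[Record]:
    """Constructed sample data; the IDs and dates are made up."""
    return [
        Record("hr-001", "hr_master"),  # still employed: no anchor event yet
        Record("hr-002", "hr_master", {"contract_terminated": date(2012, 12, 31)}),
        Record("hr-003", "hr_master", {"contract_terminated": date(2012, 12, 31)}, legal_hold=True),
        Record("cam-17", "video", {"recorded": date(2013, 2, 1)}),
        Record("cv-88", "recruitment", {"last_contact": date(2011, 1, 10)}),
        Record("gps-5", "gsm_gps", {"recorded": date(2012, 12, 1)}),
    ]


if __name__ == "__main__":
    for r in sample_records():
        print(f"{r.record_id:8} {r.category:12} expires={r.expires_on()} "
              f"-> {retention_status(r, REFERENCE_DATE)}")
    print("purge:", purge_due(sample_records(), REFERENCE_DATE))
```

The job never deletes on its own authority a record that is on legal hold; it only reports it, so the decision to keep data beyond the table's period stays a documented exception rather than a silent default.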

4. RESTRICTION OF INTERNATIONAL TRANSFER OF EMPLOYEES' PERSONAL DATA

IS AN INTERNATIONAL TRANSFER OF PERSONAL DATA PERMITTED?
- From one European country to another European country: YES
- From a European country to a non-European country: NO. Exception: if an adequate level of protection is granted.
In any case, the employee must have given prior consent to the international transfer of his/her personal data.

5. CONTROL OF COLLECTION AND PROCESSING OF EMPLOYEES' PERSONAL DATA

Control is exercised:
- by the local Data Protection Authority;
- by a designated person (other than the controller) who ensures that the processing is carried out lawfully; this appointment is not mandatory in every Member State;
- by the employee.

6. SANCTIONS FOR VIOLATION OF THE EMPLOYER'S OBLIGATIONS

Civil sanctions: the employer's liability is incurred and compensation for the damage suffered may be sought by the employee.
Criminal sanctions: the Directive leaves it to Member States to provide criminal sanctions.

Specific sanctions provided by French labour law:
- inadmissibility of the evidence obtained;
- cancellation of the disciplinary sanction imposed;
- abusive (unfair) dismissal;
- offence of obstruction if the employees' representative bodies are not informed and consulted;
- possible civil action by a union / elected employee representatives.

Thank you for your attention!

Frédérique David, Partner, TLD Legal, fdavid@tldlegal.com

Privacy Issues relating to Employee Data in Germany


EU Employee Data Protection
Roland Falder Bird & Bird LLP Munich
Bangalore, February 14th, 2013

General Concepts of Privacy

Historical background: privacy is the individual's right to determine which information about him or her is available, both to the Government/State and to private individuals/companies.

Art. 12 Universal Declaration of Human Rights:
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Government/State:
- Europe: Fascism, Communism
- UK/US: Cold War, War on Terror
- Authoritarian regimes
Private individuals/companies:
- Free-market approach vs. consumer-protection approach

Current legal situation in the EU

Data Protection Directive (Directive 95/46/EC): requires member states to enact laws that observe the limits set by the Directive.
National data protection laws.
The Directive itself is only marginally relevant for employee data protection.

New Proposal
Data Protection Regulation, January 25th, 2012
- Replaces and supersedes the EU Directive
- Self-executing (directly applicable in member states), but special rules for employee data in national laws remain possible (Art. 82 Draft Regulation)
- Previous initiative of 2011/2002 for an employee Data Protection Directive abandoned

General Purpose and Highlights

a) Harmonisation of the rules throughout the EU to make compliance easier for non-EU countries; but: stricter compliance regime with severe penalties
b) Highlights:
- Extended scope: applies if personal data of EU residents are processed outside the EU
- European Data Protection Board coordinates the DPAs (of which only one is responsible for each company)
- New rules on privacy by design and by default, data protection impact assessments, data protection officers
- Consent-based approach (with employment-law exemptions)
- Heavy fines (up to 2 % of annual global sales revenue)
- Right to be forgotten
- Data portability

Time schedule:
First vote in April/May 2013; negotiations; final vote in 2014; implementation 2015

Germany

Data Protection Law (since 1978) without specific rules for employee data; before that: the first data protection law worldwide, 1970 in Hessen.
2008/2009: surveillance scandals at Deutsche Bahn and Deutsche Telekom => on 01.09.2009 an additional Section 32 (BDSG) restricted employer access to employee data.
New draft for specific employee data protection postponed, but a number of issues already clarified by court decisions.

Issues in Germany
- Consent and shop (works) agreements
- Control of telecommunications at the workplace / private use
- Video surveillance
- Transfer of employee data
- Co-determination by the works council
- BYOD

Outlook
Globalisation: borders are no barrier to the flow of information, which creates legal challenges.

Thank you
Roland Falder Bird & Bird LLP Munich
Bangalore, February 14th, 2013

Legal Barriers for BYOD Strategies A Holistic Approach to Legal Compliance and Security With a focus on Employee Data

Martin Wiechers Detecon International GmbH

We make ICT strategies work


BYOD Introduction and Overview

Bring Your Own Device: permitting employees to use personally owned devices to perform official tasks.
- The consumerisation of IT has reshaped the traditional IT landscape
- Traditional lines between work and personal life blur
- Trailblazer for BYOD: Intel in 2009
- A significant number of employees worldwide already use their own devices for work

Businesses simply can't block the trend.

Detecon

PRESENTATION_BYOD_MARTIN_WIECHERS _DETECON - FINAL.PPTX

39

BYOD as Worldwide Trending Topic
[chart slide: BYOD]

BYOD Market Overview and Perception
[chart slides: Global Internet Device Sales; Devices Used to Access Business Applications; IT Leaders' Opinion; Company IT Support for Employee-Owned Devices]

BYOD The Pros and Cons

Possible Advantages
+ Reduced capital expenditure (CAPEX)
+ Lower administration costs / management effort
+ Familiarity with the device = increased employee acceptance
+ Productivity increase: willingness to use the device in spare time (risk: claims for overtime compensation)
+ Access to business applications independent of the employee's location

Possible Disadvantages
- Increase in operational expenditure (OPEX)
- Incompatibilities due to a heterogeneous device landscape
- Security risks
- Taxation issues
- Works council involvement
- Germany / EU: the company remains the responsible entity for data processing; technical and organisational measures are difficult to establish on the device
- Germany / EU: access restrictions due to the secrecy of telecommunications and data protection

Designing BYOD Strategies Initial Thoughts

Factors to reconcile:
- Management goals
- Internal compliance
- Security requirements
- IT requirements
- Legal framework

BYOD A Legal Minefield?

BYOD strategies have a multitude of legal implications:
- Data protection issues, e.g. access to employees' personal data
- Copyright infringements, e.g. use of unlicensed apps for work
- Labour law, e.g. overtime, involvement of the works council
- Retention periods, e.g. storage of business documents on the device
- Recovery of possession, e.g. for an audit or on suspicion of offences
- Device replacement, e.g. a defect occurring during work

BYOD vs. Employee Data Protection Employer Access to Data from Different Spheres

Personal data vs. company data on the same device:
- Personal sphere: private e-mail account info & passwords, personal data, browser history, photos, chat logs, spare-time location data
- Company sphere: business e-mail account info & passwords, company data, sensitive documents, business secrets

BYOD vs. Employee Data Protection Basic Systematics of German Data Protection
German Data Protection in a Nutshell

Sec. 3 para. 1 BDSG (Federal Data Protection Act): "Personal data shall mean any information concerning the personal or material circumstances of an identified or identifiable natural person (data subject)."

Sec. 4 para. 1 BDSG: processing of personal data is only permitted if
- it is permitted directly by statutory law, or
- the affected person has given consent (Sec. 4a BDSG).

Everything is prohibited unless expressly allowed.

BYOD vs. Employee Data Protection Specific Provisions on Employee Data Protection are Generally Affected

BYOD generally affects personal data:
- Generally every private device contains personal data
- Personal data are affected by most IT administrative tasks

Specific provision for the employment relationship, Sec. 32 para. 1 BDSG: an employee's personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.

Every stage of the employment relationship is covered: hiring, carrying out and terminating the contract, including assessments of performance and behaviour and measures to prevent criminal offences and other violations of law.

BYOD vs. Employee Data Protection Employees' Consent Required

BYOD generally affects personal data.

Necessity: collection/processing/use of personal data is permitted if directly necessary for the employment relationship.
Narrow interpretation of necessity: the task must be impossible without the data.
Consequence: BYOD processing of personal data is mostly not necessary in the legal sense, so generally the consent of the employee is required to perform IT admin tasks on the device.

Violation of personal data is no acceptable collateral damage of BYOD!

BYOD vs. Employee Data Protection but Consent Unlikely to be Granted

Prerequisites of a valid consent (Sec. 4a BDSG): a declaration of the affected individual that is
- voluntary,
- given for the specific case, and
- given in complete awareness of the individual circumstances.

Issues:
- Voluntariness in an employment relationship is questionable
- The employee's freedom of choice is de facto limited by the existential importance of the employment relationship
- Presumption that the consent of an employee is seldom voluntary
- The employee will not provide consent, as extensive access rights to the private device are not favourable to him or her

Implementing BYOD Strategies Works Council Involvement

The works council has a right to participate.

Right of control according to Sec. 80 BetrVG (Works Constitution Act): "The works council shall have the following general duties: 1. to see that effect is given to Acts, ordinances, safety regulations, collective agreements and works agreements for the benefit of the employees; [...]"

Right of co-determination according to Sec. 87 para. 1 no. 2 & no. 6 BetrVG: "(1) The works council shall have a right of co-determination in the following matters in so far as they are not prescribed by legislation or collective agreement: [...] 2. the commencement and termination of the daily working hours including breaks and the distribution of working hours among the days of the week; [...] 6. the introduction and use of technical devices designed to monitor the behaviour or performance of the employees;"

BYOD vs. Employee Data Protection Special Case: Private Email Use

If private use is permitted/tolerated, the employer is a provider of telecommunication services.
Consequence: telecommunications secrecy applies to the email account; access can be a criminal offence (Sec. 206 Criminal Code).
Telecommunications secrecy protects all communication partners: sender (internal and external) and receiver.

Problems:
- Control of private communication
- Death, illness, absence, leave of absence, dismissal of the employee

Successful Implementation Requires a Holistic Approach Based on the Applicable Legal Framework

A combination of technical and policy solutions is preferable.

Container solution:
- Business-related applications run in a dedicated container on the device; business data is stored only in this shell
- Only this container can be accessed and administrated by the employer
- Strict technical separation between the private environment (private apps and data) and the working environment (work apps and data)
- E.g. BlackBerry 10

Client solution:
- Cloud / client-server-based solution with the mobile device as client
- The device is only used as an interface for access to the network
- No business-related data is stored permanently on the device; after disconnecting from the server all data is wiped
- E.g. Hewlett Packard

Technical solution minimises the risk of access to employees' personal data:
- In the case of a container solution, private use of the container has to be prohibited
- The employer retains full control and access rights (over the container)
- Permission to participate in BYOD should depend on signing the respective policy and giving the respective consents
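The legal point of the container and client patterns above is that the employer's technical reach must stop at the work sphere: an MDM action, including a remote wipe, must be incapable of touching the private sphere, and that boundary should be enforced and logged by the system rather than promised in a policy. The following is an added illustration of both patterns and is not code from the Detecon presentation; the Device, EmployerAdmin and ClientSession classes, the sphere tags and the sample file paths are assumptions made for this example, and a real deployment would rely on the platform's own container mechanism rather than on application-level checks like these.

```python
"""Toy policy model of the two BYOD separation patterns described above.

Added example, not from the presentation. The classes, sphere tags and paths
are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List

WORK = "work"          # employer-administered container
PERSONAL = "personal"  # employee's private sphere, off-limits to the employer


@dataclass
class Item:
    sphere: str
    content: bytes


@dataclass
class Device:
    """A personally owned device holding data from both spheres."""
    items: Dict[str, Item] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)


def sample_device() -> Device:
    """Constructed sample content; the paths and bytes are made up."""
    dev = Device()
    dev.items["work/mail/inbox.db"] = Item(WORK, b"business mail")
    dev.items["work/docs/contract.pdf"] = Item(WORK, b"contract draft")
    dev.items["personal/photos/2013-01.jpg"] = Item(PERSONAL, b"\xff\xd8holiday")
    dev.items["personal/chat/log.txt"] = Item(PERSONAL, b"private chat")
    return dev


class EmployerAdmin:
    """Container pattern: every employer-side action is checked against the
    sphere tag and written to an audit trail. Anything outside the work
    container is refused, so even a remote wipe cannot touch private data."""

    def __init__(self, device: Device) -> None:
        self.device = device

    def _authorize(self, path: str, action: str) -> Item:
        item = self.device.items.get(path)
        if item is None:
            raise KeyError(path)
        if item.sphere != WORK:
            self.device.audit.append(f"DENY  {action} {path} sphere={item.sphere}")
            raise PermissionError(f"{action} on {path}: outside the work container")
        self.device.audit.append(f"ALLOW {action} {path}")
        return item

    def list_container(self) -> List[str]:
        # Enumeration is itself scoped: personal paths are never revealed.
        return sorted(p for p, it in self.device.items.items() if it.sphere == WORK)

    def read(self, path: str) -> bytes:
        return self._authorize(path, "read").content

    def wipe_container(self) -> int:
        """Remove only work items; returns how many were deleted."""
        targets = self.list_container()
        for path in targets:
            self._authorize(path, "wipe")
            del self.device.items[path]
        return len(targets)


class ClientSession:
    """Client pattern: the device is only a window onto the server. Fetched
    data lives in a session cache and is dropped when the session ends."""

    def __init__(self, server: Dict[str, bytes]) -> None:
        self._server = server
        self._cache: Dict[str, bytes] = {}

    def open(self, name: str) -> bytes:
        self._cache[name] = self._server[name]
        return self._cache[name]

    def cached(self) -> List[str]:
        return sorted(self._cache)

    def disconnect(self) -> int:
        """Wipe the session cache; returns the number of entries dropped."""
        dropped = len(self._cache)
        self._cache.clear()
        return dropped


if __name__ == "__main__":
    dev = sample_device()
    admin = EmployerAdmin(dev)
    print("visible to employer:", admin.list_container())
    try:
        admin.read("personal/chat/log.txt")
    except PermissionError as exc:
        print("refused:", exc)
    print("wiped", admin.wipe_container(), "work items;", len(dev.items), "private items remain")
    print("\n".join(dev.audit))
```

The audit trail is what makes the arrangement defensible towards the works council and the data protection officer: it records not only what the employer did inside the container but also every refused attempt to reach outside it.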

BYOD Strategies: Conclusion

- International perspective: BYOD is today's reality
- The legal framework must be the basis for strategy development
- Security, internal compliance, IT and business have to align
- BYOD does not raise genuinely new legal issues
- Multinational enterprises: the strategy should be adjusted to the weakest link
- Implementation requires multidisciplinary knowledge / a multidisciplinary team
- A good understanding of the big picture opens the potential for a massive increase of revenues for legal advisory


Thank you very much!


Martin Wiechers Detecon International GmbH Sternengasse 14-16 50676 Cologne (Germany) Phone: +49 221 9161-1899 Mobile: +49 151 46718873 Martin.Wiechers@detecon.com


The Indian Scenario

- India does not have specific laws to protect an individual's privacy, including data privacy
- Courts have upheld privacy rights under Article 21 of the Indian Constitution vis-à-vis the government
- The Information Technology Act, 2000 provides some protection for electronic data
- Consumer courts have upheld privacy rights against individuals and entities
- No specific laws to protect employee data

- No need for employers to issue a privacy policy applicable to employee data
- Employers should retain employee data for at least three years (laws of limitation)
- Income Tax (IT) laws allow the IT department to initiate proceedings within 7 years of the relevant assessment year, so companies usually retain employee data for 8 years
- No restriction on transferring data to third parties or overseas
- Courts have sometimes placed restrictions on the transfer of health-related employee data

- Employees could make tort claims for breach of data privacy
- Employees could also stake a claim for breach of data in electronic records under the Information Technology Act, 2000
- Last year the Shah Committee, appointed by the Indian Government, released its report on privacy. The Shah Committee Report recommends some significant changes which may be implemented in laws to come

Panel Discussion

Audience Q & A

Thank You
