Consulting Services

Building data protection and privacy into HR systems and practices

Since its formation in 1999, HR Privacy Solutions has assisted over thirty major multi-national employers and employment service providers in the development and implementation of strategies, policies and programs to achieve compliance with global data protection and privacy laws.  These clients are recognized leaders in the pharmaceutical, consumer products, health care, medical device, financial services, publishing, computer networking, high-tech manufacturing, aerospace, and recruitment services industries.

Among the consulting services delivered to these clients have been the following:

Educational presentations and tutorials.   Many client engagements have begun with educational sessions designed to get staff from HR, HR systems, IT, and Legal, as well as senior executives, up to speed and on the same page in dealing with the complexities surrounding international data protection requirements.  These presentations typically run for two to three hours.

Assessment of information policies and practices.  Compliance can only be achieved in relation to specific practices involving employment-related personal information.  Determining what these current and prospective practices are can be challenging when an employer is large or operates in multiple jurisdictions.  HR Privacy Solutions has the experience and methodology needed to identify and evaluate, in a cost-effective manner, the policies and practices multi-national companies have for collecting and using employee information, including information resident outside the HR function.

Identification and description of regulatory requirements.  Data protection laws, employment codes of practice, labor laws, judicial rulings and other regulatory requirements in each country in which a company is located need to be identified before they can be addressed.  HR Privacy Solutions understands and continually monitors the global regulatory environment. Where detailed knowledge of local requirements is needed, HR Privacy Solutions can either carry out legal research on its own or use its international network to bring in a lawyer with the requisite local experience.

Risk assessment.  Through a gap analysis, comparing policies and practices with legal requirements, HR Privacy Solutions can identify and describe the risks and exposures a company faces in its handling of employment-related personal information.  It can prioritize the potential liabilities, and make recommendations for both short-term and long-term measures to minimize and eliminate them.

Development of compliance strategies.  HR Privacy Solutions helps clients determine which of the compliance options available to multi-national employers best meets their needs, through careful consideration of what they entail and an analysis of the advantages and disadvantages associated with each.  Once a strategy has been determined, HR Privacy Solutions works with the client to refine and apply the strategy to the company’s unique operations, systems environment, and plans.

Recommendations on system architecture, configuration and testing.  Based upon the interplay of legal requirements with system architecture, configuration, and transborder data flows, HR Privacy Solutions has advised clients on the regulatory implications of the geographic siting of servers, the selection of data elements to be transferred, and the determination of user access privileges.  HR Privacy Solutions has also advised clients on how to achieve compliance in the use of test data transferred across national borders.

Guidance and assistance with Safe Harbor certification.  HR Privacy Solutions provided the analysis of Safe Harbor requirements and created the policies and programs needed to meet those requirements, for the first major multi-national company to join the Safe Harbor Program for HR data, drawing upon past experience working with the Department of Commerce in the application of the Safe Harbor principles to Human Resources.  HR Privacy Solutions has guided six companies into the Safe Harbor Program, and also designed and carried out annual assessments needed for re-certification.

Development of model contracts.  HR Privacy Solutions has assisted some clients by preparing model contracts for transferring employee data from Europe to the U.S.

Assistance with European notification requirements.   European privacy laws require notification of data processing activities to regulatory authorities as well as to employees and applicants.  HR Privacy Solutions has assisted clients in completing and updating both types of notifications.
  
Development of worldwide employee privacy principles.  Based upon a comparative analysis of the principles of fair information practice found in leading international privacy codes, HR Privacy Solutions developed a comprehensive set of global employee privacy principles for many multi-national companies.  This set of principles, reflecting and capturing an emerging international standard for handling employment information, and adapted to each company’s needs, is designed to serve as the foundation for worldwide employee privacy policies and programs.

Development of worldwide employee privacy policies.  Once companies have charted their course with a high-level set of employee privacy principles, HR Privacy Solutions draws upon in-depth experience in HR and HR information systems to develop worldwide policies implementing those principles in key areas, such as notice, disclosure, access, and internal controls.

Development of privacy programs, guides and resources.   Implementing employee privacy principles and policies can require a wide array of supporting procedures, notifications, complaint resolution programs, implementation guides and toolkits, manager’s guides, and other resources referenced in the principles and policies.  HR Privacy Solutions creates these implementation documents and resources, needed to help institutionalize privacy protections within a corporate culture.

Awareness and training programs.  HR Privacy Solutions has assisted clients by developing privacy awareness and training modules, in online, PowerPoint, and print formats.

Development of audit programs.  HR Privacy Solutions designs employee privacy principles, policies and programs with audit and verification considerations, driven by requirements, clearly in mind.  HR Privacy Solutions has developed and carried out audit and review programs aimed at ensuring that a company’s practices are in conformance with its privacy commitments and obligations.

Examples of Client Engagements

Aerospace Company Data Privacy Assessment and Strategy
For a major aerospace company we designed and carried out a worldwide risk assessment, leading to the development of a three-tiered compliance strategy.  We guided and assisted the company in certifying for Safe Harbor, including privacy policy revision, implementation of notification requirements in Europe, revision of vendor contracts, and delivery of educational and training sessions.  We also carried out annual Safe Harbor re-certification assessments and provided ongoing advice on HR data privacy issues.

Health Care Company Global Employee Privacy Program
For a leading health care company, we developed a ground-breaking worldwide employee privacy policy.  We also designed the program and resources needed to implement the policy on a worldwide basis, and guided the company in becoming the first major multi-national employer to certify for Safe Harbor.  More recently, we conducted bench-marking on training and privacy impact assessments, and developed laptop security and data retention policies.

Medical Products Company Safe Harbor Certification & Training
For a small but market-leading manufacturer of medical products, we launched a data privacy initiative with a level-setting educational workshop, developed a model contract to meet an immediate compliance need of a French subsidiary, and then guided and assisted the company in meeting requirements for Safe Harbor certification.  We also created a Safe Harbor training module for U.S. staff, developed a privacy policy for a unit in British Columbia, and assisted the company’s European units in updating and completing notifications to data protection authorities and employees.  Recently we helped one of the firm’s divested companies in meeting its data protection compliance needs.