When an employer wants to implement an international background check program and transfer data of a personal nature to another country, it should pause before clicking "send". What are the legal implications in moving such personal information to another country?
Background
Employers involved in the recruitment and selection of applicants to and from EU Countries should be aware of their responsibilities under relevant Data Protection Directives, the legal transfer of personal information across international boarders as well as local Employment legislation in these countries. An understanding of the structure and function of the European Union ("EU") and the “The European Directive on Data Protection 95/46/EC” is essential to any analysis of data protection laws of EU Member States as well as many other countries that have adopted EU modeled Data Protection Laws when implementing international applicant screening programs.
Privacy and Data ProtectionEuropean Directive on Data Protection
The 1998 Data Protection Act (Data Protection Act 1998 (the Act)) replaces and builds on an earlier 1984 Act which derived from concerns that the power of computers to manipulate information was threatening the privacy of individuals in Europe. The Act applies to all personal data held in a structured way in any medium (paper, computer, microfiche, tape etc). The Council of Europe adopted "The European Directive on Data Protection 95/46/EC" in 1995. The Directives have extended the scope of data protection in recent years to include all personal data held about individuals, however it is stored. It also places guidelines on the actual transfer of data outside the EU. See section Transfer of Personal Data to and from European Countries for additional information.
Guidelines for Managing Human Resource Data from European Countries
In the United Kingdom, the Employment Practices Data Protection Code Part 1: Recruitment and Selection (March 2002) as published by the Information Commissioner provides a starting point. The Code is intended to assist employers in complying with the Act and to establish good practice for handling personal data in the workplace. The Code also states that employers should only carry out pre-employment vetting/screening on applicants (e.g. references, criminal record checks etc) at an appropriate point in the recruitment process and comprehensive vetting/screening should only be conducted on successful applicants. The benchmarks outlined in the Code develop and apply the Act in the context of recruitment practices and are the Information Commissioner’s recommendations as to how the legal requirements of the Act can be met.
Transfer of Personal Data to and from European Countries
If your business receives and processes personally identifiable data about persons living in a European Union (E.U.) member nation using Applicant Tracking Systems or HRS Applicant Tracking systems, it is subject to data transfer restrictions set forth by the E.U. Data Directive. Unfortunately, many companies are not aware of the various data flows from Europe to their company in the U.S. and beyond. Consequently, they are at risk for stiff penalties, fines and possible transfer restrictions or interruptions. U.S. companies have three options for transferring data to the U.S. including human resources, research and, in general, any personal data:
- Transfer data under one of the exemptions allowed for in the Data Directive/national laws.
- Transfer data as part of a contractual agreement either through model contracts approved by the E.U. Commission or through ad-hoc contracts to be approved by the relevant national data protection authorities.
- Transfer data under the Safe Harbor Agreement.
Employment Legislation
Much like the United States, European countries have also enacted comprehensive employment legislation related to Discrimination, Racial Relations, and a multitude of others creating yet another unique situation.Employers such as those in the financial sector or with employees coming into contact with vulnerable individuals such as children and healthcare processions specifically in EU countries, background screening is a legal requirement. The Financial Services and Market Act 2000, for example in the UK, requires individuals working in controlled functions such as senior customer-facing roles to be "fit and proper", meeting honesty, competence and financial soundness criteria. Furthermore, individuals coming into contact with vulnerable individuals are required to undergo extensive criminal background checks through host country’s government authorities. Many European countries have also enacted what is called Rehabilitation of Offenders legislation that relates to concerns the employment of people with a criminal record. If a person has been convicted of an offense, provided they have not been re-convicted for a further offence during a specified period, his/her conviction becomes spent (should be treated as though it had never existed) for the purpose of employment.
Acquisition of Criminal Conviction Data in Europe
Europe does not provide the same level of accessibility to court records as the United States. Criminal conviction information is generally available only to government officials and the individual themselves. It is important to note that a complete register of criminal convictions can only be kept by a public authority. Data relating to offences, criminal convictions or security measures may only be processed under the control of a public authority except as may be authorized by regulations of a given country and are subject to additional suitable safeguards.
Each country has its own laws, procedures and customs. Issues with forced subject access and unauthorized access to personal records may be a significant risk for employers obtaining this type of information improperly by third-party vendor. Third-party direct access to police and many court records are strictly prohibited by most European Union countries as criminal conviction information is not considered a matter of public information.
Companies must now accept one essential truth: they must now become aware of how they use personal information, where they get it, how it is and may be used, and where it goes.
Source Links
[1] European Union Data Protection Directive (95/46/EEC) (the “Directive”) of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regards to the processing of personal data and on the free movement of such data, 1995 O. J. (L 281) 0031-0050. The Directive took effect in October 1998.[2] Data Protection Act 1998, 1998 Chapter 29 [3] Employment Practices Data Protection Code Part 1: Recruitment and SelectionFor more information about International Screening Solutions please visit our website.
No comments:
Post a Comment