Ogilvy Renault, a Canadian law firm released the following article which explores the differencies in data security and data privacy rules, depending on the juristiction. It is really useful background information for any company that works with personal and/or sensitive data across boarders.
________________________________________________________
04 November 2009
Article by Christine Carron and Martha A. Healey
The protection of personal information is an important issue as business operations become increasingly global in nature. Coupled with the Internet enabling personal data to be distributed almost instantaneously across the globe, privacy has quickly become a critical international concern that can often be confusing due to a global patchwork of laws and regulations. A US organization conducting business in multiple foreign jurisdictions must be aware privacy laws are not equal everywhere. Unless the most restrictive regulatory regime is adopted, country by country procedures may be necessary.
CANADA
Canada While Canada is often assumed to be similar to the US with respect to business practices, privacy regulation is another matter. The Canadian approach to confidentiality and the transfer of personal information is much more in line with the European model than that of the US. (It was, in fact, designed to be this way.) The federal personal information protection regime in the Canadian private sector is mainly governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which became effective in 2004 and extends privacy protection to all personal data collected by companies on individuals in the course of commercial activity, except employees other than those of a federal undertaking. It follows that, in most cases, personal information of employees is regulated by applicable provincial law. Only Alberta, British Columbia and Quebec have enacted privacy legislation. That provincial legislation, however, is substantially similar to PIPEDA. Ontario has enacted privacy legislation but only with regard to personal health information.
It is important to note that when transferring personal information outside of Canada, the transferring organization has an obligation to provide a comparable level of protection meaning the level of protection provided by the third party must be comparable to the level of protection afforded the personal information within Canada. The Privacy Commissioner of Canada has ruled that, not withstanding the USA PATRIOT Act, personal information transferred to the US can benefit from protection similar to that enjoyed in Canada. She added, however, that notice must be given to individuals alerting them to the fact their information will be stored in the US where it becomes subject to the USA PATRIOT Act.
Another recent, high-profile example involved Facebook, the hugely popular social networking site. On July 16, 2009, Canada's Privacy Commissioner ruled that Facebook was in breach of Canadian privacy laws on several fronts, particularly with respect to the circumstances surrounding consent to the disclosure of personal information to third party application developers and the retention of personal information of users who had closed their accounts. Initially, Facebook resisted complete compliance with the Privacy Commissioner's recommendations. However, given the Commissioner's ability to submit the matter to the courts, Facebook ultimately proposed solutions satisfying Canadian privacy laws.
As Facebook learned, a "global" approach to privacy works only where the privacy policy is written so as to comply with all jurisdictions in which an organization does business. Facebook recently indicated that it plans to amend worldwide practices to implement Canadian privacy requirements globally.
Another recent example illustrating this is the case of Abika.com, a US-based online data broker. On July 31, 2009, after a nearly five-year investigation, the Privacy Commissioner ruled Abika had violated Canadian privacy laws by disclosing the personal information of Canadians without their knowledge or consent to third parties.
EUROPE
The EU has developed a very sophisticated personal information protection regime with stringent standards that has influenced the adoption of privacy laws throughout the world. Directive 95/46 sets out the general principles with regard to the processing of personal information, which are now implemented in the national law of every EU member state. The underlying principles of Directive 95/46 were largely based on those of international bodies, like the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The EU's privacy legislation closely resembles that of Canada, however, how this legislation is interpreted can lead to some surprising differences, particularly with respect to the validity of consent given to the collection, use and disclosure of personal information.
Consent is in the lynchpin of Canadian privacy legislation. In the EU Directive, persons from or about whom data is collected must unambiguously grant their consent before such data is collected, after having been informed about the purpose(s) for which the data will be used. The interpretation of the validity of consent may impact a US business processing personal information of European customers or employees. For example, relying on employee consent to the collection of certain personal information can prove to be difficult since some European countries question whether that consent is "freely given" given the desire to be employed or to keep employment.
Another key tenet of the EU privacy directive is that it prohibits the transfer of personal information to non-EU countries, including the US, unless those countries provide adequate protection for the information. While the US has not been, officially, deemed to provide adequate protection, the two jurisdictions are negotiating so as to facilitate normal business relations. The Safe Harbor Agreement allows US companies to avoid sanctions imposed by the EU if they voluntarily embrace a somewhat less stringent version of the EU privacy directive.
THE REST OF THE WORLD
Once you move out of Canada and Europe, all bets are off with respect to the extent that privacy legislation exists or is enforced. In many jurisdictions there is no one law or regulatory framework governing privacy. Instead, laws or regulations relating to privacy are often found as a sub-set of sector-specific or constitutional laws.
Asia-Pacific: Regions that have recently adopted privacy legislation include Australia, Hong Kong, Japan, Macao, New Zealand, South Korea and Taiwan. China, Malaysia, the Philippines and Thailand are currently in the process of drafting legislation. Indonesia, Singapore, Vanuatu and Vietnam only have privacy provisions in sector-specific laws. Still, many Asia-Pacific regions do not have privacy legislation, including Brunei, Cambodia, Laos, Myanmar and the majority of the small Pacific island countries.
India: India does not have comprehensive privacy laws in place. The right of privacy is not expressly recognized in the Constitution of India, although the Supreme Court of India has implied it from article 21 of the Constitution, which states that, "No person shall be deprived of his life or personal liberty except according to procedure established by law." However, this right is not absolute and can be restricted under procedures established by law or if a superior interest commands it. Laws that do exist relate to the privacy of data held by public financial bodies (e.g. banks) and electronic data (the Information Technology Act of 2000). India is moving to bring their privacy laws in step with Europe and other jurisdictions. The Personal Data Protection Bill, based primarily on foreign privacy legislations, was introduced in 2006 and is currently still pending.
Latin America: Currently, very few Latin American regions have any privacy legislation and there is no cohesive framework for the region. However, the importance of a harmonized privacy legal framework for the region has been recognized and many countries in this region are currently working on developing it.
CONCLUSION
Although efforts are underway in many regions to harmonize legislation, privacy laws around the world still differ in many respects. Outside of Canada and Europe, privacy legislation is either non-existent or a patchwork of sector-specific laws and regulations. US organizations conducting business in these regions should use the most stringent legislation as the lowest common denominator in order to establish an effective privacy policy.
About Ogilvy Renault
Ogilvy Renault LLP is a full-service law firm with close to 450 lawyers and patent and trade-mark agents practicing in the areas of business, litigation, intellectual property, and employment and labour. Ogilvy Renault has offices in Montréal, Ottawa, Québec, Toronto, and London (England), and serves some of the largest and most successful corporations in Canada and in more than 120 countries worldwide. Find out more at www.ogilvyrenault.com.
Friday, 27 November 2009
Friday, 20 November 2009
The FSA presents it's agenda for fighting economic crime
In a speech to the British Bankers' Association, Margaret Cole, Director, Enforcement and Financial Crime Division, FSA, highlighted the FSA's agenda for fighting economic crime. She touched on a range of issues; here are some highlights of interest to HR:
"We are the gatekeeper of the UK financial system. Firms or individuals wishing to operate in the UK must meet our 'fit and proper' standard. Those who don't, stand to be rejected during our authorisation, approval or change of control processes. There are numerous aspects to fitness and properness – competence, integrity and the ability to establish the right culture and tone at the top are important features.
A murky past, a reputation for unscrupulous business methods or sailing close to the wind will also call fitness and properness into question. Applications from countries where personal histories are obscure or controverted, or corruption is endemic in business life, add to the challenge.
We address these challenges by building stronger links with overseas law enforcement and regulatory agencies, by devoting more people and resources to the cases that call for heightened due diligence and, above all, as you would expect from an intrusive regulator, by a sceptical, questioning approach that does not shy away from making decisions that will be contested. In this we are aided by the fact that the burden of proof is on the applicant to satisfy us of their integrity. That puts us in a strong legal position to take robust decisions, and we have been doing so.
People seeking to bypass the FSA as gatekeeper can expect little sympathy. In September this year we brought our first prosecution against an individual for acquiring a controlling interest in a regulated firm without giving the FSA prior notice and for making false and misleading statements – and we obtained a conviction. A second prosecution is under way.
But we don’t or shouldn’t perform the gatekeeper function in isolation – we do expect authorised firms to work with us in the fight against financial crime and to assist us in keeping undesirable companies and individuals away from UK authorised firms and their customers."
On data security she stated:
"And data security is another area where we can, and will, use enforcement action to support the work of our supervisors. We expect firms to consider how their actions or failures leave others open to the threat of fraud. We continue to learn of data security lapses that put customers’ personal information at risk. This summer’s enforcement action against three units of HSBC saw substantial fines paid for weak controls over the security of customer data. And we will follow up with further enforcement cases to demonstrate the importance of this subject."
"We are the gatekeeper of the UK financial system. Firms or individuals wishing to operate in the UK must meet our 'fit and proper' standard. Those who don't, stand to be rejected during our authorisation, approval or change of control processes. There are numerous aspects to fitness and properness – competence, integrity and the ability to establish the right culture and tone at the top are important features.
A murky past, a reputation for unscrupulous business methods or sailing close to the wind will also call fitness and properness into question. Applications from countries where personal histories are obscure or controverted, or corruption is endemic in business life, add to the challenge.
We address these challenges by building stronger links with overseas law enforcement and regulatory agencies, by devoting more people and resources to the cases that call for heightened due diligence and, above all, as you would expect from an intrusive regulator, by a sceptical, questioning approach that does not shy away from making decisions that will be contested. In this we are aided by the fact that the burden of proof is on the applicant to satisfy us of their integrity. That puts us in a strong legal position to take robust decisions, and we have been doing so.
People seeking to bypass the FSA as gatekeeper can expect little sympathy. In September this year we brought our first prosecution against an individual for acquiring a controlling interest in a regulated firm without giving the FSA prior notice and for making false and misleading statements – and we obtained a conviction. A second prosecution is under way.
But we don’t or shouldn’t perform the gatekeeper function in isolation – we do expect authorised firms to work with us in the fight against financial crime and to assist us in keeping undesirable companies and individuals away from UK authorised firms and their customers."
On data security she stated:
"And data security is another area where we can, and will, use enforcement action to support the work of our supervisors. We expect firms to consider how their actions or failures leave others open to the threat of fraud. We continue to learn of data security lapses that put customers’ personal information at risk. This summer’s enforcement action against three units of HSBC saw substantial fines paid for weak controls over the security of customer data. And we will follow up with further enforcement cases to demonstrate the importance of this subject."
Friday, 13 November 2009
Employee fraud; should we be re-checking current employees?
FSA fines and bans former UBS employee for helping conceal unauthorised trading losses
This is a case of a trusted, current employee who betrayed their employer and caused them untold grief, loss of reputation and financial penalties. Andrew Cumming, a former client adviser at the London branch of UBS AG (UBS), was fined and banned by the FSA for his role in the activities that led to the firm receiving an £8 million fine earlier this month for systems and controls failings.
According to the FSA's press release "Cumming has been fined £35,000 and prohibited from performing any regulated function for a minimum period of five years on the grounds that he is not fit and proper.
Paperwork signed by Cumming, who worked in UBS’ international wealth management business, helped to document false loans which were used to conceal losses arising from unauthorised trading.
Customers whose funds were used were told they were providing loans to other UBS customers with promises of high rates of interest. To make these ‘loans’ appear official, documents were produced using UBS headed paper and sent to customers stating that the ‘loans’ were guaranteed by the firm.
The FSA’s investigation concluded that Cumming signed these documents on seven occasions between October 2005 and October 2007 having been asked by a senior colleague to do so, even though he knew the ‘loans’ were not authorised by UBS.
By late 2007, Cumming was fully aware that the ‘loans’ were being used to conceal losses which had arisen as a result of unauthorised transactions but he failed to escalate this knowledge. Instead, Cumming signed a further ‘loan’ and allowed the ruse to continue.
Margaret Cole, FSA director of enforcement and financial crime, said:
“Cumming deliberately misled UBS and its customers. Although he did not stand to make a personal gain, his complicity allowed a colleague to continue making unauthorised trades, while the losses continued to mount up.
“We are committed to deterring behaviour of this kind by banning and fining anyone found to have committed such misconduct.”
In setting the financial penalty, the FSA took into account the fact that Cumming did not initiate the circumstances which led to his misconduct, nor did he conduct any of the unauthorised transactions. Because he agreed to settle at an early stage of the FSA’s investigation he qualified for a 30% discount in respect of his financial penalty. Cumming also proved to the FSA that he is in serious financial hardship, entitling him to a further discount.
If it wasn’t for the settlement discount and Cumming’s hardship, the FSA would have imposed a financial penalty of £100,000.
Cumming worked at UBS’ London branch from 1999 until March 2008, when he was dismissed for gross misconduct relating to this case.
Earlier this month, the FSA fined UBS £8 million for systems and controls failures that allowed employees to carry out unauthorised transactions with customer money. UBS has since repaid the affected customers in excess of US$42 million by way of redress. "
The issue for compliance and HR departments is to decide whether they should be re-checking current employees, what they should be re-checking and how often. Our view is that annual credit checks, especially for approved persons would help alert the employer if the employee was facing financial pro(a threat to their fitness and propriety for a role). Annual criminal checks should be done more selectively, since a court case would not easily go undetected by the employer.
Obviously, no decision should be taken without input from the risk management department, but as a minimum, firms should be asking employees to fill out and sign an annual declaration stating that they have not gotten any criminal convictions or judgments since their last declaration.
This is a case of a trusted, current employee who betrayed their employer and caused them untold grief, loss of reputation and financial penalties. Andrew Cumming, a former client adviser at the London branch of UBS AG (UBS), was fined and banned by the FSA for his role in the activities that led to the firm receiving an £8 million fine earlier this month for systems and controls failings.
According to the FSA's press release "Cumming has been fined £35,000 and prohibited from performing any regulated function for a minimum period of five years on the grounds that he is not fit and proper.
Paperwork signed by Cumming, who worked in UBS’ international wealth management business, helped to document false loans which were used to conceal losses arising from unauthorised trading.
Customers whose funds were used were told they were providing loans to other UBS customers with promises of high rates of interest. To make these ‘loans’ appear official, documents were produced using UBS headed paper and sent to customers stating that the ‘loans’ were guaranteed by the firm.
The FSA’s investigation concluded that Cumming signed these documents on seven occasions between October 2005 and October 2007 having been asked by a senior colleague to do so, even though he knew the ‘loans’ were not authorised by UBS.
By late 2007, Cumming was fully aware that the ‘loans’ were being used to conceal losses which had arisen as a result of unauthorised transactions but he failed to escalate this knowledge. Instead, Cumming signed a further ‘loan’ and allowed the ruse to continue.
Margaret Cole, FSA director of enforcement and financial crime, said:
“Cumming deliberately misled UBS and its customers. Although he did not stand to make a personal gain, his complicity allowed a colleague to continue making unauthorised trades, while the losses continued to mount up.
“We are committed to deterring behaviour of this kind by banning and fining anyone found to have committed such misconduct.”
In setting the financial penalty, the FSA took into account the fact that Cumming did not initiate the circumstances which led to his misconduct, nor did he conduct any of the unauthorised transactions. Because he agreed to settle at an early stage of the FSA’s investigation he qualified for a 30% discount in respect of his financial penalty. Cumming also proved to the FSA that he is in serious financial hardship, entitling him to a further discount.
If it wasn’t for the settlement discount and Cumming’s hardship, the FSA would have imposed a financial penalty of £100,000.
Cumming worked at UBS’ London branch from 1999 until March 2008, when he was dismissed for gross misconduct relating to this case.
Earlier this month, the FSA fined UBS £8 million for systems and controls failures that allowed employees to carry out unauthorised transactions with customer money. UBS has since repaid the affected customers in excess of US$42 million by way of redress. "
The issue for compliance and HR departments is to decide whether they should be re-checking current employees, what they should be re-checking and how often. Our view is that annual credit checks, especially for approved persons would help alert the employer if the employee was facing financial pro(a threat to their fitness and propriety for a role). Annual criminal checks should be done more selectively, since a court case would not easily go undetected by the employer.
Obviously, no decision should be taken without input from the risk management department, but as a minimum, firms should be asking employees to fill out and sign an annual declaration stating that they have not gotten any criminal convictions or judgments since their last declaration.
Tuesday, 10 November 2009
Right to Work - What to check and how?
Right to Work is an area that always puzzles HR departments. There are so many permutations and the rules keep changing. Below is a helpful article published in the Recruiter Magazine on November 4th, 2009. Read on..
____________________________________________________________
Companies that supply staff should be wary of the reputation risk to their clients of using staff with no right to work in the UK.
Kenneth Hanslip, head of professional standards at NSL Services, a company that provides traffic wardens (civil enforcement officers) to many local authorities, said that whenever a traffic warden was discovered to be working in the UK illegally there were stories in the press about “terrorist or Taliban traffic wardens”. This would lead to calls from concerned clients.
Other risks of employing illegal workers are a civil penalty of £10,000 per person employed as well as the risk of those individuals carrying out fraud and other criminal activity within the company, said Hanslip.
In one case, he said NSL (formerly part of National Car Parks) lost £43,000 when an accounts clerk committed fraud. “We still do not know who that accounts clerk was, because the person disappeared,” Hanslip told HR and recruitment professionals at a Symposium Events forum on Employing and Vetting Non-UK Nationals in London.
Hanslip said that around 30% of the company’s staff are foreign nationals from outside the European Economic Area (EEA), with many coming from West Africa, but also Afghanistan and Iraq.
Hanslip recommended a number of actions that recruiters could take to reduce the risk of taking on staff without a legal right to work in the UK:
- close liaison with local UK Border Agency immigration teams
- regular National Insurance number payroll sweeps to identify discrepancies
- avoid temporary National Insurance numbers
- if in doubt about the authenticity of a document, seek assistance from document validation services at the UK Border Agency
- don’t take documents at face value - always speak to the person face-to-face
- don’t rely on photocopies of documents provided by the applicant, but check the original and then photocopy it yourself
- don’t assume that those with no right to work in the UK won’t target your company, or industry. People often pick out unsuspecting employers and industries to build up a work history that they can then use to get work elsewhere
____________________________________________________________
Companies that supply staff should be wary of the reputation risk to their clients of using staff with no right to work in the UK.
Kenneth Hanslip, head of professional standards at NSL Services, a company that provides traffic wardens (civil enforcement officers) to many local authorities, said that whenever a traffic warden was discovered to be working in the UK illegally there were stories in the press about “terrorist or Taliban traffic wardens”. This would lead to calls from concerned clients.
Other risks of employing illegal workers are a civil penalty of £10,000 per person employed as well as the risk of those individuals carrying out fraud and other criminal activity within the company, said Hanslip.
In one case, he said NSL (formerly part of National Car Parks) lost £43,000 when an accounts clerk committed fraud. “We still do not know who that accounts clerk was, because the person disappeared,” Hanslip told HR and recruitment professionals at a Symposium Events forum on Employing and Vetting Non-UK Nationals in London.
Hanslip said that around 30% of the company’s staff are foreign nationals from outside the European Economic Area (EEA), with many coming from West Africa, but also Afghanistan and Iraq.
Hanslip recommended a number of actions that recruiters could take to reduce the risk of taking on staff without a legal right to work in the UK:
- close liaison with local UK Border Agency immigration teams
- regular National Insurance number payroll sweeps to identify discrepancies
- avoid temporary National Insurance numbers
- if in doubt about the authenticity of a document, seek assistance from document validation services at the UK Border Agency
- don’t take documents at face value - always speak to the person face-to-face
- don’t rely on photocopies of documents provided by the applicant, but check the original and then photocopy it yourself
- don’t assume that those with no right to work in the UK won’t target your company, or industry. People often pick out unsuspecting employers and industries to build up a work history that they can then use to get work elsewhere
Powerchex Wins Innovation Award Second Year in a Row
We are absolutely delighted to have been recognised again in the innovation category of the Thames Gateway Business Awards. Below is the press release
________________________________________________________
In the midst of the recession, Powerchex innovates and wins award at the Thames Gateway Business Awards
Powerchex, the leading pre-employment screening firm for financial services, has again won recognition at the prestigious Thames Gateway Business Awards.
This year, Powerchex was praised in the Innovation Category for its new service ‘Know Your Supplier’ (KYS). Judges were looking for businesses that could demonstrate that they had successfully introduced a new idea, technique or practice that had improved their business, how the idea was implemented and how it had impacted upon the business.
The glittering awards ceremony took place at the Troxy on Friday evening with more than 700 people in attendance. Judges paid tribute to Powerchex, recognising the bravery and forward-thinking of an SME prepared to innovate in a recession.
“I am absolutely ecstatic that our achievement has been recognised on such a scale,” stated Alexandra Kelly, Managing Director of Powerchex. “Not only have we shown that we are prepared to innovate and look at something completely new, but also have the confidence to put resources behind the project at such a difficult time for many small businesses.”
This is the second year running that Powerchex has been successful in the Innovation Category of the Thames Gateway Awards. Last year, Powerchex won praise for its pioneering staff training and development programme, which lowered costs by reducing staff turnover and increasing the output per person.
“It is extremely important to invest in your workforce, even in times of economic difficulty,” continues Kelly. “While it can be easy to concentrate only on the front-line of your business, keeping staff motivated and your cost-per-unit as low as possible maximises your chances of not just surviving, but actually growing your market share as markets recover.”
Enzo Testa, Executive Managing Director of Archant London commented; “We are proud to do all we can to support, encourage and promote businesses within the many local areas we cover. The rich mix of successful businesses across The Thames Gateway region make our communities, places we can be proud of. To this end, we are pleased to have organised this event.”
________________________________________________________
In the midst of the recession, Powerchex innovates and wins award at the Thames Gateway Business Awards
Powerchex, the leading pre-employment screening firm for financial services, has again won recognition at the prestigious Thames Gateway Business Awards.
This year, Powerchex was praised in the Innovation Category for its new service ‘Know Your Supplier’ (KYS). Judges were looking for businesses that could demonstrate that they had successfully introduced a new idea, technique or practice that had improved their business, how the idea was implemented and how it had impacted upon the business.
The glittering awards ceremony took place at the Troxy on Friday evening with more than 700 people in attendance. Judges paid tribute to Powerchex, recognising the bravery and forward-thinking of an SME prepared to innovate in a recession.
“I am absolutely ecstatic that our achievement has been recognised on such a scale,” stated Alexandra Kelly, Managing Director of Powerchex. “Not only have we shown that we are prepared to innovate and look at something completely new, but also have the confidence to put resources behind the project at such a difficult time for many small businesses.”
This is the second year running that Powerchex has been successful in the Innovation Category of the Thames Gateway Awards. Last year, Powerchex won praise for its pioneering staff training and development programme, which lowered costs by reducing staff turnover and increasing the output per person.
“It is extremely important to invest in your workforce, even in times of economic difficulty,” continues Kelly. “While it can be easy to concentrate only on the front-line of your business, keeping staff motivated and your cost-per-unit as low as possible maximises your chances of not just surviving, but actually growing your market share as markets recover.”
Enzo Testa, Executive Managing Director of Archant London commented; “We are proud to do all we can to support, encourage and promote businesses within the many local areas we cover. The rich mix of successful businesses across The Thames Gateway region make our communities, places we can be proud of. To this end, we are pleased to have organised this event.”
Subscribe to:
Posts (Atom)