TRANSCRIPT
Employee privacy in a global company
Sandra Kelman
Privacy Manager (Asia Pacific)
Privacy Issues Forum
30 March 2006
Context
• BP is one of the world's largest energy companies, providing its customers with fuel for transportation, energy for heat and light, retail services and petrochemicals products for everyday items
• Over 100,000 people work in 100 countries across six continents
• Exploration activities cover 26 countries
• 27,800 service stations serve around 13 million customers each day
• “Mega data centres” in Singapore, Houston & London
Structure
Digital Communications & Technology
• Digital Security Strategy – Compliance (Privacy & Data Protection)
• Compliance Manager
• 4 Privacy Managers (UK & Western Europe, Germany & Eastern Europe, Americas, MoW)
• Data Privacy Co-ordinator in each country (Privacy Officer)
Foundation Documents
• Privacy & Data Protection Policy & Security of Information Policy
• International Intra-Group Data Protection Agreement
• Codes of Practice (applied globally)
• Fair Processing Statements
• Employee Code of Conduct
Privacy & Data Protection Policy
• Applies where no local legislation
• Ties in with IGA
• Based on EU Data Protection Directive
• Principles for information processing
• Rights and responsibilities
• On Intranet – provided in induction phase
Security of Information Policy
Retention Guidelines/Schedules
International Intra-Group Data Protection Agreement (IGA)
• Signed off by Country President
• Permits individual BP operations to meet legislative obligations where data transfers are regulated
• Allows trans-border data flows by obtaining the consent of individuals through the issue of a Fair Processing Statement (FPS)
• Commits businesses to respect relevant local legislation
• Creates a common business standard through implementing the Global Data Protection Policy.
Implementation
• Designate a Country Data Protection Coordinator (full or part-time)
• Education & Support
• Compliance through monitoring
Codes Of Practice
CCTV
• Consistent application
• Model signage
• 40 pages
Employment
• UK model
• Suggested standards
• 91 pages (plus supplementary guidance)!
Fair Processing Statements
• Information for employees about information collected, held and its uses
• Authority to process information as described
• Explanation of data held in HR systems
• Third Party Processor’s privacy notice (UK)
• Campaign to issue one to each BP employee – new and existing!
Code of Conduct
• “Our Commitment to Integrity”
• Specifically refers to privacy
– “…there should be no gap between what we say and what we do…”
– Misuse of information
– Privacy and employee confidentiality
– Data quality
– Protecting BP’s assets (includes information)
– Intellectual property
– Security
Privacy Quiz
Privacy Quiz 2
Privacy Quiz 3
Privacy Compliance Audits
• Use UK Information Commissioner’s methodology
• Adapted for local legislation or BP Privacy Policy
• “Heavy” and “Light”
• Monitor privacy compliance at that time
• Interviews with staff – functions or processes
• Audit report – non-compliances and observations
• Risk Register – checks follow up actions