Employee privacy in a global company Sandra Kelman Privacy Manager (Asia Pacific) Privacy Issues Forum 30 March 2006


Employee privacy in a global company

Sandra Kelman

Privacy Manager (Asia Pacific)

Privacy Issues Forum

30 March 2006


Context

• BP is one of the world's largest energy companies, providing its customers with fuel for transportation, energy for heat and light, retail services and petrochemical products for everyday items

• Over 100,000 people work in 100 countries across six continents

• Exploration activities cover 26 countries

• 27,800 service stations serve around 13 million customers each day

• “Mega data centres” in Singapore, Houston & London


Structure

Digital Communications & Technology

• Digital Security Strategy – Compliance (Privacy & Data Protection)

• Compliance Manager

• 4 Privacy Managers (UK & Western Europe, Germany & Eastern Europe, Americas, MoW)

• Data Privacy Co-ordinator in each country (Privacy Officer)


Foundation Documents

• Privacy & Data Protection Policy & Security of Information Policy

• International Intra-Group Data Protection Agreement

• Codes of Practice (applied globally)

• Fair Processing Statements

• Employee Code of Conduct


Privacy & Data Protection Policy

• Applies where no local legislation

• Ties in with IGA

• Based on EU Data Protection Directive

• Principles for information processing

• Rights and responsibilities

• On Intranet – provided in induction phase

Security of Information Policy

Retention Guidelines/Schedules


International Intra-Group Data Protection Agreement (IGA)

• Signed off by Country President

• Permits individual BP operations to meet legislative obligations where data transfers are regulated

• Allows trans-border data flows via gaining the consent of individuals through the issue of a Fair Processing Statement (FPS)

• Commits businesses to respect relevant local legislation

• Creates a common business standard through implementing the Global Data Protection Policy.

Implementation

• Designate a Country Data Protection Coordinator (full or part-time)

• Education & Support

• Compliance through monitoring


Codes Of Practice

CCTV

• Consistent application

• Model signage

• 40 pages

Employment

• UK model

• Suggested standards

• 91 pages (plus supplementary guidance)!


Fair Processing Statements

• Information for employees about information collected, held and its uses

• Authority to process information as described

• Explanation of data held in HR systems

• Third Party Processor’s privacy notice (UK)

• Campaign to issue one to each BP employee – new and existing!


Code of Conduct

• “Our Commitment to Integrity”

• Specifically refers to privacy

– “…there should be no gap between what we say and what we do…”

– Misuse of information

– Privacy and employee confidentiality

– Data quality

– Protecting BP’s assets (includes information)

– Intellectual property

– Security


Privacy Quiz


Privacy Quiz 2


Privacy Quiz 3


Privacy Compliance Audits

• Use UK Information Commissioner’s methodology

• Adapted for local legislation or BP Privacy Policy

• “Heavy” and “Light”

• Monitor privacy compliance at that time

• Interviews with staff – functions or processes

• Audit report – non-compliances and observations

• Risk Register – checks follow up actions
