IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws.
The warning was one of several alarms raised in a presentation on global privacy best practices by Gartner Inc. analysts Arabella Hallawell and Carsten Casper at the recent Gartner Risk Management and Compliance Summit in Chicago.
Always a thorny issue, the protection of personally identifiable information (PII) is made more complicated in a world where there is limited agreement on how best to do that.
According to the Gartner analysts, the world is divided into three parts when it comes to data privacy laws: countries with strong, moderate or inadequate legislation. The European Union, under the European Union Directive on Data Protection, possesses the strongest privacy regulations, followed by Canada and Argentina; Australia, Japan and South Africa have moderate to strong, recent legislation; laws in China, India and the Philippines are the least effective or laxly enforced.
The United States has the dubious distinction of occupying two categories -- the strong column, due to the 45 state breach notification laws on the books, and the weak column, because of the lack of a federal law.
Even among the three categories, nuances abound. Under the European Union Directive, member countries enact their own principles into legislation, and some laws (like Italy's) are more stringent than the directive's standards. Russia's very recent law is modeled after the strong EU laws, but how it will be enforced remains questionable. And in the U.S., state breach notification laws vary, with Nevada and Massachusetts proposing the most prescriptive data privacy legislation to date.
Obey the original purpose of personal data collection
While there is no universal definition for information privacy, most industry experts define the concept as the right of an individual to control how one's personal information is used. That right covers the collection, use, retention and disclosure of personal information.
One of the key principles of the European rights-based approach is that an organization must have a reason for processing personal data, and that purpose must remain the same. (You cannot collect personal data to deliver goods, then use the same information for a large marketing campaign.) Another key EU principle is the prohibition on transferring personal data of EU individuals to a country with inadequate data privacy laws (e.g., the U.S., because of its lack of a comprehensive law). The right of companies to monitor employee behavior, generally accepted in the U.S., is also constrained in Europe.
So while IT security tools can be leveraged to help develop a global privacy program, linking privacy and security tools must be done in consultation with privacy experts, or CIOs risk breaking the law, Gartner says. Here is the Gartner advice on two IT areas -- identity management and employee monitoring -- where companies can easily run afoul of the law.
Identity management is about managing personal information.
"Obviously, there is a link between identity management and privacy management," Gartner's Casper said. "To some extent it is a matter of just making that link, bringing experts from both sides together and trying to see if there is a possibility to leverage investments on one side for the other side."
As a company's network of internal and external users expands, so does the need for an automated system to track who had access to what, and when. Companies are also putting identity management systems to good use for compliance with regulations such as the Sarbanes-Oxley and Health Insurance Portability and Accountability acts.
On the privacy side, the number of individuals asking where their personal information is stored by an organization, while small, is increasing. In the wake of the Deutsche Telekom AG scandal, where the German phone giant admitted that it surreptitiously tracked thousands of phone calls to find sources of media leaks about its internal operations, employee requests for access to their personal information stored by the company doubled from 700 to 1,400 in a year, Casper said.
"How are you going to do that without a proper process for storing that information and getting access to that?" Casper asked.
Identity management tools can also prove useful in a merger or acquisition that adds employees from a European country. A natural point of linkage between identity and privacy management is at the "identity-proofing" stage, Casper said. After IT creates the identity for an employee, that would be a good time to notify that person about the personal data the company possesses. The process gives the individual control over how his or her information is used, one of the principles of the European Union Directive.
But there are big challenges to integrating privacy and identity management, Casper said. Identity and access management covers a wide range of technologies, and privacy covers a wide range of laws, so alignment can be difficult. Systems under development are best tested with real data, but using live personal data for testing raises privacy concerns: that use of the data extends beyond the purpose for which the identity was originally collected.
In addition, there is the issue of where the personal data is stored: Oftentimes there is a conflict between where IT actually stores the personal data and where the law considers it to reside. (Remember the prohibition against transfer of personal data to countries that don't measure up to EU privacy standards.)
Bottom line: Bring in global privacy and legal experts before using identity management across borders.
Employee monitoring, Web filtering, data leak prevention
Employee monitoring is probably the biggest area where U.S. companies get into trouble, Gartner's Hallawell said. For the past decade, case after case has pretty much upheld a company's right to use enterprise IT systems to monitor an employee's behavior as long as the employee knows it is happening. The company owns the asset and it has a right to monitor usage.
"This is not to be taken for granted at all, particularly in the European Union but in other regions around the world," Hallawell said. "In the EU there are very strict HR and privacy laws around how you can and cannot monitor your employees."
IT departments that are using security tools like Web filtering and data leak prevention increasingly find themselves in hot water. Some points to remember: Blocking access to inappropriate websites is usually fine, but digging for how much time an employee is spending on Facebook is not. "That type of fishing trip gets you into a lot of trouble in the European Union," she said.
Indeed, Hallawell has seen "many a client" who has had to settle with a local EU tribunal for activities related to employee monitoring. Guidance on employee monitoring differs from country to country. Italy is the most prescriptive; in other countries, like Germany, you may actually have to get permission from the works council to do employee monitoring.
"Some works councils are fine, as long as you tell them what you are doing, but others will be much more cautious." France also takes employee monitoring intrusions extremely seriously, as evidenced by rulings by the French Supreme Courts in 2004 and 2005 that found employers could not read email or files regardless of business justification.
Hallawell strongly advised IT not to go it alone when implementing email and URL filtering, and to do no covert monitoring. "Make sure you work very closely with your HR departments in Europe, and legal, and don't just turn on Web filtering in the U.S. and make it your global policy," she said. Look at member state data protection authority guidance carefully. For all the bad rap the U.S. gets for being a litigious culture, EU employees are "extremely proactive" in defending their privacy rights.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer