Employee privacy in a global company
Sandra Kelman, Privacy Manager (Asia Pacific)
Privacy Issues Forum, 30 March 2006
Context
• BP is one of the world's largest energy companies, providing its customers with fuel for transportation, energy for heat and light, retail services and petrochemical products for everyday items
• Over 100,000 people work in 100 countries across six continents
• Exploration activities cover 26 countries
• 27,800 service stations serve around 13 million customers each day
• “Mega data centres” in Singapore, Houston & London
Structure
• Digital Communications & Technology
• Digital Security Strategy – Compliance (Privacy & Data Protection)
• Compliance Manager
• 4 Privacy Managers (UK & Western Europe, Germany & Eastern Europe, Americas, MoW)
• Data Privacy Co-ordinator in each country (Privacy Officer)

Foundation Documents
• Privacy & Data Protection Policy & Security of Information Policy
• International Intra-Group Data Protection Agreement
• Codes of Practice (applied globally)
• Fair Processing Statements
• Employee Code of Conduct

Privacy & Data Protection Policy
• Applies where no local legislation
• Ties in with IGA
• Based on EU Data Protection Directive
• Principles for information processing
• Rights and responsibilities
• On Intranet – provided in induction phase
Security of Information Policy
Retention Guidelines/Schedules

International Intra-Group Data Protection Agreement (IGA)
• Signed off by Country President
• Permits individual BP operations to meet legislative obligations where data transfers are regulated
• Allows trans-border data flows via gaining the consent of individuals through the issue of a Fair Processing Statement (FPS)
• Commits businesses to respect relevant local legislation
• Creates a common business standard through implementing the Global Data Protection Policy
Implementation
• Designate a Country Data Protection Coordinator (full or part-time)
• Education & Support
• Compliance through monitoring

Codes of Practice
CCTV
• Consistent application
• Model signage
• 40 pages
Employment
• UK model
• Suggested standards
• 91 pages (plus supplementary guidance)!

Fair Processing Statements
• Information for employees about information collected, held and its uses
• Authority to process information as described
• Explanation of data held in HR systems
• Third Party Processor’s privacy notice (UK)
• Campaign to issue one to each BP employee – new and existing!

Code of Conduct
• “Our Commitment to Integrity”
• Specifically refers to privacy
• “…there should be no gap between what we say and what we do…”
• Misuse of information
• Privacy and employee confidentiality
• Data quality
• Protecting BP’s assets (includes information)
• Intellectual property
• Security

Privacy Compliance Audits
• Use UK Information Commissioner’s methodology
• Adapted for local legislation or BP Privacy Policy
• “Heavy” and “Light”
• Monitor privacy compliance at that time
• Interviews with staff – functions or processes
• Audit report – non-compliances and observations
• Risk Register – checks follow-up actions