Last week, we started looking at Safe Harbor data privacy principles and the purpose they serve in helping U.S. employers comply with EU privacy laws. The principles themselves are fairly straightforward as they apply to the workforce. They include the following:
Notice & Choice – Employers must notify job candidates, new hires, and employees when data is being collected and inform them of how it will be used. Individuals have the right to opt out of having their personal information collected and refuse to permit it to be forwarded to third parties. Obviously, there are situations where this would mean the employment relationship could not move forward; but the choice must still be presented.
Security & Distribution – Employers must take responsibility for implementing secure infrastructure, appropriate tools (such as software), and administrative processes to prevent the loss or theft of collected data. Employers must ensure that data transferred to a third party is handled following Safe Harbor data privacy principles as well.
Data Integrity, Access, & Enforcement – Employers must make an effort to ensure the data requested is pertinent to the purpose for which it is collected and that it is current and accurate. Employees must have the opportunity to review the information upon request so they can make corrections to data that is inaccurate. Employers must also institute practices and policies that ensure Safe Harbor principles are adequately enforced.
What’s Wrong with That?
Using these principles as a guideline is actually not a bad idea. However, there are some potential downsides to pushing “Safe Harbor” compliance as a required standard if you aren’t actually doing business in the EU. Some companies are using the Safe Harbor agreement in ways it wasn’t intended. For example, an employer doing business only in the U.S. might insist that certain vendors be certified under the Safe Harbor program even though it’s not really required.
Since there is currently no follow-up being done by the Commerce Department to ensure that certifications of compliance are actually valid, pretty much any company can advertise itself as compliant whether it is or not. There is no set way of going about meeting the Safe Harbor compliance requirements, which makes it easy for any company to self-certify. At the same time, if the U.S. government does decide to start enforcing compliance with audits and penalties, any business claiming to be certified that isn’t really up to speed could be placing itself at unnecessary risk.
Emerald Software’s Approach
At Emerald Software Group, we like to stay at the leading edge of compliance with all the best data privacy practices. However, we never claim to be compliant if we can’t back the statement up with assertion documents that demonstrate how we meet the security and privacy requirements of a particular standard. This means when you do business with us, you’re not just putting your trust in a label – you understand the steps we are taking to keep your employee data secure.