Information Privacy and Workplace Investigations

Tuesday, August 17, 2010

Lindsay Walker


Privacy and information protection are issues that should be addressed during the planning stages of the investigative process. Cases involving top-level executives or multiple employees, and cases dealing with legal violations, are sensitive matters requiring the highest level of confidentiality.

Some workplace investigations require that access is restricted within the investigative unit itself.

Security and privacy are also important issues when information is transferred across borders within an organization: the level of protection afforded to personal and corporate information differs from jurisdiction to jurisdiction, which further complicates workplace investigations.

Investigations and Personal Information Security

In many countries, information can only be exported out of the country if federal law approves of the security standards established in the destination country. In the GRC 360 blog post "Resolve: Part of Internal Investigations for Control and Compliance Violations (5 of 5)," the authors touch on the global considerations related to personal information transfer during investigations:

"Rules governing how personal information must be handled are different all around the world. For example, the European Union's Directive on Data Protection restricts the transfer of personal data to non-EU nations that do not meet the European Union's 'adequacy' test for privacy protection -- namely the United States. As such, any information gathered in the EU before or during an investigation may or may not be allowed to be transmitted to a U.S. location for analysis or follow-up."

In 2001, Canada established the Personal Information Protection and Electronic Documents Act (PIPEDA). On December 20th, 2001, the EU recognized PIPEDA as providing sufficient protection of certain pieces of personal information when transferred between Canada and the EU.

This recognition allows information to be transferred between the two areas, within specified industries, without additional safeguards having to be put in place.

Executives and investigation managers of multinational companies need to understand the different laws and regulations governing the transfer of information across borders before they can begin implementing channels for "cross-border data transfers".

In the White & Case newsletter "Global HR Hot Topic: Conducting Internal Employee Investigations Outside the US (part 1)," the authors discuss the importance of cross-border data transfers and the need to establish information channels before investigations begin:

"In cross-border investigations, information identifying employees almost inevitably gets transmitted back to headquarters. Before undertaking a specific investigation, build channels allowing the legal 'export' of investigation data. This is a keen issue in jurisdictions like Belgium and the Netherlands where laws impede cross-border transmissions of workplace accusations specifically. In Europe these channels include ‘model contractual clauses,’ ‘safe harbor,’ and ‘binding corporate rules.’ If existing channels fail expressly to cover ‘investigation’ data, expand them. In Hong Kong an appropriate data-export channel can be employee-signed data-transfer consents. Start early: Building these channels takes time, and it will be too late after a specific allegation or suspicion sparks an actual investigation."

Investigation Privacy with i-Sight

Most jurisdictions around the world have implemented legislation to govern the handling and use of personal information. We understand that many organizations operate across multiple jurisdictions and we follow a set of procedures to ensure compliance with all of the legislation listed below.

United States

  • (HIPAA) Health Insurance Portability and Accountability Act
  • (GLB) Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999

Canada

  • (PIPEDA) Personal Information Protection and Electronic Documents Act of 2000

European Union

  • EU Data Protection Directive
  • EU E-Privacy Directive

The following is a list of some of the principles built into i-Sight Software to ensure compliance with privacy laws:

Consent for the Collection, Use, and Disclosure of Personal Information: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

Limiting Collection of Personal Information: The collection of personal information will be limited to that which is necessary for the purposes identified by Customer Expressions (CEC), the company behind i-Sight. Information will be collected by fair and lawful means.

Limiting Use, Disclosure and Retention of Personal Information: Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by contract or law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

Ensuring Accuracy of Personal Information: Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Ensuring Safeguards for Personal Information: Security safeguards appropriate to the sensitivity of the information will protect personal information. Administrative, physical, and technical safeguards are provided to ensure that all personal information is readily available at all times to those who have access rights to it. The CEC Information Technology Policy (ITP) Manual outlines those safeguards.

Openness about Personal Information Policies and Practices: CEC will make readily available to individuals, upon request, specific information about its policies and practices relating to the management of personal information, as outlined in this manual.

Individual Access to their own Personal Information: Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

To learn more about our commitment to world-class security and reliability at i-Sight, please review our "i-Sight Security and Reliability" manual.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.