meeting employee data privacy requirements across multiple jurisdictions
TRANSCRIPT
STRICTLY CONFIDENTIAL
HR Services, Manila – the beginning
HR Service Desk went live with services in August 2010
initial focus was limited to back office administrative tasks
initial service offering included employee data management and document generation for ANZ and ASIA regions
Macquarie’s approach
– getting the process right
Manila our preferred location
HR Services, Manila – where we are now
Doubled the number of HR Administrators, and introduced HR system administrators
Currently recruiting for senior leader roles and support staff
Staff are highly motivated and capable
Increased efficiency over the last few months
HR Services, Manila – where we are now cont’d
FUNCTION | REGION | TIMEFRAME
Data management | Australia, Asia | August 2010
Document generation | Australia, Asia | August 2010
Employment Screening administration | Australia, Asia | September 2010
Salary Packaging expense reimbursements | Australia | September 2010
IT Contractor Management | Australia | September 2010
PeopleSoft HR System Administration | Australia | October 2010
Benefit Administration | Australia | October 2010
Repatriation relocation payment reconciliations | Australia | December 2010
Employment Screening – services extended | Australia, ASIA | December 2010
Standard employment contract generation for India & Philippines | Asia | January 2011
Level 1 system support – selective HR systems | Global | February 2011
Data management | Americas | March 2011
Employee (Personal) Data Privacy….what is it?
personal data – the Australian Privacy Act
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion
differences in definition of personal data across jurisdictions
‘sensitive’ or specific identity data are referenced in some jurisdictions as requiring a higher level of control
data privacy considerations can be triggered by the transfer of personal data across:
– systems
– individuals
– entities
– borders
each country has their own data privacy requirements and a number have regional variations
compliance generally requires some or all of the following components
– internal controls to manage access and security of the data
– data processing agreements
– registration with/permission from relevant data protection agencies/employee representatives/works councils
– employee consent
And just when you thought it was straightforward….
data privacy regulations are high on the agenda of a number of countries
data privacy requirements are under review/changing in many countries/jurisdictions with a significant number of complex draft bills
significant interpretation is often required
significant differences exist in current regulations, and regulations are often not reflective of the current business environment of increased international data flows and electronic transfers
Complex data privacy environment and corresponding processes/mechanisms
review our data privacy position
Our approach
obtain professional legal advice:
– what are the controls/constraints for each country/jurisdiction that we operate in?
    for some countries this could be virtually nothing
    for others substantial constraints apply
– what are the penalties for non-compliance?
    Europe has substantial penalties
– we used both internal and external legal advice to understand the requirements in each country/region/jurisdiction and how to address gaps
review existing internal controls, this includes:
– applicable policies
– controls