Mission Possible: Managing Investigation Information Privacy

Posted by Joe Gerard in Corporate Security, Ethics & Compliance, Human Resources, Information Security on January 11th, 2011

Most of us wouldn’t think twice about emailing corporate documents or investigation information to an employee in another country. Depending on the information contained in the documents, you could find yourself treading in some pretty deep water. Transparency and access to information are important in the workplace, but they pose a number of challenges for multinationals. With privacy laws in place, being compliant can sometimes feel like a barrier to getting the job done. Your location and the destination of your information can sometimes limit what you are allowed to communicate.

New Land, New Rules

A lot of investigations require collaboration. For example, investigators at the company’s home office might be working together with investigators in another country where an incident took place. In these situations, there must be safeguards in place to ensure the treatment of personal information is consistent with the laws of each country or region. The same rules apply to gathering evidence, as you might not be able to find all the pieces you need locally. As the article “Why Cross-Border Litigation is a Compliance Concern” from the Sarbanes-Oxley Compliance Journal puts it:

“Responding to cross-border e-discovery requirements can be a risky and complex procedure since it is not simple to transfer electronic data from one country to another.  In contrast to the U.S., where most emails and documents produced in the office belong to the company and can be used openly, Europe fervently protects the privacy of employees, restricting the disclosure of anything that could be considered personal data.”

In some cases, data privacy laws vary at local and regional levels. In the EU, data can only be transferred from the region to other countries that have been identified as having adequate laws in place to protect the privacy of personal information. Canada is one of these countries. The Office of the Privacy Commissioner of Canada describes privacy law in Canada as follows:

“PIPEDA uses an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organizations.”

Investigations

Investigations deal with a significant amount of personal information. In some cases, like the scenario I mentioned earlier, investigation information may have to be transferred across borders. Customizable case management software makes it easier to address privacy rules, as rules can be built into the system to help investigators remain compliant. As laws change, the software can be adjusted to reflect these new laws without having to bring in an entirely new system.

A lot of the privacy issues raised by internal investigations can’t be discussed properly in a single blog post; I want to give each issue the attention it deserves. Stay tuned for some upcoming posts where I’ll break down each of the privacy concerns affecting investigations and how to manage them effectively.


Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.
