Workplace Investigations and Information Privacy

Posted by Joe Gerard in Corporate Security, Information Security on April 28th, 2010

Privacy and information protection are issues addressed during the planning stages of the investigative process. Cases involving top level executives, multiple employees or cases dealing with legal violations are sensitive matters requiring the highest level of confidentiality. Some workplace investigations require that access is restricted within the investigative unit itself.

Security and privacy are also important issues when information is transferred across borders within an organization, as the level of security over personal and corporate information differs, further complicating workplace investigations.

Investigations and Personal Information Security

In many countries, information can only be exported out of the country if federal laws approve of the security standards established in the destination country. In the GRC 360 blog post “Resolve: Part of Internal Investigations for Control and Compliance Violations (5 of 5)”, the authors touch on the issue of global considerations related to personal information transfer during investigations:

“Rules governing how personal information must be handled are different all around the world. For example, the European Union’s Directive on Data Protection restricts the transfer of personal data to non-EU nations that do not meet the European Union’s ‘adequacy’ test for privacy protection, namely the United States. As such, any information gathered in the EU before or during an investigation may or may not be allowed to be transmitted to a U.S. location for analysis or follow-up.”

In 2001, Canada established the Personal Information Protection and Electronic Documents Act (PIPEDA). On December 20th, 2001, the EU recognized PIPEDA as providing sufficient protection of certain pieces of personal information when transferred between Canada and the EU. This recognition allows information to be transferred between the two areas, within specified industries, without additional safeguards being put in place.

Executives and investigation managers of multinational companies need to understand the different laws and regulations governing the transfer of information across borders in order to implement channels for “cross-border data transfers”. In the White & Case Newsletter “Global HR Hot Topic: Conducting Internal Employee Investigations Outside the US (part 1),” the authors discuss the importance of cross-border data transfers and the need to establish information channels before investigations begin:

“In cross-border investigations, information identifying employees almost inevitably gets transmitted back to headquarters. Before undertaking a specific investigation, build channels allowing the legal ‘export’ of investigation data. This is a keen issue in jurisdictions like Belgium and the Netherlands where laws impede cross-border transmissions of workplace accusations specifically. In Europe these channels include ‘model contractual clauses,’ ‘safe harbor,’ and ‘binding corporate rules.’ If existing channels fail expressly to cover ‘investigation’ data, expand them. In Hong Kong an appropriate data-export channel can be employee-signed data-transfer consents. Start early: Building these channels takes time, and it will be too late after a specific allegation or suspicion sparks an actual investigation.”

Investigation Privacy with i-Sight

Most countries have laws that govern how personal information is collected, handled and used. Since many companies operate in multiple jurisdictions, i-Sight has policies and procedures in place that ensure compliance with global privacy laws.

  • In Canada, the Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA) governs this.
  • In the US, two acts come into play: the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999.
  • The EU has two pieces of privacy legislation as well: the EU Data Protection Directive and the EU E-Privacy Directive.

The following is a list of some of the principles that are built into i-Sight Software to ensure compliance with privacy laws:

Consent for the Collection, Use, and Disclosure of Personal Information: The knowledge and consent of the individuals are required for the collection, use or disclosure of personal information, except where inappropriate.

Limiting Collection of Personal Information: The collection of personal information will be limited to that which is necessary for the purposes identified by Customer Expressions (CEC), the company behind i-Sight. Information will be collected by fair and lawful means.

Limiting Use, Disclosure and Retention of Personal Information: Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by contract or law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

Ensuring Accuracy of Personal Information: Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Ensuring Safeguards for Personal Information: Security safeguards appropriate to the sensitivity of the information will protect personal information. Administrative, physical, and technical safeguards are provided to ensure that all personal information is readily available at all times to those that have access rights to the information. The CEC Information Technology Policy (ITP) Manual outlines those safeguards.

Openness about Personal Information Policies and Practices: CEC will make readily available to individuals upon request specific information about its policies and practices relating to the management of personal information as outlined in this manual.

Individual Access to their own Personal Information: Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

To learn more about our commitment to world class security and reliability at i-Sight, please review our “i-Sight Security and Reliability” manual.

Joe Gerard

VP Sales & Marketing

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.