Archives for February 2016

Are You Concerned About Global Privacy? You Should Be!

You likely believe that your organization’s data – operating, financial, human resources – is a key resource and you have policies and processes in place to mitigate any risk.

Whether or not your organization operates in just one province, or just within Canada, you should understand that the principles and guidelines of data management are not grounded in geographic jurisdiction.  Data management, and the security and privacy of that data, is a global issue.

Goodbye Safe Harbor

In October 2015, the “Schrems” decision by the European Court of Justice ruled that the “Safe Harbor” structure between the US and the European Union (EU) is invalid.[1]

The US has no federal privacy law (a source of serious concern to many organizations), and Safe Harbor was the means by which US-based firms could previously get blanket approval regarding the movement of personal data, including HR data, between the US and all EU member countries.

This decision is a direct result of the considerable suspicion of the global community regarding the extent of US government surveillance of personal information (via The Patriot Act, and others).  The US’s National Security Agency (NSA) has taken the position that non-US citizens have no rights regarding an expectation of privacy.

Further, US law requires US-based organizations to comply with surveillance orders, so the concept of data privacy becomes almost moot.[2]

US Swarm Regulation

The lack of countrywide legislation in the US has spawned an industry-based approach to the regulation of data privacy.

Companies face multiple state and federal regulators on an industry-to-industry basis, producing an ever growing swarm of regulation that is simultaneously inconsistent, conflicting, and full of gaps.  Major US-based technology companies (Apple, Microsoft, and Google, to name three) have been outspoken about this problem since diverse legislation is both frustrating and costly.[3]

Hello EU/US Privacy Shield

Schrems fired a shot across the bows of the US intelligence and business communities by opening the door for each European country to apply its own regulations for organizations moving personal data to the US, and possibly forcing organizations to host personal data exclusively within Europe. It also created the foundation for a pan-European General Data Protection Regulation (GDPR) that takes full effect in 2018.

On February 4, 2016, the European Commission and the United States announced a new framework agreement for transatlantic data flows: the EU-US Privacy Shield.  It is intended to protect the fundamental right of privacy of European citizens while at the same time providing legal certainty for the thousands of US-based businesses that serve them.

As always, the devil will be in the details and the evolution of the full draft complete with regulations will be of considerable interest through the remainder of 2016.

Oh Canada

The good news is that (so far) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been considered adequate to protect personal privacy, and an agreement similar to Safe Harbor has been unnecessary.

But the Canadian Communications Security Establishment (CSE), the lesser known of Canada’s two spy agencies which focuses on electronic surveillance, may give rise to concern as well.

The Canadian Anti-terrorism Act gave the CSE expanded use of electronic surveillance, authorizing it to intercept foreign communications that begin or end domestically, as long as one party is outside Canada. CSE shares information with intelligence agencies in the so-called “Five Eyes” group of countries — namely the US, UK, Australia, New Zealand and Canada.  The European Union’s success in challenging the NSA could easily mean that attention shifts to the CSE.

Canadian Model Leads the Way

The EU/US Privacy Shield announcement includes an Ombudsman-style redress mechanism similar to Canadian Federal and Provincial Privacy Commissioners.

This may be one of the more interesting aspects of the agreement as it seems to mean that the US could FINALLY, actually create some form of “Privacy Czar” (a.k.a. office of data protection or privacy.)

Global Data Management Rules

History has shown us that concepts and laws in one jurisdiction rapidly spread. Recall the 2002 advent of the US’s Sarbanes-Oxley (SOX) Act regarding securities and financial controls.  That law almost immediately spawned corresponding Canadian legislation.

Data management legislation will likely closely follow SOX in significantly increasing the legal responsibilities of executive management with regard to the privacy and security of personal data. Organization policies and procedures will follow directly. This strikes a major blow against organizations that try to consolidate data into an effective and efficient single database (look out Big Data!!) and creates enormous uncertainty surrounding global data management.

If your organization’s operations transcend national borders the challenge will be to construct a data privacy and security strategy, as well as processes that maximize data utility and minimize risk of loss or misuse.

The growth of technology and the impact on data management has spread like an epidemic across the world and the concept of national boundaries has become largely meaningless.  Expecting that a national border will change the nature or flow of data is as realistic and probable as expecting it to stop the spread of the flu. In that regard, the EU-US Privacy Shield is a positive step in the global data management challenge since it helps provide some structure to the swarm reality of the US’s current approach.

Data sharing can’t be taken for granted any more. Companies and their cloud providers are more responsible than ever for data sovereignty, and this responsibility is only going to increase when the European General Data Protection Regulation (GDPR) is adopted, leaving organizations with a two-year time limit to comply. The penalties for wrongdoing are well publicized and severe for companies that fail to adapt to the new data privacy landscape.[4]

Canada-US Data Management Challenges

Data management challenges are not limited to privacy and security.  Canadian users of services such as Netflix or Apple’s iTunes will have experienced the frustration of Canadian licensing laws limiting access to content.  These laws are as much based on nationality as on geography. For example, a Canadian in the US cannot buy US content if the devices being used for access are linked to Canadian IP addresses or cell-phone carriers.  Meanwhile the data flows illegally across the border through a variety of innovative technical end-arounds.

Looking Forward

Individual consent seems to be increasing in importance although that process is the most administratively burdensome, in part because it can be revocable, and because adequate tools to manage that process are in very short supply.

That places pressure on a variety of management activities – such as business analytics – which will clearly be affected by the trend to recognize individuals’ notice rights, including third-party protection (naming names), retention periods, the right to be forgotten, purpose and transfers.

Trying to analyze and act on collective data will be very complex.  For example, profiling based on sensitive data can only be done with explicit consent.

International agreements to deal with these realities are expected.

 

About the Author

Ian Turnbull is a Director of The Canadian Privacy Institute, formerly a subsidiary of Laird & Greer Management Group Corp. A former Chair of the Canadian Council of Human Resource Associations (CCHRA) and of the International Association of Human Resource Information Management (IHRIM), his latest book (Carswell 2014) is HR Manager’s Guide to Managing Information Systems.  Ian has a BA and MBA from Western University (The University of Western Ontario) and obtained his professional human resource designation, the CHRP, in 1992.

 

———————————————-

1 The author gratefully acknowledges the early reporting and ideas of Jon Neiditz of Kilpatrick Townsend & Stockton of Atlanta GA, US, and Kevin Duggan, President & CEO of Camouflage Software.

2 Roberts, D. & Ackerman, S. (2013, June 7). Anger swells after NSA phone records court order revelations. Retrieved February 7, 2016, from http://www.theguardian.com/world/2013/jun/06/obama-administration-nsa-verizon-records.

3 Neiditz, J. (2015, November 14). No Harm, Big Foul: Why Yesterday’s LabMD Decision is Stunning and Important. Retrieved February 12, 2016, from http://datalaw.net/no-harm-big-foul-why-yesterdays-labmd-decision-is-stunning-and-important/.

4 Help Net Security. (2014, March 17). EU sets huge fines for firms who violate users’ privacy. Retrieved February 22, 2016, from https://www.helpnetsecurity.com/2014/03/17/eu-sets-huge-fines-for-firms-who-violate-users-privacy/.

Help Wanted: HR Analysts

Get ready to see this job ad a lot in the near future. 2016 seems to be the year when HR Analytics hits the windshield of our corporate bus. There is an increasing demand from organizational leaders for evidence-based decision making.

Unfortunately I think it will take a while for our certification programs in HR to fully integrate these needs into the supporting training.

At present we can end up with a situation where we have lots of data but unfortunately, it isn’t the data we need, or it isn’t accessible in a meaningful way.

So, to be successful at HR analytics what do we need?

  1. We need a real business problem to work on. Sometimes people work on a problem because it is one that we have data for, but it doesn’t really solve an organizational need. To be successful, the first thing you need is a business or organizational problem where analyzing data would help provide a solution.
  2. We need to choose the right tools. Unfortunately if the only tool we have is a hammer, all problems can look like nails.  So it is necessary to have several analysis methods in our tool chest and know which one to use in which circumstance.
  3. We need the analytical skills to select the data we need and draw conclusions from it.
  4. We need to be able to decide how to present the information to people who haven’t been living with it.
  5. Lastly and very importantly, we have to be able to use the data to tell a story. Data without a story will not be acted on.  A story without data won’t be believed.

If all this sounds daunting, it shouldn’t. It is a matter of breaking it up into small enough bits to not be intimidated, and then putting the bits together in a coherent way.

The ability to do HR analytics work is soon to be an essential part of every HR professional’s toolkit.

Want to learn more? Check out the new Queen’s IRC HR Metrics and Analytics program.

About the Author

Paul Juniper (MA, Geography (York); CHRL; SPHR; SHRM-SCP; Honourary Life Member, HRPA) is the Director of the Queen’s University IRC. As a leading and respected figure in Canada’s HR community, Paul has over 30 years of experience in human resources and association leadership. Paul is particularly sought for his views on the future of the human resources profession. He speaks regularly at conferences on trends in human resources, and the ways in which individuals and their organizations can continue to raise the bar on HR. Paul developed and designed the Queen’s IRC Advanced HR Certificate to meet the increasingly complex professional

Hunter Harrison and the Transformation of Canadian National Railway

When Hunter Harrison joined the recently-privatized Canadian National Railway (CNR) in 1998 as Chief Operating Officer, the company was generally acknowledged as one of the worst railroads in North America, highly indebted, perpetually in the red, and losing market share to the more efficient, flexible and newly deregulated U.S. railway and trucking industries. Recruited by Chief Executive Officer, Paul Tellier, for his skills and experience at Illinois Central, Harrison along with Tellier moved swiftly to transform CNR into a “scheduled precision railway” and to introduce needed efficiencies. Soon thereafter the company shed over 11,000 employees and thousands of miles of track.

After Tellier left the company in 2003, Harrison was appointed as his successor. The challenge was enormous. A cultural overhang still existed from the railway’s public sector days when it was more of an employment generation device than a business, complete with regionalism, isolation from commercial pressures, formal chains of command, hostile unions and a culture of entitlement. Would Harrison be able to complete the transformation or would the company sink back into mediocrity? Fast forward to 2008 and CNR was then widely recognized as the most efficient railway in North America. How he accomplished this cultural transformation is nothing short of miraculous.

An effective change leader needs five skills which I call the five Ps: Passion, Plan, Persuasion, Partnering and Perseverance, and Harrison had all of them in abundance.

>> This paper is one chapter from Dr. Carol A. Beatty’s e-book, The Easy, Hard & Tough Work of Managing Change. The complete e-book is now available on our website at no charge: Download

Queen’s University IRC 2015 Workplace in Motion Summit Proceedings

The world of work is changing, and the most successful organizations and practitioners are those that understand how these changes impact the way they do business. To help them do so, and to foster further dialogue, Queen’s IRC hosted the Workplace in Motion Summit in Toronto on April 16th, 2015. Over 100 human resource, labour relations, and organizational development professionals from across Canada attended the Summit. Chaired by IRC facilitator Brenda Barker Scott, the Summit provided a forum to stimulate new ideas and new perspectives on the dynamic new world of work.

The Summit focused on a variety of questions of interest to today’s human resource, labour relations, and organizational development professionals. More specifically, it helped participants:

  • Identify issues and best practices related to current trends and practices in human resource management, labour relations, and organizational development.
  • Explore how rapidly emerging technologies are shaping and re-shaping modern workplaces and the way we work.
  • Investigate the impact of changing demographics on contemporary organizations.

This was all done with the intent of identifying how they can better lead change and promote excellence within and beyond their organizations and professional networks.

Over the course of the Summit, several themes emerged that were particularly critical to today’s human resource, labour relations, and organizational development professionals. These included the need to:

  • Manage change and transformation in order to advance organizational and professional interests with as little disruption as possible.
  • Create the physical space, infrastructure, technologies, and systems necessary to support a collaborative, open, and innovative workplace and work culture.
  • Engage, retain, and motivate the new generation of employees and to bridge inter-generational gaps in the workplace.
  • Think outside the box in order to appropriately encourage risk-taking and innovation.

This report elaborates on the most important questions, issues, and themes identified by Summit participants going forward.
