Avoiding some of the most common legal pitfalls.
Outsourcing your HR functions can be a step toward improving HR costs and services. But it could also be a step down a slippery slope of snowballing legal concerns. Here’s how to avoid some of the most common legal pitfalls of HRO
As more and more companies seek to outsource and offshore business activities, employees and employee organizations are becoming increasingly concerned. Among other things, employee organizations might seek to use the emerging data privacy rights to stem the tide of these outsourcing and offshoring activities. One situation where such privacy rights are particularly relevant is where the transaction relates to the collection, use, or disclosure of personal information about the employees themselves, such as in the case of HR business process outsourcing (BPO). Employees who remain with the employer or who are transferred to the HR service provider may have privacy rights that can be used to directly interfere with the transaction, because it is their personal information that will be disclosed to the provider. In order to help address the regulatory requirements, a global employer who is looking to outsource or offshore all or part of its HR business function should take at least the following steps:
1) Establish a Privacy Contract with the HR Service Provider. Many privacy laws expressly require the employer to establish a specialized privacy contract with the provider, often called a data processing contract. The required contents of the data processing contract will vary depending on the jurisdictions at issue, but they generally include confidentiality and use limitations, obligations to provide appropriate technical or organizational security, and other provisions.
4) Consider the Rights of Employee Representative Bodies. The employer should also consider the rights of any works councils, trade unions, or other employee representative bodies. In many jurisdictions, the employer will have obligations to engage in prior consultations with these bodies with respect to the privacy issues associated with the transaction, and seek their non-binding recommendations. The rights of these bodies might be enhanced, however, if the transaction involves the cross-border transfer of personal information (as discussed below), or if the employer will ask individual employees to provide express consent.
5) Consider Any Cross-border Transfer Restrictions. Many privacy laws restrict the transfer of personal information to foreign jurisdictions, unless there is adequate protection for such data in the place where it is received. There are generally several approaches to addressing these issues. For U.S. providers, one option would be for the provider to join the U.S.-E.U. Safe Harbor Data Privacy Arrangement. However, this might be only a partial solution, because some form of data processing contract would probably still be required.
6) Penalties and Practical Issues. As noted above, affected employees and/or their representative bodies may have direct rights to pursue actions against the employer for the failure to meet these obligations, as well as to file complaints with local data protection authorities (who have powers to investigate and take other enforcement actions). Moreover, privacy laws generally contain significant potential consequences for violations, such as fines, injunctive relief, and even potential criminal penalties for corporate officers. All these potential penalties could pose significant obstacles to the transaction, as well as affect employee relations and other business concerns. Therefore, it is worthwhile to take the time to address these issues properly.