6 Steps to LAW & HR-ORDER

Avoiding some of the most common legal pitfalls.

by Michael S. Mensik, Brian L. Hengesbaugh

Outsourcing your HR functions can be a step toward improving HR costs and services. But it could also be a step down a slippery slope of snowballing legal concerns. Here’s how to avoid some of the most common legal pitfalls of HRO.

As more and more companies seek to outsource and offshore business activities, employees and employee organizations are becoming increasingly concerned. Among other things, employee organizations might seek to use the emerging data privacy rights to stem the tide of these outsourcing and offshoring activities. One situation where such privacy rights are particularly relevant is where the transaction relates to the collection, use, or disclosure of personal information about the employees themselves, such as in the case of HR business process outsourcing (BPO). Employees who remain with the employer or who are transferred to the HR service provider may have privacy rights that can be used to directly interfere with the transaction, because it is their personal information that will be disclosed to the provider. In order to help address the regulatory requirements, a global employer who is looking to outsource or offshore all or part of its HR business function should take at least the following steps:

1) Establish a Privacy Contract with the HR Service Provider. Many privacy laws expressly require the employer to establish a specialized privacy contract with the provider, often called a data processing contract. The required contents of the data processing contract will vary depending on the jurisdictions at issue, but they generally include confidentiality and use limitations, obligations to provide appropriate technical or organizational security, and other provisions.

2) Review the Employee Privacy Policy. Many privacy laws require employers to provide privacy policies or notices to employees that explain how and why the employer collects, uses, and discloses personal information about them. In some jurisdictions, such as parts of the European Union, the notice must provide the actual identities of the third parties that may access the information. The employer should therefore review such privacy notices, and make sure they are properly updated where appropriate to reflect the planned outsourcing activities.

3) Consider Whether Employee Consent Is Required. Under many privacy regimes, the transaction can probably be completed without obtaining the express consent of individual employees, as long as the employer has established an appropriate data processing contract with the provider, and other conditions are met. However, there are several situations where consent might be required. For example, consent might be required under local law if the employer's privacy policy is overly restrictive or otherwise inappropriately drafted, especially with respect to disclosures to third parties.

4) Consider the Rights of Employee Representative Bodies. The employer should also consider the rights of any works councils, trade unions, or other employee representative bodies. In many jurisdictions, the employer will have obligations to engage in prior consultations with these bodies with respect to the privacy issues associated with the transaction, and seek their non-binding recommendations. The rights of these bodies might be enhanced, however, if the transaction involves the cross-border transfer of personal information (as discussed below), or if the employer will ask individual employees to provide express consent.

5) Consider Any Cross-border Transfer Restrictions. Many privacy laws restrict the transfer of personal information to foreign jurisdictions, unless there is adequate protection for such data in the place where it is received. There are generally several approaches to addressing these issues. For U.S. providers, one option would be for the provider to join the U.S.-E.U. Safe Harbor Data Privacy Arrangement. However, this might be only a partial solution, because some form of data processing contract would probably still be required.

6) Penalties and Practical Issues. As noted above, affected employees and/or their representative bodies may have direct rights to pursue actions against the employer for the failure to meet these obligations, as well as to file complaints with local data protection authorities (who have powers to investigate and take other enforcement actions). Moreover, privacy laws generally contain significant potential consequences for violations, such as fines, injunctive relief, and even potential criminal penalties for corporate officers. All these potential penalties could pose significant obstacles to the transaction, as well as affect employee relations and other business concerns. Therefore, it is worthwhile to take the time to address these issues properly.
