What investigators need to know—and do—to adhere to data privacy laws during ethics and compliance investigations.
Investigations of potential misconduct can be taxing for any organization. But for organizations operating in multiple countries, the variability of data privacy laws around the globe presents a special challenge. Indeed, in a 2013 survey conducted by KPMG, multinational organizations ranked data privacy and data protection related challenges as the single biggest challenge presented by cross-border investigations—ahead of lack of resources, cultural differences and the legal and regulatory environment.
The stakes are high: if investigators violate data privacy laws, not only do they expose their organization to reputational damage (“naming and shaming”) and sanctions, but individuals can also be held personally liable and criminally prosecuted.
Generally speaking, data privacy rules apply to the collection, processing (including virtually any use of the data, such as reviewing, analyzing and aggregating information), and cross-border transfer of information that may personally identify an individual (i.e. PII, personally identifiable information).
As a result, the potential to run afoul of data privacy requirements is almost unlimited, since these rules affect virtually every stage of an investigation, from initial coordination to evidence gathering to reporting.
In this post, we'll consider the data privacy issues raised by an investigation by an ethics and compliance officer we'll call Pascal.
Pascal is an investigator who has just been assigned to investigate an allegation of misconduct. The allegation states that Audrey, a regional senior vice president, has been receiving kickbacks from key suppliers and may have been using some of the funds received to entertain local government officials.
1. Challenges During the Initial Coordination and Communication Phase
Given the seriousness of the allegations and the seniority of the person involved, Pascal believes he is required by policy to alert his organization's headquarters, which is in another country.
If the information Pascal intends to share includes Audrey's name, the name of the individual who raised the allegation, or information about either person (such as his/her position within the organization, work-site location, etc., such that the information would allow identification of the person even if they are not named explicitly), then, in a number of countries, transferring the data across borders would be covered by data privacy rules. In such cases, the transfer of the information must comply with specific rules. Depending on the country involved, these might include:
- Providing notice to the individuals whose data is at issue that a matter involving them has been raised
- Obtaining consent from the individuals whose data is at issue
- Providing the opportunity for the individual to review the information submitted
- Promptly deleting information once it is no longer necessary for the investigation
- Ensuring that sufficient safeguards against unauthorized access to the data and confidentiality of the data are in place
The risk is that individual investigators like Pascal, if they are not aware of data privacy requirements, may transfer PII without a second thought—perhaps by simply sending an email to a colleague in the compliance or business conduct office. A similar risk exists whenever the investigator communicates with colleagues in other countries, for instance, to give updates on the progress of the investigation or to provide a final report.
2. Challenges in Obtaining Email or Other Electronic Communications as Evidence
Based on information Pascal has obtained through interviews, he suspects that Audrey has sent or received emails that contain evidence of the kickbacks. As a result, he intends to ask his organization's IT department to provide him with access to Audrey’s work emails for the past three months.
The ability of an employer to review emails sent and received using its corporate email system varies dramatically by country. In some countries, there is little restriction on the ability to review the messages, since they are seen as the “property” of the employer or, alternatively, simply as data residing on the employer’s servers. In other countries, there may be significant limitations on the ability to review such messages. In France, for example, if an employee marks an email as “private” in the subject line, the employer generally is prohibited from reviewing its content.
From an investigator’s point of view, this is a significant handicap. Since the emails may contain valuable evidence of wrongdoing, the investigator very much would like access to them. But, an employee aware of the rules could simply label an email containing evidence of wrongdoing as “private” in order to shield it from scrutiny.
In addition, the employer is also typically prohibited from reviewing emails sent using personal web-based email accounts (such as Gmail, Yahoo, etc.) via the employer’s internet connections and possibly even prohibited from monitoring an employee’s internet usage altogether.
In France, additional constraints exist. Even if an email is not labeled “private,” the employer may not be able to rely on the content of the email as evidence of wrongdoing unless the content itself is a violation of the law or the employer’s policies. For example, an email containing romantic messages between colleagues who are having an affair would not be permitted as evidence of the affair (even when romantic relationships between co-workers are a violation of policy), since the act of sending romantic messages is not a policy violation. By contrast, an email sharing confidential information about an upcoming merger would be a violation of policy, and thus would be permitted as evidence of wrongdoing.
Finally, even when review of electronic messages is permitted, it may be necessary for the employer to use sophisticated software—or hire a third-party forensic consultant—to screen the messages first in order to limit access to only those messages that are most likely to contain relevant information. In other words, significant care must be taken to prevent access to emails that are not relevant to the investigation at hand. And, with highly sensitive data, it may be necessary to redact names and other identifying information.
3. Challenges in Communications With Outside Legal Counsel
Because the “entertainment” of government officials that is raised in the allegation against Audrey might violate anti-bribery laws, Pascal is instructed to coordinate closely with outside legal counsel. As Pascal obtains evidence, he sends summaries to counsel.
Communication between an employer and its outside legal counsel is covered by data privacy regulations in many countries. As a result, the employer needs to ensure that any disclosure of PII complies with local data privacy requirements. Do not assume that legal counsel will do the right thing or has all required protections in place. A good practice is to execute an agreement with legal counsel requiring them to secure and manage all PII in accordance with applicable law.
Unfortunately, there is no simple solution to the complex challenges of cross-border investigations. Data privacy laws across countries differ too greatly for there to be a one-size-fits-all, easy fix.
As a result, organizations operating in multiple countries need to coordinate with legal counsel (internal or external) to identify the specific rules that apply in those locations. Then, those rules need to be translated into guidance for investigators that clearly describes how—country by country—they should deal with transfers and processing of PII related to investigations.