You head HR for a regional hospital that has a 21st century career site and a vigorous branding and outreach program. Your jobs are posted to one of the major job boards, to niche and diversity sites, and to the free distribution services.
You follow all the rules, keep great records, and even passed an informal EEOC inquiry a couple years ago.
But lurking in your ATS is proof you’re breaking the laws of Germany, or maybe France, or possibly Canada. Maybe all of them. You never wanted those resumes (CVs, if you prefer), wouldn’t sponsor the candidates, and had no interest in hiring anyone from outside the region, let alone the United States. But now that you have applicants from countries with tough privacy laws, you are bound to follow them.
“Some companies assume that because they do not have a physical operating presence in Europe or Canada that such privacy laws do not apply to them,” says HR privacy expert Dr. Donald Harris. “This is an erroneous and risky assumption.”
President and founder of HR Privacy Solutions, Harris advises companies on complying with U.S. and international laws regarding the collection and use of employee information.
Even a company with no physical presence in a foreign country may be bound by its laws, he says, should it recruit there. As you can see from the hospital example, recruiting doesn’t have to be active in order for the rules to apply. Receiving a single resume from a foreign national is enough to trigger the application of the privacy rules of the job seeker’s country.
“We are living in a global world, so things are changing, ” Harris says, explaining that the privacy rules of the European Union and its member countries are designed to protect their citizens’ personal information. “The Europeans don’t want to see their laws ignored.”
What keeps our HR hospital executive out of the hot water is that no country is actively pursuing such minor violations as storing CVs beyond the legal limit, or not providing the individual the right to delete their resumes at will. “Enforcement is very difficult for them,” Harris conceeded. The U.S. has no treaties or reciprocal agreements with other countries on these issues, so the impact of foreign rules is muted.
But, warns Harris, “While regulators may have considerable difficulty in enforcing the laws with a foreign company, the laws do apply and international cooperation amongst privacy regulators is increasing. After all, what self-respecting government would allow the Internet to provide a free pass for circumventing its laws relating to privacy, employment, or a host of other areas?”
While the hospital in our example may never open a clinic in a foreign country, or otherwise do business there, a manufacturer might. So might other companies.
“One really has to look at where a company is going” before it decides to ignore foreign rules, Harris observes. If in the future it does decide to go global, its past transgressions could exact a cost.
“And even apart from the legal issues,” says Harris, is showing ignorance or disregard of local laws and expectations about personal information a smart way to go about recruiting someone?”
So what could our fictional hospital do to avoid breaking foreign privacy rules? Here are some simple steps:
- Use pre-application questions that includes a geographic qualifier;
- Discard applications from foreign countries upon receipt;
- Make sure your site has a privacy statement that says what you will be doing with the collected information. Harris recommends that countries that are doing business globally take a look at Boeing’s privacy statement for guidance;
- Review what the European Union says about HR data collection.
In the October issue of the Journal of Corporate Recruiting Leadership we discuss this and other international privacy concerns with Harris and offer his insights on the trends in HR privacy. The Journal is available by subscription only.