Friday, October 24, 2008

Firm Directories and Privacy

The Human Resources group at your firm has lots of information about you. They probably publish a portion of that information to your internal photo-directory. Have they just violated some privacy laws? Can a 2.0 directory avoid the violation?

The European Union has much stricter limits on privacy than the United States. [See 31995L0046 EU Directive 95/46/EC] The EU prohibits the publication of an electronic directory with any "personal data", which is broadly defined as any reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The big exception is when the data is published after the "data subject's consent." There is much thought that a request by an employer to an employee is inherently coercive. (Are you afraid of losing your job if you do not submit the information?)

It seems that a wiki-like directory could solve the consent issue. You could publish the directory with just the basics: name and phone number. The employee can then add whatever information they want. There is consent, because the employee voluntarily took the time to add the information. The stored history of the wiki page can show who added the information.

There are a few prohibited areas under the EU Directive: revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. You would want those excluded from a company directory anyhow.

Maybe you should rethink your company directory? What are your thoughts?
