Welcome to the January issue of Mayer Brown’s Privacy Posts, a newsletter on privacy, security and data protection law that will report and provide commentary on developments and trends that are significant to our clients’ business across the globe. As always, we welcome your thoughts and comments and invite you to contact us with any feedback.
Employee Data Privacy—A Global Overview
Data protection has become a high-profile topic due to cases of mishandling and abuse of personal data. In response, employee data privacy laws around the globe are becoming more stringent. With increasing globalization and employee mobility, as well as the relative ease with which data can be transferred between legal entities and across borders, complying with all requirements relating to personal data has become a complicated exercise.
For example, in Hong Kong, a data access request is a statutory mechanism where an employee can obtain access to personal data held about the employee by his/her employer. Employees have been making these requests in order to obtain information about themselves in support of claims that they are bringing against their employers.
In the United States, the federal government has not passed any legislation aimed at broadly protecting the privacy and security of personal data. Instead, the federal government specifically regulates information that is obtained by particular entities (e.g., an employee’s health and fitness, social security number, address, credit reports, employer performance reviews). Each US state also has its own framework and laws regulating personal data collection, storage and destruction by employers, and the kind of request for personnel files that is new in Hong Kong is standard fare in the US.
In the United Kingdom, the collection and use of personal data is governed by the Data Protection Act of 1998 (the “DPA”), which requires anyone who handles personal information to comply with certain data protection principles. The DPA also gives individuals rights over their personal data. Employers will also need to refer to the Information Commissioner’s Employment Practices Code (the “Code”), which covers recruitment and selection of procedures, management of employment records (including medical information), monitoring of employees and the transfer of employment records in the context of a business sale.
To assist with these issues, Mayer Brown has recently published Employee Data Privacy—A Global Overview. This publication provides insight into 44 different jurisdictions in Asia, EMEA and the Americas. If you are interested in receiving a complimentary copy, please submit your request below.
Red Flag Provisions are Narrowed
On December 19, 2010, President Obama signed the Red Flag Program Clarification Act of 2010 (Act), which narrows the definition of creditor under the Fair Credit Reporting Act, as amended by section 114 of the Fair and Accurate Credit Transactions Act of 2003 (Section 114). Section 114 requires each financial institution or creditor to develop and implement a written identity theft prevention program to detect, prevent and mitigate losses from identity theft in connection with the opening of certain accounts or certain existing accounts. The Federal Trade Commission (FTC) and the federal banking agencies have issued guidance to assist financial institutions and creditors with the formation and maintenance of programs that satisfy these requirements.
In addition, the FTC and the federal banking agencies have issued regulations (Red Flag Rules) implementing the requirements of Section 114. The FTC’s Red Flag Rules have been controversial because of the broad interpretation of “creditor,” which covers providers of goods and services who regularly grant their customers the right to defer payments. The Act amends the definition to expressly exclude any entity that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
The Act is expected to resolve litigation initiated by the American Bar Association and other trade organizations challenging the broad scope of the FTC’s Red Flag Rules. The FTC’s Red Flag Rules required creditors to have a written identity theft prevention program in place by December 31, 2010, but implementation has been delayed numerous times due to legal challenges and the hope that Congress would ultimately resolve the dispute concerning the proper scope of Section 114.
Of Related Interest