EU Data Protection Act and Sarbanes Oxley - any conflicts? 470

  • On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines.
    The French Authority’s view was that such hotlines are ‘disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert.’
    In a similar decision the following day, a German Labour Court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblowers hotline breached German labour law.

    Quelle surprise :roll:
    McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead .
    Nice to see that there’s still a solution from a SOX point of view

  • This is a good point Denis. It was good that you pointed to this, as it would have been lost in my large message.
    There is still a reason for concern. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management except complaints concerning senior management in France, which would be investigated by the parent company.
    A would not want to be a member of this strange multinational disclosure committee …

  • There is a very interesting paper about the issues we discuss, from the Institute of Chartered Accountants in England and Wales (ICAEW), the largest professional accountancy body in Europe with over 125,000 members in 142 countries worldwide.
    ‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’
    2.18: Data collected for the purpose of specific engagements should not be used for other purposes.
    Institute of Chartered Accountants in England and Wales
    Since the establishment of the Cadbury Committee in 1991, it has played a significant role in the development of corporate governance. For example, the Turnbull Guidance on Internal Control published by the ICAEW was approved by the Securities and Exchange Commission (SEC) as a framework for compliance with Section 404 of the Sarbanes-Oxley Act.

  • Thank you George

  • You are very welcome

  • A great sourse of information about privacy and data protection issues:

  • I received one email and as I promised, I write my answers here for all my friends in the list.

    1. ‘If we use COBIT, where is the high level control objective and where the detailed objectives for privacy?’
    2. ‘What audit work is involved?’
    3. High-level control objective PO8, Ensure compliance with external requirements:
      Control over the IT process of ensuring compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations is enabled by identifying and analyzing external requirements for their impact, and taking appropriate measures to comply with them and takes into consideration:
      Laws, regulations and contracts
      Monitoring legal and regulatory developments
      Regular monitoring for compliance
      Safety and ergonomics
      Intellectual Property
      Detailed control objective PO8.4, Privacy, intellectual property and data flow:
      Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organization.
    4. AUDIT WORK:
      Ensure that data being transmitted across state and international borders does not violate local and export laws
      Ensure compliance with privacy regulations
      If encryption is used check if conform with regulations (i.e. length of the key)
      Ensure that sensitive/private information is being afforded appropriate security and privacy protection internally and externally

  • Thank you George, you have helped us

  • You are very welcome.

  • Very Interesting:
    ‘Update: European Data Protection Officials Find Conflicts with Sarbanes-Oxley Employee Hotlines’ Update - European Data Protection - October 20051.pdf
    BE CAREFUL :idea:
    In EU, Data collected and used for Sarbanes Oxley purposes MUST NOT be used for other means that are incompatible with the purposes for which the data was originally obtained

  • Brilliant. I’m writing a thesis on whistleblowers protection in holland and as I am looking for information on the subject of SOx and the european data-protection directive I find this forum. Thanks for the information.
    Am I right to have understood that the problem is, kind of, solved? The American Court of Appeals has ruled tha SOx rules do not apply to foreign whistleblowers working outside the US. across the ocean the ‘group article 29 (EU 95/46)’ has advised in the matter and concluded that (national) legal obligations may breach the data-protection directive. If the obligation for a whistleblowers procedure comes from overseas, it may still be allowed, as long as it is proportionally right.
    Is this the end of it?
    Diederik Diercks

Log in to reply