Managing privacy risks when conducting due diligence
The source of much modern privacy legislation can be traced to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which were issued in 1980. Rather than seeking to protect personal privacy itself, the guidelines had the specific aim of removing any barriers to the flow of information. They were an attempt to balance the legitimate rights of individuals against the benefits of the free flow of information. The guidelines were released around the same time as the first large-scale databases and data networks and were remarkably prescient in their understanding of the challenges which were to come.
One of the main points made at the time the OECD guidelines were issued was the change from a desire for privacy in its traditional sense of being left alone to one of protection, where data was no longer private but instead required protection in the hands of others. This distinction has been carried on in the naming of much of the legislation which relates to privacy as “data protection”.
Even today, the term “privacy” is understood by a wide variety of meanings. In a Pew Research survey, when respondents were asked who they needed to protect their data from, criminals were considered the highest risk (33 percent), followed by advertisers (28 percent), whilst risks of intrusion by governments or law enforcement were only considered important by a small number of respondents (five percent).
There is also a wide divergence in the types of information which are considered private. In a similar survey conducted by the European Commission, “Attitudes on Data Protection and Electronic Identity in the European Union”, most respondents considered financial, medical and identification (passport or other formal photo identification) information to be personal, whereas less than half considered their work history to be personal. That said, in the Pew survey it was clear that respondents already knew that there was a large volume of personal information in the public domain, as 50 percent thought that their birth date would be available online and one-fifth knew their political affiliation was available online.
In many cases, though, the sense of importance of a type of data depends on the use of that data, so a person’s name and address used for direct marketing might be annoying, but the same information used to blacklist union members would lead to significant detriment to the subject’s life.
What does the law say?
The approach of most countries when drafting privacy legislation has been to broadly follow the original OECD guidance. In Europe this was implemented in the European Commission’s 1995 directive (Directive 95/46/EC), which set out a series of principles to be applied (although the wording is dependent on each country). These include that data:
- is obtained fairly and lawfully and with the knowledge or consent of the subject – in addition to this principle, there are specific rules for the collection of sensitive data (about racial or ethnic origins, political opinions, religious beliefs, trade union membership, health or sex) which will generally require a more explicit form of consent
- is collected for specified and legitimate purposes so that you know what the collector is going to do with your data
- is adequate, relevant and not excessive so that only the amount of data necessary for the legitimate purpose is collected
- remains accurate and is kept up to date so that you are not subject to decisions made with obsolete information
- is processed for the purpose specified and kept for no longer than necessary
- is kept secure
- is not transferred without safeguards.
One of the most significant rights that the legislation provides is a right of subjects to access information held about them.
These principles are currently being debated in Europe, with a new version of the directive likely to be in force by 2015. Some of the controversial principles included in this new version are the right to be forgotten (to delete previously-held data) and requirements for more explicit consent.
Competing rights and obligations
In the European Convention on Human Rights, which provides the fundamental rights to privacy in Europe, there are some fundamental rights which overlap, such as the right to conduct a business, the right to freedom of expression in journalistic endeavours, rights to intellectual property and rights to access documents of the European Union. Each of these rights may be fundamental but may also need to be weighed in context with privacy obligations.
For businesses operating in the European Union there are also several competing legislative and regulatory obligations, such as anti-bribery legislation, sanctions and export control legislation, anti-trust, anti-money laundering and terrorist financing. Each piece of legislation is designed to meet a specific objective, but they all involve companies holding information about partners, competitors or customers. In addition, there are often contractual and confidentiality obligations to other parties which relate to private information about their staff and customers.
For governments, as well as championing the privacy rights of their citizens, there are also several competing drivers which cause them to carve out exceptions for themselves. These include parliamentary privilege and national economic and national security interests, which (arguably) require the storage and analysis of large volumes of private data to allow threats to be identified and managed. This security issue covers securing the nation by storing data about its citizens (which is generally a specific exception to privacy legislation) and capturing personal information about foreign citizens (i.e. spying), which is often illegal for more reasons than privacy.
The other reason why governments are seeking to hold more personal information on their citizens is to manage their services, either by using “big data” methods to identify and target those who most need their help, or to identify fraud or tax avoidance. It was interesting to note that the use of the so-called “Lagarde list” of bank accounts stolen from HSBC in Geneva and passed to various tax authorities did not consider the privacy of the subjects to outweigh the potential use of the information in criminal investigations.
These competing rights and obligations are better and clearly highlighted in The General Data Protection Regulation 2016/679 (GDPR) which came into effect in May 2018 and replaced the Data Protection Directive.
Steps for balancing privacy and due diligence
So, what do these competing obligations mean for the process of performing due diligence on a partner or customer?
Fortunately, most of the principles are entirely compatible with an ethical compliance programme and can be incorporated without impact on the quality of the diligence exercise. To enable this, here are the main steps you need to consider.
1. Have a policy
2. Get consent whenever possible
Where due diligence is performed as part of a partner on-boarding or hiring process, consent can generally be easily obtained, and in those cases it should be. However, even in cases of obvious consent, care needs to be given to ensure that the correct person gives consent and the right questions are asked. Issues can arise regarding whether a company can give consent on another’s behalf, or whether consent can be given at all (in the case of criminal histories in some countries).
There are some forms of due diligence where consent is either not possible or not practicable (such as pre-acquisition, pre-hiring, or when used as background to a sensitive investigation). There is also an exception in most legislations where consent is not needed when the data collection is pursuant to a legal obligation.
It is useful at this point to remember that the process of due diligence is generally to provide an answer to two main questions: “Can I do business with this partner?”, and “Should I do business with them?”.
To answer the first question, there is an obligation to check that the person (who might be an employee or owner of a partner) is not on any government-issued list of sanctioned people. The information contained on these types of lists varies, but usually includes a person’s name and location, and sometimes their date of birth. In order to confirm that someone on a list is the person you are looking for it is therefore necessary to have the same information available from the data subject. At times this won’t be enough to confirm that the person you are interested in is (or is not) a person on a list. In those cases, it is necessary to dig further, regarding both the person you know and the person on the list. This often involves finding more personal information, such as work, education and criminal history (directly or via media searches) or reverse directorship checks in order to confirm identity. For this type of check, there is a strong argument that there is both an obligation to gather the information and that the collection is in the interests of the subject (as you are now able to do business).
It could be argued that some form of due diligence is a requirement of several anti-corruption statutes, whether expressed in the legislation itself or in a guidance. In the United Kingdom, the guidance from the Ministry of Justice (which is like that from the OECD) clearly indicates the need to perform due diligence on third parties – although it doesn’t indicate that any specific data points are necessary. Whether this type of onus gives rise to an enough obligation under the United Kingdom Bribery Act (or elsewhere) remains to be seen. It is also unlikely that an obligation placed on a company by legislation in another jurisdiction would be enough.
3. Draft questionnaires intelligently and efficiently
Where overt due diligence is carried out using a questionnaire you must weigh up whether the potential privacy impact of each question will be worth the value of the response, especially if there is a desire to ask questions which fall into the category of sensitive data. Having a clear rationale for each question and a plan of how to use the responses helps not only with privacy concerns, but also eases the burden on the partner.Collect only information which is available legally
Never seek to gain access to documents which are not legally available in the country you are working (such as bank statements or criminal records). If there is a need for the information, ask the partner directly.
4. Be diligent with your use of private data
Where you have collected data, you have a duty to maintain its accuracy and to use it conscientiously. This is especially true if you have automated any decision-making processes based on the data collected. Even in cases where you have a manual process it is important to make sure that staff that make decisions based on private data are properly trained to make those decisions. A common example is where a partner is excluded because a name is found on a sanctions list, but a proper false-positive check was not carried out to ensure that the individual was correctly identified.
5. Understand the sources of your due diligence research
As mentioned above, the second rationale for due diligence is the desire to understand whether you should be doing business with the person. For this purpose, the research into a person’s reputation tends to be far wider in scope than just matching to a name on a list. The primary source of information on someone’s reputation is the media, although in some cases this can be augmented with government records (such as bankruptcy, litigation or criminal records) or via the opinions of peers.
When considering the use of the media it is important to remember that the purpose of a reputational due diligence programme is to gather information rather than to ascertain any black and white objective truth. In this context the fact that there has been an allegation of wrongdoing or a report of an indictment or conviction from a media source is as relevant as an actual wrongdoing in that it raises questions which can be dealt with by further investigation. The publishing of a story in the media is generally protected by freedom of expression (and regulated by the laws of contempt) so a due diligence report merely indicates the existence of the story rather than asserting its truth. Similarly, for the reporting of criminal trials where the court has not chosen to anonymise the trial, in most countries the names of the participants are on the public record (although in France, in the case of the website Lexeek.com, the privacy regulator issued fines for failing to remove names from published court reports).
The other main source for information about a person’s reputation is the opinions of their peers or customers. Whilst there is no privacy concern with asking opinions, issues may arise if the person who has provided the opinion has an expectation of confidentiality, since their view would be documented and provided to a data subject if requested (although their name may be subject to its own privacy constraints and would probably not be documented).
6. Keep the data secure
Once the data is in your control it remains your responsibility, regardless of whether you store and process it yourself or not. You must ensure that any partners (or any sub-contractors they use) who process the data on your behalf maintain the same reasonable standards of security that you would have for yourself.
7. Understand where your data resides
If working with a partner who is in a location outside the European Union or a safe harbour site in the United States extra care must be taken to guarantee a sufficient level of security. You will also need to be aware of any subsequent cross-border movements of the data.
8. Include due diligence reports in your record retention policy
There are often questions relating to what a reasonable time to retain the data is, but this can usually be managed as part of an overall records retention policy. Given that a due diligence report (and any decisions and actions taken subsequent to it) is a key piece of evidence in the event of future problems and that many issues take a very long time to surface and be properly investigated, there is a good argument that information collected as part of a due diligence programme should be retained for as long as the relationship with the partner remains (subject to regular updates to ensure accuracy).
9. Plan for subject access requests
There can be issues relating to responses to requests for data, as the data you hold should include all the research and analysis information plus any decisions which have been made about the person. Ensuring that decisions are clearly documented and able to withstand external scrutiny is vital. It is also advisable where possible to separate decisions made about people (which might be subject to access requests) from those about entities (which are not).
Privacy can pose a challenge for corporations who aim to comply with all the obligations placed on them. The key point to remember when considering the privacy aspects of your due diligence programme is that the requirements of privacy legislation can be incorporated into most programmes, and in many cases are helpful to those programmes. In the rare case where getting the information you need impacts a subject’s privacy rights you can either take a pragmatic approach in deciding which laws apply or build a process which accepts greater risks in those jurisdictions with a strong stance on privacy.