Employment form

  • Andy128
    Major General

    • Dec 2005
    • 2317

    #16
    Re: Employment form

    Karen-

    Well- we're going to have to simply disagree on this one.

    Yes- HIPAA does extend to vendors inasmuch as how they handle, and disseminate "patient" personal and health information. What she is gathering is nowhere near "patient" information and at this point has nothing to do whatsoever with any prison "patient".

    I still maintain that HIPAA pertains to "patient" personal and health related information. It does not reach as far as a pre-employment process.

    As to the list of other resources that you gave- I looked each one up. Not one regulates or stipulates "encryption" of gathered personal information over the internet. They speak to the regulation of purchasing and sale of personal info (like mailing lists) or in the case of the Wireless 411 Privacy Act where it prohibits cell phone companies from giving out or publishing your cell phone number without consent first. Or in the case of the Online Privacy Protection Act in California. This simply states that a website must post its privacy policy on its website.

    One day I hope that there is a standard for data gathering and transfer.

    For now it is left up to self policing and companies often put in place policies and procedures to help limit their liability in the event sensitive info is intercepted or stolen. These companies often require encryption and proof of secure storage and often lists of personnel who have access to such info. But that is on the company side and not by law as yet.

    Bottom line of which we both agree on- gathering personal information via a form should be done in a secure manner to protect it from being intercepted or stolen.

    Andy
    PHP- is a blast!


    • kathrynm
      Private First Class

      • Oct 2007
      • 5

      #17
      Re: Employment form

      Well, I have read all the points of view. I want you to realize that we presently have a pdf file on the site to gather this information. We felt that the form would be an easier way to have the potential employee communicate with us. Let's say they don't have a fax machine. The fact that we have the ability to produce this form on our sites is fantastic. I wonder what's the difference with our contact us form versus this employment application form. I realize that this form has much more personal information, but the contact forms out there gather up a lot of personal information as well. Naval, I think you have a challenge ahead regarding this. As for now, we will look into the SSL certificate and decide if this is in compliance with state and federal laws. Until then we will only offer the pdf file method.
      Again thank you, and I look forward to any more points of view here.
      Kathryn


      • Vasili
        Moderator

        • Mar 2006
        • 14683

        #18
        Re: Employment form

        Originally posted by kathrynm
        As for now, we will look into the SSL certificate and decide if this is in compliance with state and federal laws. Until then we will only offer the pdf file method. Again thank you, and I look forward to any more points of view here. Kathryn

        The technology exists to safely and securely transmit personal data via email as General Naval mentions (without the use of an SSL even), and is permissible as long as you act in compliance with the Federal provisions regarding the handling of personal information (Privacy Act of 1988) and verification of identity (methods, personal certifiability :: Patriot Act sec. 326).

        Both of these Acts require even private sector businesses to have a detailed written Policy that complies with these two (and additional) specific laws, and to appoint a Compliance Officer who is made responsible for proper implementation and monitoring of the compliance. There is no gray area --- all businesses must comply, and the processes are in black and white.

        The issues mentioned here were regarding:

        1) Technology : The technology exists and performs exactly as Naval describes (there is no need to overcomplicate things), and things like SSL and burdensome add-ons are not necessary to utilize available technology if paired with compliant procedures.

        2) Practice: Despite the recitation of various laws and Acts inappropriately, the fact remains that there are indeed compliance issues all businesses must address specifically as mentioned above. (ICANN has no bearing on this discussion, nor do Healthcare stipulations.) It is all a matter of procedure --- the weakest link in the whole chain is the handling of data once un-encrypted (delivered) and how it is distributed, stored, used, and archived. Karen's recollections only point out the very real challenge all Compliance Officers must contend with.

        Naval is correct in suggesting a simple encryption utility as he described, which must be supported by a cognizant Compliance Policy as mentioned above to assure proper processing of information according to current law.
        The performance of those duties is what is being confused as stipulation, and should be paid attention to and presented to Users, clients, applicants, and associates accordingly.

        It is obvious that many well-intentioned suggestions may lead to improper business practices if the business person does not do their due diligence to understand the requirements, laws, regulations, and best business practices that they uniquely face. Resources to search for issues and topics of law include US Small Business Administration, OSHA, US Chamber of Commerce, US Commercial Code, Patriot Act, Privacy Act of 1988, COPPA, CAN-SPAM Act, and other State or local administrations.
        . VodaWebs....Luxury Group
        * Success Is Potential Realized *


        • Andy128
          Major General

          • Dec 2005
          • 2317

          #19
          Re: Employment form

          Vasili,
          The Privacy Act of 1988 you cited, from what I can gather, pertains to Australia. And having looked at the Patriot Act- I cannot find the section that pertains to the collection of pre-employment information via a form on the internet.

          Yes- there are laws that pertain to what the company can do and cannot do with the information -once in their possession. But the crux of this debate began with the form, its content and the avenue by which it is transmitted back to the company.

          Not trying to beat a dead horse, but there is an instance here that this form violates some law and no one has specified that law- chapter and verse yet.

          Your BV friend-

          Andy
          PHP- is a blast!


          • Vasili
            Moderator

            • Mar 2006
            • 14683

            #20
            Re: Employment form

            Originally posted by Andy128
            Vasili,
            The Privacy Act of 1988 you cited, from what I can gather, pertains to Australia. And having looked at the Patriot Act- I cannot find the section that pertains to the collection of pre-employment information via a form on the internet.

            Yes- there are laws that pertain to what the company can do and cannot do with the information -once in their possession. But the crux of this debate began with the form, its content and the avenue by which it is transmitted back to the company.

            Not trying to beat a dead horse, but there is an instance here that this form violates some law and no one has specified that law- chapter and verse yet.

            Your BV friend-

            Andy

            No, it does not.
            Our Privacy Acts govern yet today (google to prove it....same base law with amendments out the yin-yang), and the introduction to the Patriot Act specifically mentions the instructions for private sector to adopt and implement provisions as detailed which were originally penned for financial institutions and DOJ procedures (premise to enforce).

            With regard to what you perceive as a violation of some sort regarding Employment Applications (this is US Labor Law, and State Code), there is none, other than possible unenforceability of verification of identity.....all acts require physical submission of valid ID to certify genuineness of the information being submitted (this is a procedural issue, for to be personally certifiable, it is understood that it must be done in person, and that the ID can be evaluated or "proved".....taking a full-blown app online is not recommended by me whatsoever, as there are too many areas of personal liability left open).

            For comparable addressing of this issue, examine the processes, technologies, and even the disclaimers during an online credit application procedural form.....it may indeed be a secure site (SSL), most definitely involves encryption (gateway, scripting), and deals with the same type of information as would be at issue in an Employment App, correct?? The same applies to whatever personal information is collected or communicated online, and is really only a matter of degree of protection employed to minimize degrees of risk to both parties.

            You need to realize that Federal Laws are purposely written rather general and sometimes vague so that the burden of implementation is not confined: they want you to adopt and adapt according to your particular operational structure.

            A good example is OSHA and how the Materials Safety Act morphed into a "Safety & Environmental Management Program" ..... now it is required by all businesses (under additional State auspices) not just for those who handle hazardous materials, and it covers everything from those materials to Fire Drill, emotional trauma, etc.

            I disagree with your statement about the original topic of the thread ("musings" aside, I clearly see the issues): I see that there was a discussion about personal feelings regarding how information is processed (with inappropriate citations of Policy) and total confrontation of available technology. That is why I broke it down the way I did, and gave examples of precedence. Usually, each State expands the provisions and under different agencies.....everything from The Fair Credit Reporting Act (which also stipulates Privacy, ID, and collections issues, and which also apply to more than financial institutions or "banks") to the US Commercial Code have specific methods of implementation and enforcement detailed. THAT is why I mentioned the resources for each to discover their own applications development.

            I am not a lawyer, and I do not make this stuff up......nor am I willing to do what I consider "other people's work" for them, believing that most learn best by doing for themselves.
            I know how much effort it has been to create, compile, implement, and maintain Policies for each of my businesses, and how each industry poses its own challenges. And, unfortunately, I am also aware of how many people in business have no clue as to how they are supposed to operate....

            BUT....it does seem that I offered an incorrect link: (try these) The Privacy Act of 1974 (Amended) and Dept. Homeland Security The Privacy Office
            . VodaWebs....Luxury Group
            * Success Is Potential Realized *


            • Vasili
              Moderator

              • Mar 2006
              • 14683

              #21
              Re: Employment form

              >> LOL >> And, another starting point for the long-read of the week: http://www.ibls.com/internet_law_news_portal_region.aspx?s=United%20States&id=1&t=Online+Security
              . VodaWebs....Luxury Group
              * Success Is Potential Realized *
