An American, the UK Data Protection Act, Petroleum Geo-Services (PGS) and the Tyranny of “Accurate Data”
A traitor is everyone who does not agree with me. George III (The last American King)
Until lions have their historians, tales of the hunt shall always glorify the hunters. African Proverb
Each of our personal histories is contained within firm or electronic data stored in the records from the many transactions and accountings that take place each day. The United Kingdom (UK) Data Protection Act 1998 (DPA) is considered a complicated piece of legislation adopted from and based on the European Union (EU) Directive. The DPA provides the essential guidance for the processing of personal subject data which can include data collection and storage, as well as everything in between. Those involved with the processing of personal subject data are called data controllers. Data controllers are required to process personal subject data consistent with the eight principles. The Information Commissioner’s Office (ICO) oversees DPA compliance. As a U.S. citizen who worked for the same company overseas for over 14 years at different locations, my personal data had been strewn out over the globe. I worked in England for 36 months on a Tier 2 visa, eligible through the Shortage Occupation List where companies must specifically require and request foreign expertise where there are no resident eligible candidates. I left England at the end of 2013 shortly after having our family visas renewed. Therefore, DPA applies to my personal data processed in the UK. The sixth principle of the DPA gives rights to the individual in respect of personal data the organization holds about them. Toward the end of 2014, I learned more about DPA and submitted a subject access request (SAR) to my former employer to find out what data was being held about me. I am not a lawyer or solicitor. I have referenced online information and communications carried out through the process. Herein is a chronicle of my journey of discovery about how my personal data was processed and how the DPA principles are realized in practice, and especially in this case, for a U.S. citizen.
The UK Data Protection Act 1998 Principles
Subject data must be:
- Fairly and lawfully processed;
- Processed only for limited purposes;
- Adequate, relevant and not excessive for the above purposes;
- Accurate and up to date;
- Not kept for longer than is necessary for the above purposes;
- Processed in line with the rights of the data subject;
- Kept secure;
- Not transferred to other countries outside the European Enterprise Area (EEA) without adequate protection.
A Data Subject’s Journey of Discovery
The DPA and EU Directive considerations are becoming a more important issue as multinational companies occupy and employ individuals from around the globe. Personal data is information about any identified or identifiable natural person, known as a data subject. The DPA specifically prohibits sending subject data to any country without an appropriate level of protection. By DPA and EU Directive standards, the US does not have the required adequate standard. Data Controllers are companies holding personal personnel information. Employers are data controllers. Many US-based human resource departments have been surprised to learn that the DPA and EU Directive apply to their internal and confidential personnel information. Even intra-company human resource electronic and firm data transfers are affected by the DPA and EU Directive. Data transfers outside EEA (European Enterprise Area) raise a real risk that personal data offshore becomes susceptible to abuse. EEA-based data controllers or data processors who share personal subject data with their American companies, even their US-based affiliates, do so in violation of the eighth principle. Information received through EEA-based companies about a data subject by an American company is gossip and unauthorized. Neither the information nor the data processor should be regarded as credible as there is a violation of the eighth principle, unless DPA provisions are satisfied.
Data controller records should be organized, factual, and comprehensive in a way that can aid in decision making. Facts are different than opinions. Often, facts are blended with opinion. The fourth data protection principle states that data shall be accurate and, where necessary, kept up to date. The definition of accuracy is the quality or state of being correct or precise. This sounds straightforward to check. But, as the ICO website tells us, the law recognizes that it may not be practical to double-check the accuracy of every item of personal data received through an SAR. This provision provides significant latitude to data controllers and can be abused. The fourth principle allows data subjects to challenge data controllers to revise or remove data held about them. Data subjects can first make this request with the data controller. If the data controller does not agree with the request then the request can be made through the court system. A successful claim depends on convincing the court that your settlement demand is appropriate for any damages suffered. This requires that a data subject must be able to prove that there were damages in order to prevail in court. In court, a data subject has to prove such damages by a preponderance of the evidence. If the data subject cannot get over that legal burden of proof, they will likely lose the case. The DPA stipulates that data needs to be accurate, while the court system focuses on data causing damages to be removed or revised.
Trust, but verify. Ronald Reagan
Data controllers are not held to a standard that requires authentication and verification of the subject data that is being processed. This brings into question whether data controller subject data can ever be assumed to be accurate at all unless it is verified. If data cannot be authenticated at the compliance stage by ICO, then the fourth principle can be (and is) easily bypassed because the issue is not accuracy itself, but the damages from inaccuracy. Fiction can easily replace fact when data subjects need to bear the burden of time and court expenses to challenge and change inaccurate data. This is a significant shortcoming of ICO enforcement in my opinion. When one thinks about this, there are very few business transactions that do not require some standard of verification. When purchases are made, buyers are provided receipts, most contracts must be signed before they are executed, HR departments most often require assessments or course completions to be affirmed, and quality management or safety audits generally require verification. In fact, I have been involved with long contracts where each page had to be signed and numbered by hand to ensure that no items would be added or removed from the final contract document. At these stages of acceptance, loss or damage is not the primary consideration of the business transaction. Authentication and verification are of critical importance. However, there is no such compulsory data authentication and verification standard for processed subject data prescribed by ICO to accompany the UK Data Protection Act 1998.
It is my experience that data controllers can intentionally violate the fourth principle with the understanding that there is little probability of financial sanction because the court process is prohibitively expensive and time consuming for data subjects (especially those from overseas). Certain data controllers want to stand firm on the inaccurate data that they process to the angst of the data subject who may rightly believe their data is being manipulated to influence third parties. At the very least, these data controllers want to project power and control over the subject’s narrative to potential employers. Otherwise, what is the point of the processing? But, truth is a great equalizer. Revealing these intentional inaccuracies also puts light on unscrupulous data controllers. Such data controllers intentionally search for loopholes in complying with the DPA. However, how data controllers choose to process subject data really demonstrates the data controller’s values and business practices to potential customers, employees, and shareholders. Therefore, it is important to a wider spectrum of individuals beyond the data subject how personal data is processed.
Most data controllers are inclined to process subject data reasonably. It would not be fair to suggest that how my personal data was processed is common or reflective of normal business practices. For this reason, I believe it is imperative that the data controller and processors involved with my personal data be specifically identified. My employer was PGS Exploration UK Limited, which is an affiliate of the Norwegian company, Petroleum Geo-Services. For the record, Norway adheres to their version of the EU Directive which is similar to the DPA, the Personal Data Act. In my daily work in England, I interacted and communicated with the main office in Norway frequently. I was employed as a Contract Sales Supervisor for the Marine Contract division, Africa region. My boss in England was Edward Von Abendorff, VP Marine Contract Sales Africa. His boss is Simon Cather, Regional President for Africa. The main processor for my SAR was David Nicholson, Human Resource Manager. I also communicated with individuals based in Norway: Per Arild Reksnes, Executive Vice President of Marine Contract, Terje Bjølseth, Senior Vice President of Human Resources, and John Greenway, Senior Vice President, Marine Contract with respect to my processed data.
PGS Core Values
PGS is built on a value set that provides the foundation for all our goals, policies and actions. These offer clear guidelines on how we expect everyone at PGS to interact with their colleagues, suppliers, customers and the people we encounter in our day-to-day work.
- We care for our employees, our environment, our customers’ success
- We are leaders in HSEQ
- We work as a team to get the best results
- We act in the best interest of PGS
The very ink with which all history is written is merely fluid prejudice. Mark Twain
The events that will be described occurred after the employer – employee relationship ended. The specifics of the prior business communications and data of course are off limits and really are not too important. It should be noted that PGS complied with the SAR to ICO’s standard. ICO determined that there was not a basis for a more thorough investigation. Nonetheless, all of the information that I will share about the data processing is corroborated directly by the data and communications which I received through my SAR process. Most of the data that I received through the SAR process is not controversial. The discovered data which I did request be removed from my personal records had never been received nor authenticated while I was an employee. As a data subject who perused the data with the personal knowledge of events, the question that I had for ICO was how it was possible that one’s personnel file was allowed to have many inaccurate and unverified documents. I was told, but it did not really sink in until recently, that ICO does not authenticate processed data. Data controllers have great license with regard to what personal subject data they process and how. My view is that turnabout is fair play. If data controllers can retain highly controversial unauthenticated files in personal records, then as a data subject I will relate how my data was processed by the data controller and why I thought it should be removed.
Prominent in the front of my personnel file is a memo addressed to my attention and signed by Per Arild Reksnes, Executive Vice President of Marine Contract (at the time) and Terje Bjølseth, Senior Vice President of Human Resources. The memo proclaims a conclusion to a process. However, it had actually been determined that another avenue would be pursued. There was no conclusion of the process to my understanding. I do recall the meeting and waiting for a meeting summary along with my colleague who accompanied me. But, this was never received by me or my colleague while I was still employed. The memo is actually dated for the day when the decision to pursue another avenue was made. I received a copy of the memo, unsigned by me, with my SAR documents. I would not have signed or accepted the memo because, among other things, it referenced a meeting which never occurred and of which there is no record, as well as a letter which I never wrote. The meeting date matched other documentation, but that referenced meeting had actually been postponed to a later different date which the signers should have known. As for the letter written by me, I requested a copy just in case I had forgotten something. But, this was not provided with my SAR contents and I am quite sure that I never wrote any letter. The memo was copied to Simon Cather, Regional President for Africa, who did not attend the meeting. However, no copy of the memo was addressed to my work colleague who had attended the meeting with me. David Nicholson, Human Resources Manager, managed and processed my personnel file data. He also did not attend the meeting. I requested that this document be removed from my personnel record. This request was denied.
Most striking, however, were the minutes of a meeting that really defined all other events that followed and the other unauthenticated documents that are now part of my personnel file record. I had been called to a meeting with very short notice. I remember this clearly and had communicated this fact by e-mail to Edward Von Abendorff, VP Marine Contract Sales Africa, Simon Cather, Regional President for Africa, Per Arild Reksnes, Terje Bjølseth, John Greenway, Senior Vice President, Marine Contract, and again to David Nicholson, Human Resources Manager. I had requested minutes from this meeting and clarifications from David Nicholson directly following the meeting. However, these minutes were never provided to me. I was told in another e-mail from David Nicholson that the meeting was off the record and no minutes were distributed. In lieu of these requested minutes a different summary letter was written that had left out several key aspects discussed during the meeting which I addressed in a different communication. (This communication asking for clarifications is not included with my personnel file. I requested that it should be. This request was denied.) I was very surprised when I received the documents from my SAR and saw the inclusion of the meeting minutes which had been denied to me. The minutes indicated that the meeting had been scheduled, which was not true. In addition to the copy of my personnel file, the SAR also provided other e-mail communications. One such communication was an e-mail sent from David Nicholson to other meeting attendees (Edward Von Abendorff and Simon Cather). In the e-mail David Nicholson had indicated alarm that I had requested the meeting minutes and assured the other attendees that they would be sent the minutes, but none would be sent to me. A version of the minutes appears in my personnel file in transcript form (there was no recording). From my memory, statements have been omitted or embellished.
Of course, that is why it is standard business practice to share minutes with meeting participants to verify contents. The meeting minutes of course were never delivered or the contents accepted and authenticated by me. I requested that these minutes, which had been withheld from me for authentication, be removed from my personnel file records. This request was denied.
I only requested the removal of unauthenticated documents which I had not seen before during my employment. The unauthenticated documents spanned the last six months of a career of over fourteen years and had been altered or embellished to form an inaccurate account of my work with PGS. These included shorter one-on-one meetings with the Human Resources Manager clarifying certain issues annotated by him but not shared. However, I always voiced an interest in receiving summaries of meetings if they were available. This fact is actually highlighted. My interest in having things written down was more for my personal review and clarity, not so that notes about me would be retained without my knowledge. (I thought David Nicholson would understand this.) One of the meeting summaries was for a meeting that I was neither invited to nor attended. I am not sure what exactly the intention of such a meeting held behind my back is when my office is next door or across twenty feet from those who attended. I was most likely available for direct discussion. Again, there is no way to confirm that any such meetings even happened much less verify what was discussed. It does however show the work culture and communication fabric that constituted my normal working day.
I was also surprised that certain documents seemed to have been removed or omitted from my personnel file. I had expected to find a report prepared by a contracted professional which had been requested by my boss and the HR Manager. However, when I received my SAR contents there was no mention of this expected report in my file. I was told several times by the HR Manager that no report had been produced. It is my understanding that ICO received a similar response. I think that HR was hoping to discover some fact to exploit. But, since nothing of significance was determined the requested report was no longer interesting and retained. However, I was able to receive a copy of the report through a separate SAR and discovered that a follow-up review which was not aligned to HR’s interests had been recommended. I also saw that the report was prepared as requested and addressed to the attention of the HR Manager, David Nicholson.
The SAR is supposed to let data subjects know who has had access to their personal data. Another surprise was to learn that a data processor in Houston had had access to my personal data. This would be a violation of the eighth principle. The data processor is a UK resident working in the US. Apparently, if the data processor is an employee of the UK entity even though they are physically in the US, there is no violation. However, as with data authentication, ICO does not verify the agency of the data processor and whether or not there was a violation of the eighth principle. I did not know that UK workers could legally work in the US as a UK agent. Even though there have been multiple intentional manipulations of my personal data, I nevertheless needed to accept the ICO conclusion that only authorized UK data processors have been involved with my data. I was concerned that a Houston based employee with incorrect data could potentially present the risk that personal information would be shared with US based third parties or potential employers.
From my point of view, it seems clear that there has been an exceptional effort to process my personal data both inaccurately and unfairly in contradiction to the DPA principles. This is obviously an opinion. The DPA assumes that the data controller has the intention to process data accurately and in the same way that they would process any normal business documentation (which could very well still be true), when in fact data controllers can instead process works of fiction with virtual impunity. Just as TV movies that may be based on actual events but are far from true, data controllers can write or say just about anything that they want if they have an ax to grind. Which I think is the case here. Any effort to parse out the accurate data would likely be prolonged and difficult. The ICO limitations in enforcing compliance of DPA principles on data controllers through not authenticating data do not provide too much confidence or security about one’s personal data, in my view. How a business processes personal data is determined to a large extent by the personal interests and integrity of the data processors themselves. “Accurate data” is determined by what the organization wishes the “facts” to be and not what they actually are. It is not only the prerogative of the business to selectively include or omit factual information, data controllers can construct narratives of past employees out of whole cloth. This is what data controllers can do, but is this what they should do? The DPA principles really operate on an honor system. Compliance should be a measure of business integrity, not really a list of items that can be gamed and manipulated.
I never did give anybody hell. I just told the truth and they thought it was hell. Harry S. Truman
The past eighteen months since I left PGS have been a challenging time in the marine seismic industry, especially for proprietary contract work. It has also been a challenging time for me and my family constrained by the uncertainty of how your former employer of the past fourteen years processed your personal data and what gossip was being shared. Has it really been prudent to have top Marine Contract executives injecting themselves and manipulating the personnel data of a former employee during this time? Are the system and values so weak and executives so insecure and fearful that they feel the need to be this petty and jeopardize the reputation and operations of the company because a former employee hurt their feelings by speaking the truth? Jon Erik Reinhardsen, President and CEO of PGS, usually highlights PGS core values during his quarterly presentations. I imagine that he will do so again for the upcoming Q2 2015 presentation. Maybe he will also need to explain to Johan H. Andresen and all the other shareholders, customers, and employees how his team really plays ball during times of challenge and uncertainty.
I am not a multinational company, but I have been around the block and around the world. I understand the challenges faced in this climate. I cannot accept my narrative being defined through the tyranny of self-impressed psychopaths. I want control of my narrative. I know what I have done for the past fourteen years and before. For most data subjects the issue is data accuracy, not damages that meet some subjective legal definition. Falsification is damaging, plain and simple. It is clear to me that values and performance are interpreted much differently. This is why any relationship ends and mature people move on. However, this is difficult to do when those on the other side of the relationship team up and work in the shadows like vampires scared of the light of day. Instead, they chose to maintain secret files avoiding confrontation that would require them to defend their objectives and actions. The Founding Fathers of the U.S. were endowed with the courage to challenge tyranny because while they feared the abuse of power, they feared the submission to it even more. I call on their spirit. I am American, and this is MY Independence Day.
Do you want to know who you are? Don’t ask. Act! Action will delineate and define you. Thomas Jefferson