Petroleum Geo-Services ASA (PGS), Daphne Bjerke, GlobalData Protection Officer, Joins Relay Race from Data Accuracy
There’s a lot in the GDPR you’ll recognize from the current law, but make no mistake, this one’s a game changer for everyone. ~ Elizabeth Denham, UK Information Commissioner
A false document is often promoted in conjunction with a criminal enterprise, such as fraud or a confidence game. ~ Wikipedia, False Document
The General Data Protection Regulation (GDPR) came into full effect 25 May 2018. In the UK, the GDPR supersedes the DPA provisions and establishes consistent guidelines that European Union (EU) personal data controllers and personal data processors must abide by in processing personal data. A personal data controller determines the purposes and means of processing personal data, whereas a personal data processor is responsible for processing personal data on behalf of a controller. What constitutes personal data processing? According to the European Commission, processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. GDPR compliance will be managed through a country’s Supervisory Authority (SA). In the UK, the SA is Information Commissioner’s Office (ICO), and for Norway the SA is Datatilsynet. Fundamentally, however, GDPR is about protecting the integrity and privacy of personal subject data. There are six (6) guiding GDPR personal data processing privacy principles that data controllers need to adhere to:
Within the European Union (EU) Charter, data protection and privacy are fundamental personal freedoms. The United States (US) has a number of regulations in place for data protection. However, there are essential differences between the way data protection is viewed in the EU and US. The US is more concerned with integrity of data as a commercial asset, while EU data protection has firmly placed individual rights above the interest of businesses. Therefore, under DPA personal data transfers outside the EU were only allowed if data controllers could ensure an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data. Under GDPR, businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. From this vantage point, human resources (HR) personal data becomes some of the most high risk personal data that organizations will process. For one thing, each EU country has its own labor laws that regulate when and how employee data can be processed. For instance, such national laws set forth record retention requirements for specific types of HR data. Unlike processing consumer business to business (B2B) customer data, processing HR data involves special data, such as nationality and ethnic origin information, trade union membership records, medical information, and criminal history data.
Under GDPR, employers may collect and process employee data only if they are able to demonstrate, that the processing of the data is necessary under another legal basis, such as to: (a) perform the employment contract, (b) comply with legal obligations, and/or (c) further a legitimate interest of the employer. Employers are required to designate a data protection officer (DPO), as a result of processing HR data, if its core activities involve regular and systematic large scale monitoring and processing of sensitive or special subject data. Further to this, employers must conduct data protection impact assessments (DPIA) for many HR data processing functions where data processing is likely to result in a high risk to the rights of data subjects. A DPIA must be performed when any two of the following factors are present: (1) use of automated decision-making with legal or significant effect, (2) evaluation or scoring of data subjects including evaluation of work performance, (3) systematic monitoring, (4) processing sensitive data, (5) processing data on a large scale, (6) processing data of vulnerable subjects, (7) transferring data outside of the EU, (8) engaging in an innovative use or application of technological solutions, or (9) engaging in processing that prevents a data subject from exercising a right. Employees are regarded as “vulnerable subjects” and, therefore, processing employee data that involves evaluating work performance, monitoring of employees, sensitive data, and transfers of HR data outside of the EU will meet the two factor requirement, triggering the obligation to perform a DPIA for such processing.
Daphne Bjerke is the Global Data Protection Officer for Norway based marine geophysical service company Petroleum Geo-Services ASA (PGS). Recently, I submitted a data request to Bjerke, citing the new regulation provisions. Also, PGS has recently undergone restructuring that has omitted the Marine Contract division which I once worked in. The integrity of PGS global personal data processing compliance and integrity is now principally Bjerke’s responsibility. The initial response from Bjerke was reiterated by PGS Exploration (UK) Limited (PGSUK) new Head of Legal, John Francas Francas has replaced former PGSUK Head of Legal and Company Secretary, Carl Richards, who resigned 25-May-2018, the date when GDPR came into full effect. I was informed that my data request may take up to 90-days to complete, instead of the prescribed 30-days. What is disconcerting is that Francas has already perpetuated the irresponsible and damaging behaviors (to the data subject) of his predecessor, and PGSUK Company directors: Rune Olav Pedersen, PGS CEO and President; Gottfred Langseth, CFO and EVP; and Christin Steen-Nilsen, PGS SVP Chief Accountant, as well as form director and PGS CEO and President, Jon Erik Reinhardsen, who have obstructed all efforts to resolve data protection issues brought-up in the past. The legal compliance of data processing practices by data controllers PGS and PGSUK is very clearly the collective responsibility of company directors (and secretary) and should be guided by the law. It is Francas’ responsibility to provide this guidance. It is their collective fiduciary duty to be concerned, and then also to take definitive measures, to correct any transgressions with any individual subject’s personal data. It is not their responsibility to shield directors and executives from their accountabilities.
The truth is not what you want it to be; it is what it is, and you must bend to its power or live a lie. ~ Miyamoto Musashi
If ethics are poor at the top, that behavior is copied down through the organization.~ Robert Noyce
In October 2014, I submitted a subject access request (SAR) to PGS Exploration (UK) Limited (PGSUK), citing the UK Data Protection Act 1998 (DPA). I also submitted another SAR to the Norway based parent company, Petroleum Geo-Services ASA (PGS), citing the Norwegian data protection laws. I am a USA citizen who, along with my dependent family members, was sponsored by PGSUK on a Tier 2 visa to work in England. I was personally involved in preparing the documentation delivered to UK Border Agency for the processing of the Tier 2 visa for myself and family member dependents, and of course all documents needed to be signed by applicants to attests to the accuracy of personal data provided. We all lived in Weybridge, England from 26-Sep-2010 to 24-Dec-2013 during my PGSUK sponsored employment. My employment with PGSUK was terminated through a settlement contract agreement (SCA). SCAs are most often used to terminate employees for poor performance or redundancy. The SCA proffered to me was in response to my submitting a formal workplace grievance citing workplace harassment, gang-bullying (mobbing), misuse of the performance management system, breaches in my employment contract duty of care and duty of mutual trust and confidence common law provisions. My boss, Edward von Abendorff, VP Marine Contract Sales – Africa; his boss, Simon Cather, Marine Contract Regional President – Africa; and HR manager, David Nicholson, were deceitfully promulgating defamatory information intended to destroy my professional reputation and stifle my progress in the marine geophysical industry. My grievance specifically stated that is was a response to defend and correct an unsubstantiated and defamatory letter which was written by Nicholson, as well as slanderous comments that had been made during a meeting which preceded the letter.
To terminate employment by an SCA, one needs to engage a legal advisor, because an SCA is a very legally binding instrument which prohibits any future legal action. The SCA had been proffered to me by *Nicholson a few days before a scheduled grievance hearing to stop the grievance process from commencing. I found it very odd and unsettling that Nicholson, a principal implicated within the grievance document, was even allowed to proffer an initial SCA as a way to stop the grievance process. The grievance document had been delivered during a scheduled 20-Sep-2013 meeting. Besides me, the meeting attendees were Nicholson, Abendorff, as well as my witness and coworker, John Barnard. Copies of the grievance document were e-mailed to meeting attendees, as well as to Terje Bjølseth, PGS SVP Global HR and compliance officer, and Per Arild Reksnes, EVP Marine Contract. Reksnes was the functional superior of Cather. John Greenway, SVP Marine Contract, also was e-mailed a copy. There was never any direct contact with me by the recipients of the grievance document related to the concerns raised in my grievance. I also had never received any help or guidance with regard to the grievance process. Most notably, neither Bjølseth, nor his fellow compliance officer, Rune Olav Pedersen, PGS General Counsel (at the time), ever contacted me. Nicholson, again, was involved in scheduling and coordinating a grievance hearing.
Following Nicholson’s proffering the initial SCA, I investigated my options and contacted Philip Landau and Holly Rushton, with Landau, Zeffertt, and Weir Solicitors (LZW) for legal advice. I discovered Landau through a blog post article which he had written. My desire was to follow the prescribed processes for grievance, because I had read that one would be in a stronger legal position if the issue went through to tribunal. I attended a grievance video conference hearing from England with my witness Barnard, chaired by Bjølseth and Reksnes in Norway. There hadn’t been any sympathy or advice, regarding my grievance, being offered by Bjølseth or Reksnes, following the 20-Sep-2013 grievance delivery. This made the workplace difficult to bear. Also, as a sponsored Tier 2 employee, my options were also limited. (This point was also made within my grievance document.) Landau had received a copy of my grievance document with names redacted. He was also kept aware of how the grievance process was progressing. The stress from the entire situation was affecting my health, and I had visited doctors. LZW persuaded me to pursue an SCA and was eventually entrusted to negotiate SCA terms in my best interests. PGSUK enlisted their own counsel to negotiate the final SCA terms on their behalf, Rhodri Thomas, with Watson, Farley and Williams (WFW). The grievance process was “parked” as the SCA negotiations commenced. WFW had also processed my personal data, relevant to the same time frame, to obtain the Tier 2 visa for myself and dependents. It should be verifiable that the same base legal and accurate data was used for both the visa processing and for the SCA.
Sometimes, in a fictional story, you can be more honest and truthful, actually. As a journalist, you’re a prisoner of the data, in effect. You have to tell the story with evidence you can verify. ~ Peter Landesman
Defamation; is an act of impiety. ~ Kristian Goldmund Aumann, The Seven Deadly Sins
As the SCA negotiations finalized, on 4-Dec-2013, LZW and WFW had both assured me that my personal data being processed by PGS/PGSUK would be true and accurate. However, at no time did LZW ever recommend that I actually view the contents of my personnel file, even though defamation by principals was a central claim within the grievance and an ongoing concern during negotiations. It is why I demanded that a strong non-disparagement clause be included in the SCA. On 5-Dec-2013, following assurances from both LZW and WFW legal advisers that my personal data was true accurate, I signed the SCA. From 5-Dec-2013 until 24-Dec-2013, I remained in Weybridge on garden leave. I was never really satisfied with the final SCA terms, and seriously considered abandoning the SCA and continuing the grievance process into tribunal. However, I also knew that the work environment was taxing my health and well-being. I knew that we – my wife and daughters – needed to leave. The SCA included repatriation costs for me and my family as a reimbursable, which I also did like. I wanted a lump sum and not have to deal with the situation while in the US. Again, PGS/PGSUK was adamant about a reimbursement scheme. (I believe part of this was so PGS/PGSUK agents could keep track of where I was.) This meant that I needed to send moving expense receipts to PGSUK HR (Nicholson) for processing. The reimbursements were paid in the April-May 2014 time frame. What led me to submit the SAR to PGSUK in the first place were the strange encounters and interviews that I had after I arrived in Houston, Texas, January 2014, a city where I had a post box but had not lived since 2001.
I clearly remember the events in 2013 relating to my grievance and subsequent SCA. Legal and compliant processes cannot produce non-compliant and illegal outcomes. Therefore, I have refused to passively accept the false narrative being told through the false records being processed as my personal data. I believe there was illegality. On 3-Jul-2015, I published, An American, the UK Data Protection Act, Petroleum Geo-Services (PGS) and the Tyranny of “Accurate Data”, on LinkedIn™ Pulse. Over the past months and years since, I have written over thirty (30) blog posts sharing e-mails, as well as other verifiable document records, proving that the personal data PGSUK is processing in my name is inaccurate and illegal. For the most part, these blog post articles, which now reside on a personal website, have been a verbose expansion of mostly the same base claims made within the “solution” e-mail appended to my personnel file which was written 5-Dec-2014, a full year after my signing the SCA 5-Dec-2013. When I received the firm contents of my (HR) personnel file in late 2014, I immediately recognized several problems. Employees are expected to sign formal documentation being processed in their employee personnel file to acknowledge that they have received a copy and have reviewed the contents. This is standard practice. Historically, from my over twenty-years as a professional, personal performance assessments or HR documentation had always been validated (signed) by both the employee and the first-line supervisor/assessor as a minimum requirement.
None of the personnel file documents relevant to the SCA have been signed by me, the data subject, or his first line supervisor von Abendorff. The firm HR personnel file documents pertinent to the SCA are mostly the creation and/or are signed by the HR manager, Nicholson. The data subject never reported to Nicholson, and such data would be inadmissible hearsay evidence. The firm HR personnel file records do not correlate with time-stamped e-mail data between pertinent parties, including Nicholson himself, von Abendorff, and legal advisers Landau and Rushton. Most notably, the Memo: Conclusions to Grievance Hearing signed by Bjølseth and Reksnes does not even reference the grievance document presented on 20-Sep-2013. However, the grievance document is referenced within the SCA, as well as the 22-Dec-2014 Nicholson letter. The sent e-mail header which sent the grievance document is addressed and dated. The Memo references a cancelled meeting and a letter never written by me. The witness, Barnard, is not included in the distribution of the Memo purportedly sent to my attention just prior to the SCA negotiations commencing when LZW/Landau was engaged as my legal adviser. However, Cather and Nicholson are included in the distribution. There is no proof of delivery to me, nor has this significant Memo been countersigned by me. (I never received the Memo as dated, 25-Oct-2013.) Further, PGS compliance officers, LZW, and WFW data processors refuse to authenticate the personnel file records, including the Memo. In the law of evidence, authentication is the act of verifying that a document is legally admissible in evidence. PGS compliance officers (Bjølseth and Pedersen), LZW, and WFW cannot demonstrate that the firm HR personnel file documents being processed are legal, which is the first principle of GDPR. So, for what purpose were the firm HR personnel (Bjølseth, Nicholson, Laura Haswell, Anne Stokle, and Gareth Jones) processed if they are not verifiably legal documents? These are the central issues that Bjerke must address as a Global Data Protection Officer whose responsibilty, first and foremost, is to ensure that subject data is legal and accurate, because these are human rights under GDPR.
A delusion is something that people believe in despite a total lack of evidence. ~ Richard Dawkins
It is easy to ignore responsibility when one is only an intermediate link in a chain of action. ~ Stanley Milgram