As outsourcing HR becomes increasingly common, Kathryn Dooks, Employment Partner and Paul O’Hare, Head of Outsourcing at Kemp Little LLP, provides sound advice on current legislation governing outsourcing core HR functions.
Historically, companies tended to outsource individual “transactional” HR functions, such as payroll or recruitment, functions which can often involve low levels of complexity and “value add”. Outsourcing such functions freed up more time to focus on more strategic HR issues. These “single function” outsourcings remain very successful and the market for each type grows at a healthy rate each year. As these “transactional” HR services are relatively straightforward and low risk there are far fewer legal considerations when outsourcing such functions. Now, multi-national companies are increasingly outsourcing broader HR compliance functions, as a means of saving cost and focusing staff on core business lines. Whilst these larger, multi-function deals have been around for a long time, employers remain concerned about outsourcing functions which are perceived to be risky and bound up in reputational issues, especially as ultimate liability remains with them. Part of the solution is to rather than simply outsourcing a problem, understand your obligations, clearly map your policies and procedures to the supplier’s solution and have appropriate oversight of the outsourced function. Procedures for internal auditing and performance and compliance reporting should be established.
It can be difficult to apply KPIs to outsourced HR functions which are less “transactional” in nature, as the appropriate indicator is a qualitative rather than quantitative one and therefore, by its very nature, difficult to measure, other than by employee satisfaction surveys and so on. These deals can often involve an overlap between the responsibilities of the employer and the supplier. In such circumstances, the parties should take care to clearly define where the employer’s responsibility stops and the service provider’s responsibility starts, to avoid issues falling between the cracks. Where responsibilities overlap, detailed service descriptions are key.
In addition, HR directors are increasingly using Cloud-based HR systems or ‘Software as a Service’ (“SaaS”) solutions as a cost-effective and efficient way of managing staff and HR data across the world. Cloud solutions can raise a number of data protection and security issues, particularly in an HRO context. Part of the challenge is that a typical “public” Cloud is a “one-to-many”, uniform solution with very little opportunity for the buyer to customise its requirements or the applicable contractual terms. The supplier decides where to store the data (which can be outside the EEA) and often can move it around different data centres across the world. The buyer remains responsible for employee data stored in the Cloud by the supplier. This may cause difficulties given that it is not always possible to determine the precise physical location of the data. Careful thought should therefore be given to whether a typical ‘public’ Cloud is the most appropriate type of solution available and what employee data should be stored in the Cloud. A buyer will want to ensure that the transfer of such data into the Cloud and by the supplier across the internet between data centres is secure and that data is encrypted.
The transfer of data into the Cloud means that the employer is caught by the data transfer rules within the Data Protection Act. Personal data may only be transferred to countries outside the EEA if: (i) the data subject has consented to the transfer; or (ii) the transfer is made on terms that are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects; or (iii) the transfer has been authorised by the Information Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects. Typically, employers rely on employee consent.
Employee consent is also required if the Cloud solution involves the processing of any sensitive personal data, such as medical records. In any event employees should be informed of the way in which their personal data will be gathered and processed, either in the contract of employment or a data protection policy. As suppliers become more sophisticated in the HRO market, buyers become more comfortable with managing the risks around HRO, and with pressure on HR Directors to continue to cut costs and maximise the strategic role of the HR function, we are bound to see an increase in the scope of HR functions which are outsourced in the future.
Kathryn Dooks, Employment Partner
Paul O’Hare, Head of Outsourcing
Kemp Little LLP
www.kemplittle.com