
HUMAN RIGHTS IMPACT ASSESSMENT

TELIASONERA FINAL REPORT 10 APRIL 2013

AUTHORSHIP
Principal Author: Dylan Tromp, Advisor, Human Rights and Business Department, Danish Institute for Human Rights
Supporting Authors, Danish Institute for Human Rights: Rikke Frank Jørgensen, Senior Advisor, Research Department; Allan Lerberg Jørgensen, Department Director, Human Rights and Business Department
Assessment Coordinators, TeliaSonera: Patrik Hiselius, Senior Advisor, Group Sustainability; Eija Pitkänen, Head of Group Sustainability
April 2013 Danish Institute for Human Rights

CONTACT
Dylan Tromp (Advisor), Human Rights and Business Department, Danish Institute for Human Rights, Wilders Plads 8K, DK-1403 Copenhagen K
Phone +45 3269 8888
Phone +45 3269 8856 (direct)
www.humanrights.dk
dtr@humanrights.dk

TELIASONERA HUMAN RIGHTS IMPACT ASSESSMENT DANISH INSTITUTE FOR HUMAN RIGHTS INTERNAL TELIASONERA CLIENT WORKING MATERIAL, DATA AND OPINIONS/ COMMERCIAL SECRET/BUSINESS SECRET / MATERIAL INTEREST / MATERIAL FINANCIAL INTEREST / PRIVILEGED AND CONFIDENTIAL ATTORNEY WORK PRODUCT / DO NOT DISCLOSE, MARK ON OR COPY

CONTENTS
1. EXECUTIVE SUMMARY
2. BACKGROUND
3. FINDINGS
4. RECOMMENDATIONS
ANNEX 1 DETAILED FINDINGS
ANNEX 2 METHODOLOGY
REFERENCES


1. EXECUTIVE SUMMARY

1.1 EXTERNAL CONTEXT

TeliaSonera was criticized during 2012 in the Swedish media and elsewhere for allowing governments to use its networks to infringe upon the human right to privacy, including by releasing subscribers' private data, such as their geographical location and the content of their communications, to public authorities.1 Additionally, the company was accused of improper interference in the human right to freedom of expression by complying with government orders to temporarily shut down its networks,2 otherwise restrict access to its services in certain geographic areas, or restrict access to certain online content.3 This criticism focused on TeliaSonera's operations in Eurasia, including the operations of its associated company Turkcell in Belarus.4 TeliaSonera's main shareholders and some of its corporate customers expressed their concerns related to the issues highlighted in the media.5

1.2 INTERNAL CONTEXT

TeliaSonera has characterized the allegations raised during 2012 as "serious criticism".6 TeliaSonera's 2012 Annual Report states that: "TeliaSonera's business strategy means that the company does business in some of the world's most challenging markets when it comes to violations of human rights. The importance of a zero tolerance across the entire organization for human rights abuses can therefore not be underestimated."7

TeliaSonera has identified that human rights pose a high risk to its business, and has identified a number of what it calls "human rights hot spots", including lawful interception, positioning, network shutdowns, content-blocking, stored personal data, and license requirements.8 Overall, TeliaSonera considers "Human rights: freedom of expression and privacy, with a special emphasis on our Eurasia region" and "Assessing sustainability risks as part of major investment decisions and operational risk management" to be amongst the four most important topics for its stakeholders.9

TeliaSonera's current Corporate Responsibility Goals, as set out in the company's Corporate Responsibility Report 2011, included an action for 2012 to "Conduct a human rights impact assessment" and "Based on the results prepare a mitigation plan for negative human rights impact", with the goal to improve understanding across the Group of the company's human rights impact, based on the UN Guiding Principles on Business and Human Rights.10 The present report is a key output of this action.


1.3 METHODOLOGY

This report presents the findings and recommendations of a group-wide Human Rights Impact Assessment (HRIA) by TeliaSonera, facilitated by the Danish Institute for Human Rights (DIHR) from July 2012 to April 2013. The objectives of this assessment were to identify and assess potential adverse human rights impacts in which TeliaSonera may be involved through its activities and its business relationships, and to recommend and prioritize corresponding mitigation measures to address these potential impacts. The assessment had a heightened focus on freedom of expression and privacy, two issues pre-identified by both the Danish Institute for Human Rights and TeliaSonera as being particularly material.

The United Nations Guiding Principles on Business and Human Rights11 served as the external benchmark for the assessment. This benchmark was operationalized by the Danish Institute for Human Rights into a bespoke scenarios-based human rights impact assessment tool customized to TeliaSonera's business and operations as a telecommunications company. Initial findings were then validated through a series of depth interviews with selected subject matter experts (SMEs) within the company. The assessment methodology is described in more detail in Annex 2 to this report.

1.4 KEY FINDINGS

The key potential adverse human rights impacts identified for TeliaSonera are described in the Findings section of this report (below). Detailed findings are then presented in Annex 1. The most significant improvement areas identified were:

POLICY COMMITMENT

User Privacy policy gap. Surveillance and interception issues are not well covered by the current version of the Group Privacy Policy, which explicitly allows for company acquiescence to verbal demands for release of private user data to government authorities. Current policies rely on an assessment of lawfulness of governments' requests, rather than considering compatibility with internationally recognized human rights standards. The Group Privacy Policy is not applied directly to TeliaSonera's associated companies, creating a significant gap in policy protection.

Freedom of Expression policy gap. There is no stand-alone group-level policy on freedom of expression. While there are some references to freedom of expression in the Code of Ethics and Conduct, the current wording does not amount to a commitment to respect the right to freedom of expression as such.

Incomplete scope of application for the Supplier Code of Conduct. Inclusion of the Supplier Code of Conduct is not mandatory for procurement activities that do not involve Group Sourcing, creating a gap in policy protection.

IMPACT ASSESSMENT

Investigating and assessing actual human rights impacts. The present assessment has focused solely on potential human rights impacts. As far as the Danish Institute for Human Rights is aware, the company has not taken measures to assess actual impacts on human rights in which it may have been involved (i.e. real impacts which have already occurred). Assessment of such impacts would be a prerequisite for the company to provide for, or cooperate in, their remediation through legitimate processes, as required by the United Nations Guiding Principles on Business and Human Rights (see further Remediation, below).

Absence of country-level assessment of potential human rights impacts. Neither the present assessment, nor any other assessment that the Danish Institute for Human Rights is aware of, has meaningfully assessed the risk of company involvement in human rights impacts at the country level. This is true even for operating markets pre-identified by the company as being high-risk for human rights, and where the company has faced what it recognizes to be serious public allegations of involvement in breaches of customer privacy and freedom of expression.

Secondary (knock-on) consequences for rights-holders. The company's current approach to human rights risk and impact assessment focuses narrowly on primary impacts (such as immediate breaches of user privacy, for example), while neglecting to consider possible serious and significant secondary consequences (knock-on effects) of such primary impacts for the rights-holders affected, which could amount to gross violations of human rights.

INTEGRATION & EMBEDDING

Decision making process for handling and escalating government requests. The documented decision making process reviewed for this assessment:
applies only to Business Area Eurasia, to the exclusion of other geographies;
fails to require either an assessment of the compatibility of requests with internationally recognized human rights standards, or an assessment of potential secondary (knock-on) impacts for affected rights-holders;
explicitly excludes so-called "Normal day-to-day lawful interception requests" from its scope, applying only to New requests to install real-time access to network information for authorities, requests to close down all or parts of the network [and] requests to block internet websites;
fails to clearly require Group Management decision-making in handling such requests; and
fails to require the maximum possible public disclosure of such requests, or disclosure to affected users.

Corruption occurs systematically. Some company staff report that corruption occurs systematically.

Staff very unclear about company's policies, processes & expectations on human rights and anti-corruption. In general, internal company participants in the assessment reported a perceived or actual lack of formal processes and accompanying instructions in many areas relevant to human rights, such as data protection, or reported that such processes were in place for certain operating markets but not others. A need for training was clearly expressed by many respondents, particularly in relation to appropriate handling of personal data and anti-corruption.

Apparent de-prioritization of protection of children online. The company has removed protection of children online from its priority action plan and long-term ambition, raising concerns that this area of work may have been de-prioritized for implementation and attention.

Overtime, living wage, occupational health and safety. Employees reported concerns relating to overtime, living wage, occupational health and safety.

TRACKING & MONITORING

"There is still a lot of work to do in our supply chain." Relevant staff reported a perception of inadequate leverage vis-a-vis suppliers on the issues of working hours, wages and leave (issues which are not covered by the Supplier Code). Assessment and audit of suppliers appears to be at a nascent stage. The company's most recent Sustainability Report (2012) acknowledges that "There is still a lot of work to do in our supply chain."

Security audits. Personal user data security audits, and follow-up to these, are considered by staff to be inadequate to meet the relevant international human rights standards on privacy.

COMMUNICATION & REPORTING

Communication with affected users and the public. Current decision-making process documents for handling government service-limitation and interception requests fail to require communication to affected users or the general public.

Freedom of expression complaints. The company does not publish information on complaints regarding freedom of expression that it receives, nor the actions that it has taken in response.

Sustainability Report 2012. The most recent Sustainability Report (2012) fails to report against a number of relevant Global Reporting Initiative (GRI) indicators.

REMEDIATION

Addressing actual impacts. It is unclear whether, or to what extent, the company has sought to assess its involvement in any actual (as opposed to potential) impacts on human rights, or the extent to which it has integrated and acted upon the findings of such an investigation, and tracked the effectiveness of its response. Certainly the company has not communicated adequately how it has sought to remediate any impacts on human rights in which it may have been involved.

External grievance channels. It was unclear to the assessment team whether or not, and to what extent, the company's existing whistle-blowing mechanisms are accessible to affected users, employees of suppliers and contractors, and members of the general public.

Anonymity. Anonymity of whistle-blowing reports of misconduct cannot be guaranteed by the company in all operating markets, according to the company's own public statements, raising concerns about the safety, integrity and effectiveness of these channels.

Poor uptake of existing whistle-blowing channels. A total of only 11 complaints were received through the company's whistle-blowing channels in 2012, and only 4 in 2011. This low level of uptake suggests poor staff awareness of, or trust in, the existing whistle-blowing function.


1.5 HIGH-LEVEL RECOMMENDATIONS

The key risk treatment recommendations for TeliaSonera are presented in the Recommendations section of this report (below). The recommendations prioritized as Critical for the company were:
GOVERNANCE

Human Rights Advisory Panel. Appoint a Human Rights Advisory Panel reporting directly to Group Management.

Human Rights Working Group. Establish an internal cross-market and cross-Business-Area Human Rights Working Group comprising front-line practitioners with human rights responsibilities.

Human Rights Focal Point. Establish a Human Rights Focal Point at group-level. The Focal Point would serve as the Chair of the Human Rights Working Group.

RISK MANAGEMENT

Country-level Human Rights Impact Assessments. Conduct country-level human rights impact assessments, prioritizing existing markets pre-identified as high-risk for human rights, as well as for new market opportunity countries.

Human Rights Controls Assessment. Conduct or commission a systematic Human Rights Controls Assessment analyzing the coverage and strength of existing company architecture relevant to the management of human rights.

INTEGRATION & EMBEDDING

Instruction for handling government requests. Develop and disseminate a mandatory group-wide Instruction for implementing the proposed Lawful Interception Policy and a similar Instruction for implementing the proposed Freedom of Expression Policy.

ANTI-CORRUPTION

Dissemination of Anti-Corruption Instruction. Continue ongoing activities to develop and disseminate an internally mandatory Instruction on implementing group-level anti-corruption commitments locally in day-to-day operations.

Implementation and capability-building (training). Continue ongoing activities to prioritize anti-corruption implementation actions in pre-identified high-risk markets, supported by training and capability-building.

OPERATING LICENSES

License agreement terms. Seek to renew or renegotiate the terms of existing operating licenses and further analyze, together with industry peers on a global level, possibilities for collective action and constructive lobbying and leverage on this issue vis-a-vis host government authorities in each operating market.

REGULATORY & LEGISLATIVE REQUIREMENTS

Regulatory and legislative requirements. Engage in unilateral advocacy with host government authorities as well as collective activities (including through the Telco Industry Dialogue and any other applicable forum) to seek to limit the legislative and regulatory basis for restrictions on user privacy and freedom-of-expression at the national level in all operating markets.

ASSOCIATED COMPANIES

Leverage (active ownership). Leverage the company's best efforts to encourage the associated companies to uphold, at a minimum, TeliaSonera's own commitments to human rights.

EXTERNAL REPORTING

Transparency Reporting. Use Transparency Reporting to publicly disclose to the greatest possible extent information regarding government user data and service restriction requests.

REMEDIATION

Remediation of actual impacts. Investigate, assess, and remediate actual impacts on human rights in which the company may have been involved in the past.

MARKET ENTRY/EXIT

Market-entry human rights due diligence. Continue ongoing activities to integrate robust human rights due diligence measures into new market-entry approach, and ensure that measures are consistently applied.


1.6 NEXT STEPS

It is envisaged that TeliaSonera would now follow up on this report by taking the following next steps:

1. ASSIGN OWNERSHIP FOR IMPLEMENTATION
Assign ownership for implementation at a senior level within the enterprise, such as CEO or Head of Group Communications.

2. ACCEPT OR REJECT RECOMMENDATIONS
Consider each of the recommendations presented in this report and either accept or reject each for inclusion in a Human Rights Mitigation Plan.

3. HUMAN RIGHTS MITIGATION PLAN
The recommendations accepted by the enterprise for implementation would be developed into a Human Rights Mitigation Plan, as envisaged in TeliaSonera's Corporate Responsibility Report 2011, with implementation to commence during 2013. The Danish Institute for Human Rights will then assess the Mitigation Plan,12 and assess and support the first stages of its implementation.13 The assessment tool upon which this project has been based will then be made available for other companies in the ICT sector to apply.14

4. EXTERNAL COMMUNICATION
In order to account for how the enterprise is addressing its human rights impacts, the UN Guiding Principles require the external communication of information "that is sufficient to evaluate the adequacy of an enterprise's response to the particular human rights impact involved". To this end, it is recommended that TeliaSonera publish:
Summary of Key Findings of this report
Human Rights Mitigation Plan responsive to these findings, or a summary thereof.


2. BACKGROUND

2.1 OBJECTIVES

The overall objectives of this assessment were to:
1. Identify and assess TeliaSonera's involvement in potential adverse human rights impacts group-wide across all company operations and business relationships.15
2. Provide recommendations for addressing and mitigating the identified potential impacts.

2.2 OPERATIONAL SCOPE

TeliaSonera is organized into three Business Areas (BAs): Mobility Services, Broadband Services and Eurasia. Business Area Eurasia (BAE) comprises mobile operations in Kazakhstan, Azerbaijan, Uzbekistan, Tajikistan, Georgia, Moldova and Nepal, and is also responsible for developing TeliaSonera's shareholdings in MegaFon (Russia) and Turkcell (Turkey).16 Mobility Services and Broadband Services between them comprise operations in Sweden, Finland, Norway, Denmark, Lithuania, Latvia, Estonia, Spain and international carrier operations.17

As per the United Nations Guiding Principles on business and human rights, the scope of this assessment covered TeliaSonera's own activities and omissions as well as adverse human rights impacts that may be directly linked to the operations, products or services of TeliaSonera via business relationships.18 Hence, the operational scope of this assessment extended to TeliaSonera's business areas, subsidiaries, supplier base (value chain), and customer base, including:

Majority-owned companies. The assessment covered potential human rights impacts that may be linked to TeliaSonera's operation of all of its majority-owned companies in all 15 countries in which they operate, namely: Azerbaijan, Denmark, Estonia, Finland, Georgia, Kazakhstan, Latvia, Lithuania, Moldova, Nepal, Norway, Spain, Sweden, Tajikistan, and Uzbekistan.19 Across this geography, all of TeliaSonera's three international business areas were within the operational scope of this assessment, namely: Mobility Services, Broadband Services, and Eurasia. Specific business activities in scope included, among others: telecommunications services, supply chains, software development, IT services and retail sales.

TeliaSonera International Carrier (TSIC). TSIC is a wholly-owned fiber-based telecommunications services and infrastructure provider to operators and service-providers. TSIC is Europe's largest IP carrier, and supports service solutions for media, gaming and online entertainment industries. TSIC has had, as of late 2012, operating companies in 29 countries, with personnel based in 15 countries and infrastructure and contracts but no personnel in the remaining 14 countries. TSIC is the world's third largest international IP network, and was within scope for this assessment.

Business customer sales units. The Business Services sales division is the TeliaSonera Group's shared business sales unit, and was within scope for this assessment. Business Services is responsible for marketing and sales of TeliaSonera's basic telecom services and managed service solutions to corporate customers in Sweden and Finland and multinational companies in the Nordic countries.

2.3 THEMATIC SCOPE

As per the United Nations Guiding Principles on business and human rights, "The responsibility of business enterprises to respect human rights refers to internationally recognized human rights understood, at a minimum, as those expressed in the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labour Organization's Declaration on Fundamental Principles and Rights at Work."20 In organizing this broad range of rights in scope, joint DIHR-TeliaSonera scoping for the assessment pre-identified six overall human rights focal areas for TeliaSonera. These were grouped around areas where it was considered that TeliaSonera may have significant potential human rights impacts, based on key human rights challenges facing companies in the ICT sector. These pre-identified human rights focal areas were:
User Privacy
Freedom of Expression
Protection of Children Online
Employment Practices
Community Impacts (including Anti-Corruption)
Supply Chain Management

2.4 CONTEXT

RIGHTS-HOLDERS IN FOCUS

TeliaSonera provides fixed, mobile and global IP telecommunications services to its subscribers and users. TeliaSonera is Europe's fifth-largest telecommunications operator. As at Q4 2012, TeliaSonera had 183 million subscriptions across its markets in consolidated (majority-owned) operations (71 million subscriptions) and associated companies (112 million subscriptions).21 This customer base constitutes a significant group of rights-holders in focus for this assessment. Possible vulnerable groups within this user base may include human rights defenders, journalists, trade unionists, political dissidents, other political figures (including members of opposition parties to the government of the day), bloggers, online commentators, and children, amongst others. Both individual subscribers and service-users as a whole, i.e. the wider society, rely on telecommunications services provided by TeliaSonera. For the purpose of this assessment, external rights-holders in focus are therefore both subscribers and users. In terms of internal rights-holders, as at end 2012, TeliaSonera directly employed 27,838 people worldwide.22

TELIASONERA IN EURASIA

TeliaSonera describes its seven Eurasian companies as its "engines of growth", with four times as many subscriptions in 2012 as in 2007.23 In its Eurasian markets, TeliaSonera's majority-owned companies already typically account for a significant proportion of the total market share for mobile services.24 In 2012, the number of subscriptions in majority-owned (consolidated) operations in Eurasia rose by 7.7 million to a total of 42.5 million, not counting the subscriptions to associated companies.25 In all, TeliaSonera's operations in Eurasia currently ensure (2G) mobile coverage for 90 to almost 100 percent of the population in each country (e.g. 95 percent in Kazakhstan, and 99.8 percent in Azerbaijan).26

As noted in the Human Rights and Business Practice risk map included in the company's Sustainability Report 2012, many of these countries are considered either "not free" (Azerbaijan, Kazakhstan, Tajikistan, Uzbekistan) or only "partly free" (Georgia, Moldova, Nepal) in terms of indicators of civil and political rights (including the rights to privacy and freedom of expression) by reputable non-government organization commentators, such as Freedom House.27 Additionally, all seven Eurasian markets where TeliaSonera has majority-owned subsidiaries are considered by the company itself to be high risk for corruption, based on Transparency International's Corruption Perception Index.28

SECONDARY (KNOCK-ON) CONSEQUENCES OF PRIMARY HUMAN RIGHTS IMPACTS

As noted in TeliaSonera's Annual Report 2012, certain TeliaSonera markets are highly challenging when it comes to corruption and violations of human rights.29 Some of the countries where TeliaSonera operates pose a significant challenge to upholding the company's corporate responsibility to respect human rights. In such contexts, there is a risk that TeliaSonera may be involved in interference with the rights to privacy and/or freedom of expression of its users, whether through its direct actions or omissions, via its products or services, or indirectly, via its business relationships.

In this connection, it is noted that interference in user privacy and freedom of expression may in some contexts raise the risk of serious secondary (knock-on) consequences for rights-holders. For example, consider a scenario (developed in a forthcoming European Commission guidance document on human rights and the ICT sector) in which: Provision of user data to government enables the state to target human rights defenders, political dissidents, members of a particular ethnic group for harassment, arrest and arbitrary detention: Rights to Life, Liberty and Security of the Person, Prohibition Against Torture, Cruel, Inhuman or Degrading Treatment, Right to Non-Discrimination.30 In such a context, a breach of privacy is not merely a privacy issue: it could quickly lead to additional, secondary human rights consequences of great severity.

In this connection, the UN Guiding Principles stipulate that: Business enterprises should treat the risk of causing or contributing to gross human rights abuses as a legal compliance issue wherever they operate given the expanding web of potential corporate legal liability arising from extraterritorial civil claims, and from the incorporation of the provisions of the Rome Statute of the International Criminal Court in jurisdictions that provide for corporate criminal responsibility. In addition, corporate directors, officers and employees may be subject to individual liability for acts that amount to gross human rights abuses.31

EMERGING ISSUES

Looking forward, mobile data traffic on TeliaSonera's network per customer is increasing. Total data traffic carried by TeliaSonera expanded by nearly 80 percent in 2012.32 Overall, TeliaSonera's data traffic is growing in all regions, bringing new challenges to privacy and data protection (PDP).33 Technological trends, such as the cloud (virtual networks and software available remotely for access by users), behavioral advertising, deep packet inspection (examination of data within a computer's network, enabling, for instance, data mining), location awareness, the risk that seemingly anonymous data can be re-identified, and new models for storing and processing of data (data warehousing) all pose right-to-privacy and data-protection challenges.34

2.5 LIMITATIONS

As compared with the benchmark for this assessment (the United Nations Guiding Principles on Business and Human Rights), this assessment was characterized by the following limitations:

NO ASSESSMENT OF ACTUAL IMPACTS

The UN Guiding Principles specify that human rights due diligence should include assessing actual, and not only potential, human rights impacts, and then integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed. The scope of the present assessment was limited to an assessment only of potential, as opposed to actual, human rights impacts. One of the recommendations issued in this assessment is therefore that the company assess and address its actual impacts on human rights (see further, Recommendations, below).

NO EXTERNAL CONSULTATION

The UN Guiding Principles set out that a business enterprise's processes to assess human rights risks should "[i]nvolve meaningful consultation with potentially affected groups and other relevant stakeholders, as appropriate to the size of the business enterprise and the nature and context of the operation". The present assessment did not seek the views of potentially affected stakeholders, their legitimate representatives, or any other interested external parties or organizations, and to this extent falls short of the UNGPs benchmark. It is therefore recommended that TeliaSonera engage in meaningful external consultation in 2013 with relevant external stakeholders, taking the issues identified in this report as a starting point (see further, Recommendations, below).

NO SYSTEMATIC REVIEW OF HUMAN RIGHTS CONTROLS

No systematic review of TeliaSonera's existing group-wide, regional, business-area or country-specific controls was made by the Danish Institute for Human Rights during this assessment. Such a Controls Review is therefore one of the recommended follow-up actions to this report, and would serve as a useful facts-base for any corresponding mitigation plan (see further, Recommendations, below).

SIGNIFICANT EXCLUSIONS FROM OPERATIONAL SCOPE

The Guiding Principles set out that the scope of the corporate responsibility to respect human rights extends not only to a company's own activities and omissions but also to adverse human rights impacts that may be directly linked to the operations, products or services of TeliaSonera via business relationships. A number of exclusions to the operational scope of this assessment constitute a limitation against this benchmark. It is therefore recommended that TeliaSonera promote an assessment within its associated companies in order to bring them within scope of visibility and analysis (see further, Recommendations, below). The following TeliaSonera business interests were excluded from the scope of the assessment:

Associated Companies. Three of TeliaSonera's associated companies, namely MegaFon (Russia), TurkCell (Turkey) and Lattelecom (Latvia), were excluded from the scope of this assessment. TeliaSonera does not have operational control over these companies, but rather is a minority shareholder directly linked to these companies by virtue of business relationships. Furthermore, through its 37% ownership of TurkCell, TeliaSonera has a non-operating minority interest in a local subsidiary company in Belarus (Life), which has been the focus of external stakeholder attention on human rights grounds. Although it is directly linked to TeliaSonera by virtue of a business relationship, this local company is also outside the assessment scope.35 The ongoing ownership dispute within TurkCell was one reason given by TeliaSonera for not including TurkCell, with its subsidiaries, in the scope of this assessment.

TeliaSonera Finans. This credit-market company, offering financing and packaging of hardware and services to TeliaSonera's customers, was excluded from the scope of this assessment.


3. FINDINGS

The tables commencing overleaf summarize the key potential adverse human rights impacts identified for TeliaSonera. Detailed findings are presented in Annex 1 to this report, including attribution of specific findings to specific country markets where such trends were identified. Potential impact scenarios were identified as a priority for the company on the basis of their probability of occurrence, given existing controls in place; the number of rights-holders that stand to be affected by the impact; and the severity of consequences for those rights-holders should the impact occur. Included in consideration of the final factor were possible secondary (knock-on) consequences for rights-holders of primary impacts in which TeliaSonera might be involved: for example, how disclosure of user data to government authorities could lead to secondary consequences for the rights-holders concerned in terms of other human rights issues, such as the right to liberty and security of person. More detailed information on how the significance of these impact scenarios was rated is provided in Annex 2 to this report.

For each impact scenario, an assessment of strengths and improvement areas was made against the benchmark provided by the United Nations Guiding Principles on Business and Human Rights. The basis for this assessment was indicator-based and open-qualitative information received from company personnel participating in facilitated scenario-based self-assessment questionnaires and subsequent validation interviews, contextualized by the Danish Institute for Human Rights in light of publicly-available information on TeliaSonera's website.36 On this basis, the key potential adverse human rights impacts identified for TeliaSonera are presented in the tables commencing overleaf:


USER PRIVACY
IMPACT SCENARIO: Personal data is accessed, disclosed or monitored in a manner which is unlawful, disproportionate or in breach of international human rights principles AND/OR collected, stored or used without a clearly defined purpose, in an unlawful or unsafe manner, or without the informed and continued consent of customers or users AND/OR there is inadequate stewardship of surveillance products/services.37

STRENGTHS POLICY COMMITMENT IMPROVEMENT AREAS

Gaps in the Group Privacy Policy. There is a corporate-level policy gap on the issue of interception and surveillance of private user communications, whether such interception is lawful or unlawful. The current version of the Group Privacy Policy (3 December 2012) focuses mainly on data collection, retention and processing (for example, issues such as informing users of collection, and obtaining user consent), to the relative exclusion of other key human rights aspects of privacy such as disclosure and surveillance (i.e. interception) of private user data to/by public authorities.

Gaps in the Code of Ethics and Conduct. The Code of Ethics and Conduct (3 April 2012) contains commitments to protecting customer privacy, but these are not set out in operational detail, nor do they explicitly recognize privacy as a human right, nor take a human rights-based approach ensuring company respect for user privacy.

Verbal demands. Significantly, section 2.7 of the Group Privacy Policy explicitly allows for verbal demands for provision of personal customer data to authorities. Consideration of such non-written demands would render a proper assessment of legality, let alone compatibility with human rights standards, difficult if not impossible.

Lawfulness of requests

Code of Ethics & Conduct. The Group Code of Ethics and Conduct is the overall policy document for TeliaSonera's sustainability work, including human rights.38 The Code was updated in April 2012 to include a commitment that company actions will be guided by the OECD Guidelines for Multinational Enterprises, which follow the UN Guiding Principles on Business and Human Rights.

Group Privacy Policy. The Group Privacy Policy (3 December 2012) provides additional policy-level commitments on user privacy, based on the Code of Ethics and Conduct.

United Nations Global Compact. TeliaSonera joined the United Nations Global Compact (UNGC) on 21 Feb 2013. The UNGC is an external voluntary initiative which includes a high-level commitment to support and respect the protection of internationally proclaimed human rights and ensure that the company is not complicit in human rights abuses.39

Industry Dialogue Principles. TeliaSonera is a signatory to the Telco Industry Dialogue Principles on privacy and freedom of expression, which were launched in March 2013,40 based on the UN Guiding Principles on Business and Human Rights.


versus compatibility with human rights. The current wording in section 2.1 of the Code of Ethics and Conduct could readily be construed as implying that the company will always comply with all lawful requests from authorities for personal customer data, rather than first seeking ways to honor the principles of internationally recognized human rights, as required by the United Nations Guiding Principles on Business and Human Rights (Guiding Principle 23(b)).

Associated companies. A significant proportion of TeliaSonera's subscribers, including those in markets identified by the company as being high-risk for human rights, are serviced by associated companies. From a human rights perspective, it is significant that these companies are not covered by the direct applicability of the Code of Ethics and Conduct.41

Currently, there is no ongoing systematic group-wide assessment of potential impacts on rights-holders of company involvement in interference in the right to privacy. The assessment team could find no evidence of any systematic or considered evaluation of the possible secondary consequences for affected rights-holders, including subscribers, of company involvement in breaches of the right to privacy.

IMPACT ASSESSMENT

Major investments; Mergers & Acquisitions (M&A). The TeliaSonera Board of Directors announced in October 2012 a decision to tighten its risk management processes for major investments, in order to ensure that the strategy can be implemented in a manner that is in line with the company's code of ethics and conduct as well as UN and OECD guidelines on corruption and human rights.42 The Board has further resolved to improve sustainability risk evaluation for investments related to Mergers & Acquisitions (M&A).43 No specific reference to the right to privacy was publicly made in relation to these measures.

Enterprise Risk Management (ERM). Work is apparently ongoing towards integrating human rights into corporate-level Enterprise Risk Management (ERM) systems.

Country risk mapping. The Sustainability Report 2012 provides a basic, high-level human rights risk mapping of TeliaSonera's current operating markets.

ISO 26000 self-assessment. TeliaSonera undertook a self-assessment in 2012


against the ISO 26000 Guidance on Social Responsibility, a standard that includes human rights, and concluded that it was compliant.

INTEGRATION & EMBEDDING

2012 Action Program. In April 2012, TeliaSonera launched an action programme for handling issues related to protection of privacy and freedom of expression in non-democratic countries, in a better and more transparent way. The measures to be taken under that program include, amongst others:

- An overhaul of compliance with the regulatory frameworks governing operations in the countries under discussion, cooperation with external experts on human rights, and initiatives to start a dialogue with the authorities in the countries44 in question as well as internal work to develop our risk analysis, improve reporting, increase transparency and provide our employees with training on human rights;
- Renewing the analysis of the legal and license-based requirements on each market in order to ensure that TeliaSonera does not go beyond the law's requirements and that there is a solid process and escalation model when our active participation is required;
- Requesting that Turkcell's Board of Directors launch corresponding efforts in its subsidiary in Belarus;
- Taking initiatives to start a dialogue with the telecommunications minister of each country in question;
- Focusing the already planned training of all employees, in relation to the implementation of our code of ethics and conduct, on human-rights-related issues;
- Further developing and integrating human-rights-related risk assessments in connection with investments and business decisions, including information on the requirements set by local legislation and licenses.

The assessment team was not able to systematically gauge progress against any of these actions.

Privacy Policy Implementation Plan. During 2011, TeliaSonera developed a two-year implementation plan (Group

Decision making process. The company has developed a "Decision making process regarding certain decisions with risk of human rights violations" (10 September 2012) which outlines a procedure and escalation model to be followed when a legislative or license-based requirement for lawful interception of the company's networks or services is received from official authorities. However, this document applies only to Business Area Eurasia (BAE), and makes no reference to any procedural requirement to ascertain compatibility of the request with human rights standards on privacy, nor to undertake a risk-assessment of possible secondary human rights consequences, including potential knock-on impacts for affected users of an initial breach of the right to privacy. This is despite the fact that TeliaSonera has stated that: "Group management is aware that even when local legislation is adhered to there might be an obvious risk that the requested action is in conflict with human rights",48 and more generally that "There is a risk that national laws and regulations on such issues as intercepting communications could be defined in ways that enable violations of human rights."49 The Decision making process explicitly excludes so-called "Normal day-to-day lawful interception requests", while failing either to define these or explain how they are to be handled by the company. In terms of user privacy, the process applies only to New requests to install real-time access to network


Privacy Governance Program) for its Group Privacy Policy, based on a prestudy. The program is being implemented. The stated aim of the program is to ensure compliance with both national laws and end-user expectations, based on defined key performance indicators (KPIs), by filling identified compliance gaps and prioritizing high risk areas for local measures. The assessment team was neither able to review the Implementation plan nor assess the extent of its implementation.

Implementation of Industry Dialogue Principles. TeliaSonera has committed to start work on implementation of the Telco Industry Dialogue Principles on privacy and freedom of expression, to which it is a signatory, from March 2013.

Resources and corrective measures. The Group Privacy Policy (section 3) states that "Relevant and sufficient organizational resources shall be in place and secured to ensure proper implementation of this policy and corrective measures shall be taken where necessary." TeliaSonera's in-house expertise on digital rights may be an example of this resourcing.

Human Rights Mitigation Plan. In the Corporate Responsibility Report 2011, TeliaSonera has committed to developing a human rights mitigation plan based on the results of the present assessment.

Training. A global mandatory e-learning course on the Code of Ethics and Conduct is currently under development, for group-wide roll-out in 2013. Completion of this training module will be compulsory for all personnel. The e-learning focuses on human rights and anti-corruption.

Assessment of government requests to access user data. TeliaSonera has publicly committed to assessing the legality of all requirements from public authorities that risk conflicting with international human rights standards, although this may not cover-off on situations where legal requirements are in conflict with international human rights norms.

information for authorities, presumably excluding management review of any such existing access already in place. According to Paragraph 5 of the Process, the decision whether or not to comply with requests to install such systems is to be taken by the Business Unit CEO, involving Group CEO in the matter only if and when the BU CEO deems appropriate. This would appear to contradict a statement made by the company on 23 August 2012 that "Group management will evaluate the authority's request to implement any major actions in TeliaSonera's network."50 Ownership for decision-making is further rendered unclear within the process document itself: As per Paragraph 10, the BU CEO is required to wait for feed-back from the Head of BAE before acting on the request, but the BU CEO is authorized to take action before such feed-back is received if he deems it necessary.

Interception. Overall, routines, processes, and systems regarding inappropriate or unlawful disclosure, and external (government) interception, surveillance or monitoring of personal user data appear to be inadequately defined at group level and only weakly embedded across company operations at the subsidiary level.

Data protection. Controls and routines for collecting, storing and timely deletion of user data appear to be similarly weak. Corporate policies do not direct personnel to adequately supportive mandatory instructions or other guidelines. Staff knowledge across the group regarding protection levels and relevant legal requirements, as well as the system locations where personal data are actually stored and processed, appears to be inadequate to ensure that data is handled in a way that is compatible with human rights standards regarding privacy.


Handling of major government requests. Responsibility for handling of major requests and requirements from public authorities that risk conflicting with human rights has been escalated to Group Management, rather than local in-country management, as was previously the case.

Engagement of external advice. The company has assigned Sweden's former ambassador to Russia, Tomas Bertelman, to act as a strategic advisor in matters concerning the company's operations in Central Asia. The former Ambassador will assist the Board of Directors.45

CEO rotation scheme. The CEO rotation scheme, which was applied in five Eurasian markets in the third quarter of 2012, aims at maintaining good corporate governance across the organization. The CEOs of Azercell, Geocell, Moldcell and Ncell have exchanged their positions. Management rotations are standard practice in BA Eurasia.46

Dialogue with host governments. TeliaSonera has initiated discussions with the ministries of communications in Georgia, Kazakhstan, Moldova, Tajikistan and Uzbekistan, in order to emphasize "the high priority [the company] give[s] to human rights issues."47

Sustainability data gathering. In 2012, TeliaSonera implemented a new sustainability data gathering system.51 The extent to which this system gathers relevant information on right-to-privacy issues was unclear to the assessment team.

Reporting of complaints. TeliaSonera has reported the total number of complaints regarding breaches of customer privacy during 2012 (the total was 42 complaints). The company further disaggregated the total number of substantiated complaints received from outside parties (31) and the number of complaints received from

Security audits. Auditing of personal user data security is seen by company staff as inadequate and follow-up on audit findings is reported by staff to be poor.

INTERNAL TRACKING & MONITORING

EXTERNAL COMMUNICATION & REPORTING

Communicating with affected users. No requirement to communicate company actions to affected or potentially affected users is specified in the "Decision making process regarding certain decisions with risk of human rights violations" (10 September 2012), nor is there any commitment to


regulatory bodies (11).52 The Corporate Responsibility Report 2011 likewise discloses the number of complaints regarding breaches of customer privacy received by TeliaSonera during 2011, disaggregated by source (i.e. regulatory body vs. other outside parties).

Human rights reporting. United Nations Global Compact (UNGC) membership, which commenced in February 2013, includes a commitment to annual public Communication on Progress (COP) reporting. TeliaSonera has not yet submitted its first UNGC COP report.

Sustainability Report. TeliaSonera produces an annual corporate responsibility report (Sustainability Report) which makes reference to human rights. The Sustainability Report 2012 has been externally verified by PriceWaterhouseCoopers (PWC). TeliaSonera applies the Global Reporting Initiative (GRI) guidelines, including the telecommunications sector supplement. However, in the 2012 Sustainability Report, TeliaSonera did not fully report against all of the relevant GRI indicators, although it did partially report against all of them.

Sustainability Indexes. TeliaSonera has been included in the FTSE4Good sustainability index since 2009,53 and is also included in the Folksam Index for Corporate Responsibility 2011 and the OMX GES Sustainability Sweden index.54

The Group Privacy Policy (Section 3) states that: "Employees are encouraged to report violations of these principles by reporting misconduct via the whistle-blowing function."

communicating publicly regarding actions taken. Indeed, the default position implied by the decision making process is no public communication at the Group-level, other than that determined on an ad hoc basis by the Head of BAE together with the Head of Group Communication, the BU CEO (and others deemed appropriate for inclusion in the discussion by the Head of BAE), and no public communication at the BU-level, other than that decided by the BU CEO after consultation with the Head of BAE, the Head of BAE Communications, and others deemed appropriate by the BU CEO.

REMEDIATION

Investigating and addressing actual impacts. It is unclear what action, if any, TeliaSonera has taken to investigate allegations that it has caused or contributed to, or is otherwise directly linked via its business relationships to, actual human rights impacts. More generally, the company's current approach to providing for or cooperating in the remediation of such actual impacts was not clear to the assessment team.

External grievance channels. It was unclear to the assessment team whether the company's whistle-blowing function was available to external rights-holders, including subscribers, or only to company personnel.


Moreover, even if such a channel is accessible to external third-party rights-holders in theory, its existence may not be adequately communicated to potentially affected groups, especially subscribers/users, in practice. The company's response to privacy-related grievances received is not currently disclosed to the public.

Anonymity. Internal reports of misconduct against the Code of Conduct can only be reported anonymously in countries where this is legally permissible.55 This would seem to limit the compatibility of current whistleblowing channels with human rights standards.


FREEDOM OF EXPRESSION
IMPACT SCENARIO: Customers or users are barred from communicating, seeking or imparting information in a manner which is unlawful or disproportionate or in breach of international human rights principles.56

STRENGTHS POLICY COMMITMENT IMPROVEMENT AREAS

No stand-alone group-level policy on freedom of expression. There is currently no group-level stand-alone policy on freedom of expression that could provide further internal or external clarity as to the company's commitment and position on this issue.

Policy gap on freedom of expression in the Code of Conduct. While there are some references to freedom of expression in the Code of Ethics and Conduct, the current wording does not amount to a commitment to respect the right to freedom of expression as such (current wording merely acknowledges the concerns related to legal bases for limiting this right and notes that freedom of expression is at the core of TeliaSonera's business).

There appears to be no ongoing systematic group-assessment of the risk to rights-holders of company involvement in interference in freedom of expression. In particular, there is no systematic assessment of this risk with respect to particular local operating subsidiaries, even in markets that the company has identified as being high risk for human rights.

Decision making process. There is a "Decision making process regarding certain decisions with risk of human rights violations" (10 September 2012) which outlines a procedure and escalation model to be followed when a legislative or license-based requirement for limitation of networks or services, including in particular: requests to close down all or parts of the network and requests to block internet websites is received from official authorities. However, this document applies only

Code of Ethics and Conduct; United Nations Global Compact & Industry Dialogue Principles: See User Privacy, above.

RISK & IMPACT ASSESSMENT

Major investments; Mergers & Acquisitions (M&A); Enterprise Risk Management (ERM); Country risk mapping & ISO 26000 self-assessment: See User Privacy, above.

INTEGRATION & EMBEDDING

2012 Action Programme; Implementation of the Industry Dialogue Principles; Human Rights Mitigation Plan; E-learning; Handling of major government requests: See User Privacy, above.


to Business Area Eurasia, and makes no reference to any procedural requirement to ascertain compatibility of the request with human rights standards on freedom of expression. This is despite the fact that TeliaSonera has stated that: "Group management is aware that even when local legislation is adhered to there might be an obvious risk that the requested action is in conflict with human rights",57 and more generally that "There is a risk that national laws and regulations on such issues as shutting down networks could be defined in ways that enable violations of human rights."58

According to Paragraph 5 of the Process, the decision whether or not to comply with requests to install such systems is to be taken by the Business Unit CEO, involving Group CEO in the matter only if and when the BU CEO deems appropriate. This would appear to contradict a statement made by the company on 23 August 2012 that "Group management will evaluate the authority's request to implement restrictions in TeliaSonera's network",59 which is reiterated in the Sustainability Report 2012: "Major requirements (including public authorities' decisions to shut down all or parts of networks) are now assessed at Group management level instead of locally."60 Moreover, ownership for decision-making is further rendered unclear within the process document itself: As per Paragraph 10, the BU CEO is required to wait for feed-back from the Head of BAE before acting on the request, but the BU CEO is authorized to take action before such feed-back is received if he deems it necessary.

No requirement to communicate company actions to affected or potentially affected users is specified in the process.


The procedure explicitly excludes "Requests to close down web sites showing child pornography", while failing to set out how such content is to be defined and identified.

There is a lack of formally established processes for appropriate handling of service limit requests. The company's approach is reportedly inconsistent across operating markets, subsidiary companies, or business units. There is a lack of clear internal guidance or mandatory instruction on how to handle service limit requests in line with international human rights standards.

The extent to which the new sustainability data gathering system gathers relevant information on freedom-of-expression issues was unclear to the assessment team.

Communication with affected users. Company interference in freedom of expression is not generally disclosed either to the public, or to the affected users: Currently, there is only very limited disclosure of the nature, scope and source of major government requests and the response taken by the company in selected instances.

No publication of number of freedom-of-expression-related grievances received. The company does not publish the number of freedom-of-expression-related grievances it has received, nor does it publish its response to these.

INTERNAL TRACKING & MONITORING

Sustainability data gathering. See User Privacy, above.

EXTERNAL COMMUNICATION & REPORTING

REMEDIATION

Public commitment to communicate major network shutdowns. TeliaSonera has publicly committed, wherever possible "in particularly challenging situations when public authorities' requests do follow the existing local regulations but it is clear that the required actions could violate human rights", to publicize any major network shutdowns ordered by the public authorities.61

Disclosure regarding network shutdowns in 2012. During 2012, TeliaSonera has provided some information about some restrictions of local networks and content in its newsroom.62 Cases published in this way in 2012 were:

- The temporary shutdown of all communication networks, including Tcell, in the Gorny Badakhshan region of Tajikistan in July 2012
- The temporary shutdown by Kcell of the 3G network in the city of Zhanaozen, Kazakhstan in September 2012
- Restriction of access to certain sites by Tcell in Tajikistan during 201263

The Code of Ethics and Conduct states that: "Employees are encouraged to report violations of the Code by reporting misconduct via the web-based whistle-blowing function."

Addressing actual impacts. The company's current approach to provide for or cooperate in the remediation through legitimate processes of actual impacts on freedom of expression which the


company has caused or has contributed to was not clear to the assessment team. Nor was the extent of progress towards successfully remediating such actual impacts.

External grievance channels. It was unclear to the assessment team whether the company's whistleblowing function was available to external rights-holders, including subscribers.

Anonymity. Internal reports of misconduct against the Code of Conduct can only be reported anonymously in countries where this is legally permissible.64


ANTI-CORRUPTION
IMPACT SCENARIO: Payments, gifts or services made, offered or received by the company or its representatives, agents or suppliers to or from civil servants or public authorities, in order to gain or facilitate decisions or services.65

POLICY COMMITMENT

IMPACT ASSESSMENT

Group Anti-Corruption Policy. Group Anti-Corruption Policy (prepared in 2012 and approved in early 2013), in consultation with Transparency International. The Policy takes a broad definition of corruption (including, for example, negligent financing of corruption).

Code of Ethics and Conduct. Group Code of Ethics and Conduct, which was updated in April 2012 to include a commitment that company actions will be guided by the OECD Guidelines for Multinational Enterprises. The Code is the overall policy document for TeliaSonera's sustainability work, including anti-corruption.66

United Nations Global Compact. Membership of the United Nations Global Compact (21 Feb 2013), which has one principle on anti-corruption.67

The revised Supplier Code passes a prohibition on corruption to TeliaSonera's suppliers.

Corruption Risk Assessment & due diligence. The company is apparently taking steps to improve its corruption risk assessment and due diligence work related to business partners, taking a risk-based approach.68

Management sign-off. Senior management must confirm their adherence to the Code of Conduct in writing.

Instructions and guidance. The Anti-Corruption Policy commits the company to issuing, for each geographical market where it has operations, more detailed instructions on compliance with the Policy.

Compliance. The new Policy

Corruption risks do not yet appear to be systematically assessed group-wide on an ongoing basis.

INTEGRATION & EMBEDDING

Corruption occurs systematically. Staff assessed current anti-corruption controls as weak. A small number of staff respondents reported that corruption occurs systematically. One responded reported that We use gifts up to a certain extent in order to run the business. Instructions and guidance. It is not clear that the more detailed, and geographically-specific instructions called for by the new Policy have yet

TELIASONERA HUMAN RIGHTS SELF-ASSESSMENT 2013 DANISH INSTITUTE FOR HUMAN RIGHTS INTERNAL TELIASONERA CLIENT WORKING MATERIAL, DATA AND OPINIONS/ COMMERCIAL SECRET/BUSINESS SECRET / MATERIAL INTEREST / MATERIAL FINANCIAL INTEREST / PRIVILEGED AND CONFIDENTIAL ATTORNEY WORK PRODUCT / DO NOT DISCLOSE, MARK ON OR COPY 27

defines compliance follow-up as a the responsibility of all management staff.

been developed or disseminated. Mannheimer Swartling report. In relation to the question Has TeliaSonera violated any of its ethical rules that were applicable at the time?, the recent publicly-available report by Mannheimer Swartling 69 states, in relation to one specific instance where corruption was alleged, that: serious criticism can be directed at the project management as well as the CEO and board at the times in question, including the current CEO (for the uncritical attitude that has been maintained, despite the presence of continued unclearcircumstances in connection with transactions in 2007, as well as subsequent events). Staff very unclear about companys anti-corruption expectations & policy. A number of staff reported that they were very unclear on the companys anti-corruption policy, position and expectations of its personnel. Current training on anti-corruption was assessed to be inadequate. It remains unclear to the assessment team how the companys anticorruption procedures and performance are monitored. Sustainability Report 2012. In the 2012 Sustainability Report, a key anticorruption indicator (S03 percentage of employees trained in organizations anti-corruption policies and procedure) is only partially reported. Corporate Responsibility Report 2011. Likewise, in the 2011 Corporate Responsibility Report, relevant corruption indicators on the GRI are either only partially reported against or not reported against at all. Low levels of awareness of, and trust in, available whistle-blowing channels. There appears to be either an absence of readily-accessible, trusted whistleblowing channels or a very low level of staff awareness of such channels as might exist. Few complaints received in 2011-2012.

GUIDANCE & TRAINING

E-learning. The new Code of Conduct e-learning tool has a focus on anti-corruption.

INTERNAL TRACKING & MONITORING

EXTERNAL PUBLIC REPORTING & COMMUNICATION

Sustainability Report 2012. In the Sustainability Report 2012, the company fully reports against 2 out of the 3 standard GRI indicators for Corruption: SO2 "Percentage and total number of business units analyzed for risks related to corruption" and SO4 "Actions taken in response to incidents of corruption".

REMEDIATION

Employees encouraged to report. The Anti-Corruption Policy encourages employees to report violations by contacting their immediate superiors, any member of local executive management, or the TeliaSonera Board of Directors via its secretary, in addition to the possibility of using the web-based whistle-blowing function.

Some of the 11 whistle-blowing complaints received by the company in 2012 related to corruption allegations. The Corporate Responsibility Report 2011 states that during 2011, the company received a total of only 4 complaints relating to misconduct via the formal whistle-blowing channel. It is unclear from the information presented in the report how many of these (if any) relate to corruption/bribery issues. These small figures indicate low levels of uptake and use of whistle-blowing channels in practice.


PROTECTION OF CHILDREN ONLINE


IMPACT SCENARIO: The company's products or services are used in ways that contribute to violations of children's rights online and/or the company's measures to fight child sexual abuse content infringe on the right to freedom of expression and/or the rule of law.70

POLICY COMMITMENT

The Code of Ethics and Conduct states that: "TeliaSonera pays special attention to protecting children from any forms of abuse within the scope of our services. This includes deploying tools to help customers protect themselves against illegal or unwanted content and collaborating with governmental and trusted organizations to block sites that provide child sexual abusive content. We expect all our business partners to work against the exploitation of children." In its Sustainability Report 2012, the company states that: "We see it as our duty is to protect children in collaboration with the authorities and other stakeholders. We have taken an ethical standpoint against child sexual abuse material." Protection of children online is apparently being incorporated into TeliaSonera's overall assessment of sustainability risks.71

While the Code of Conduct and Ethics contains a very general reference to the protection of children, a dedicated corporate-level Protection of Children Online policy clearly setting out the scope of this commitment for internal and external audiences is currently lacking.

IMPACT ASSESSMENT

Current group-wide risk-assessment processes may not adequately take into account specific risks to the rights of the child in the context of provision of specific online services. Protection of children online removed from the company's priority action plan and long-term ambition. In the company's 2011 Corporate Responsibility report one of the listed sustainability actions concerned protecting children online. In the 2012 Sustainability Report, however, the relevant targets are not listed as part of the company's priority action plan and long-term ambition, suggesting that they may have been demoted or de-prioritized for implementation and attention. The 2012 report notes only that "This target is handled outside the table. Related targets have been set for the ICT industry across Europe. Protecting children continues to be an important area within our sustainability work."

INTEGRATION & EMBEDDING

Group-level instruction. In its Sustainability Report 2012, the company states that: "Our work is guided by a Group-level instruction on efforts to combat child sexual abuse." The assessment team has neither received nor reviewed this document. Parental Controls. In Finland, Estonia, Norway and Sweden, the company states that it provides parents with tools ("Parental Controls") to limit their children's internet usage. Blocking child sexual abuse material at the DNS level. TeliaSonera is working with national police to identify and block child sexual abuse material at the DNS level (www.domain.com). Child SafeGuard whitebox solution. The company is working with the software provider Netclean to implement a whitebox solution called Child SafeGuard, which is now placed in TeliaSonera's IP transit network in Sweden and Spain. Blocking child sexual abuse material on the IP-level (Internet Watch Foundation). The company is also working to block child sexual abuse material on the IP-level in cooperation with the Internet Watch Foundation (www.iwf.org.uk). GSMA Mobile Alliance Against Child Sexual Abuse Content. TeliaSonera is a founding member of the GSMA Mobile Alliance initiative, which is designed to obstruct the use of the mobile environment by individuals or organizations wishing to consume or profit from child sexual abuse content. CEO Coalition Protecting Kids Online. TeliaSonera has participated in the CEO Coalition Protecting Kids Online (European Commission) since December 2011. Safer Use of Connected Devices and Online Services by Children and Young People in the EU. In parallel with the CEO Coalition, TeliaSonera is also participating in the parallel scheme Safer Use of Connected Devices and Online Services by Children and Young People in the EU. TeliaSonera joined this initiative in December 2011. Surfa lugnt. The company is working with the Swedish network Surfa lugnt (www.surfalugnt.se). This network, whose name means "Surf in peace", aims to increase the safety and security of young internet users.

Balancing freedom of expression with protection of children online. In general, the types of due process safeguards with regard to blocking of content, including potential child sexual abuse content, raise human rights issues in relation to freedom-of-expression. The extent to which such considerations have been taken into account in the design, selection, and implementation of measures to protect children online. In particular, the assessment team is concerned that the company may not have adequate due process safeguards to ensure that initiatives to block child sexual abuse content do not have disproportionate or adverse negative impacts on the legitimate exercise of the right to freedom-of-expression. Handling and escalation of takedown and blocking requests. The process "Decision making regarding certain decisions with risk of human rights violations" (10 September 2012) explicitly excludes from its standard handling and escalation system "Requests to close down web sites showing child pornography are received from official authorities." However, this process document fails to set out how such content is to be defined and identified, and fails to indicate either how such requests should be handled, or which alternative company controls should apply. Staff report that there is a lack of formalized processes and a weakness of controls on the blocking of access to alleged child sexual abuse material. Staff further report that they have not been provided with adequate information regarding the company's definitional scope of child sexual abuse content, and that they are not adequately informed of appropriate action to take in relation to content, and that decisions on possible illegality of content are not currently referred to competent judicial authorities. Age-restricted material. Default settings on company products/services may give children easy access to premium services for which additional payment is necessary, and maximum privacy settings may not be adequate. The company could do more. Staff expressed the opinion that, in general, the company could do more to empower both children and parents to evaluate, minimize and report risks and engage online in a secure, safe and responsible manner. It remains unclear to the assessment team how the company's procedures and performance on the protection of children online are monitored. The company reports on its activities in this area, but the assessment team is unaware of any company reporting on progress and outcomes. No directly provided grievance channel for customers. According to staff, customers, and users, subscribers are not currently provided by TeliaSonera directly with an easily accessible channel for reporting alleged child sexual abuse content.

INTERNAL TRACKING & MONITORING

EXTERNAL COMMUNICATION & REPORTING

REMEDIATION


EMPLOYMENT PRACTICES
IMPACT SCENARIO: Employees exposed to excessive working hours, excessive overtime or lack of rest periods AND/OR are not able to make at minimum a living wage sufficient to meet the basic needs of the employee and the employee's legitimate dependents AND/OR are exposed to unsafe or unhealthy working environments, resulting in accidents or personal injury.

POLICY COMMITMENT

Code of Ethics and Conduct. The Group Code of Ethics and Conduct states that: "TeliaSonera supports the international human rights and dignity of all employees as outlined by the UN declaration and core ILO conventions."

Policy gaps. Many important international human rights standards for the workplace are set out in ILO instruments other than the 8 core conventions.

IMPACT ASSESSMENT INTEGRATION & EMBEDDING

Overtime. For both TSIC and for the Baltic subsidiaries, overtime was reported to be frequent with no current company actions or initiatives identified to compensate for heavy workloads. Living Wage. Controls to ensure that salaries amount to a living wage were assessed as weak. Workplace Health & Safety (OHS). Overall, workplace health and safety control was assessed as poor by a number of staff respondents. Personal security risk for staff relating to dangerous transportation and fear of reprisals from disgruntled members of the public was identified as a specific risk in Nepal only.

INTERNAL TRACKING & MONITORING EXTERNAL COMMUNICATION & REPORTING

Sustainability Report 2012. The Sustainability Report 2012 contains fully reported information on 6 GRI labour indicators, and partially-reported information on a seventh indicator.

Sustainability Report 2012. The Sustainability Report 2012 contains no information against a number of important labour indicators in the GRI, including: LA7 Rates of injury, occupational diseases, lost days, and absenteeism, and total number of work-related fatalities, by region and by gender. LA14 Ratio of basic salary and remuneration of women to men by employee category, by significant locations of operation. LA8 Education, training, counseling, prevention, and risk-control programs in place to assist workforce members, their families, or community members regarding serious diseases. LA10 Average hours of training per year per employee by gender, and by employee category. LA9 Health and safety topics covered in formal agreements with trade unions. LA11 Programs for skills management and lifelong learning that support the continued employability of employees and assist them in managing career endings. LA12 Percentage of employees receiving regular performance and career development reviews, by gender. OHS incidents. Staff respondents were under the impression that there is no official procedure for either staff reporting of, or company follow-up on, workplace OHS incidents.

REMEDIATION

Group Code of Ethics and Conduct. Employees are encouraged to report violations of the Code. Some of the 11 whistle-blowing complaints received by the company in 2012 related to human resources allegations.


SUPPLY CHAIN MANAGEMENT


IMPACT SCENARIO: Failure to promote international human rights standards in interactions with suppliers and business partners AND/OR supplier employees exposed to excessive working hours, excessive overtime and lack of rest periods; salaries that do not constitute a living wage sufficient to meet the basic needs of the employee and the employee's legitimate dependents; and/or lack of paid annual leave, paid sick leave and paid paternity leave.

POLICY COMMITMENT

Group Supplier Code. The Group Supplier Code was revised in 2012. The assessment team was not provided with the revised Code, which was not yet publicly-available at the time that this report was written.

Incomplete scope of application. The Supplier Code states that it "shall be applied in all Supplier relations where TeliaSonera Group Sourcing is involved and is recommended to be used in all sourcing activities within the TeliaSonera Group". This implies that inclusion of the Supplier Code is not mandatory for sourcing activities not involving Group Sourcing, creating a gap in coverage. Ambiguous policy requirement. The June 2010 revision of the Supplier Code (the most recent version to which the assessment team was given access) describes itself as a set of "Mandatory Corporate Responsibility Requirements for TeliaSonera Suppliers". The mandatory nature of the Code is however rendered ambiguous by the statement in its opening paragraph that "We encourage our Suppliers to adhere". It is therefore unclear whether the Code represents aspirational or mandatory requirements. Working Hours, Wages, Leave. Responsible staff appear to have the impression that TeliaSonera lacks control/leverage vis-à-vis its suppliers on the issues of adequate conditions of hours, wages and leave. The Supplier Code is silent on these issues (except for a reference to the local legal minimum wage, which may not amount to a living wage in accordance with human rights standards), providing a weak contractual basis for leverage. Risk assessment. Risk assessment of suppliers appears to be weak. This was identified as a particular issue in both Russia and Ukraine. TeliaSonera recognizes that its annual purchasing volume amounts to SEK 50 million, and disaggregates publicly that the majority of these purchases (in terms of volume and capital) concern infrastructural equipment and services related to the building, development and maintenance of its fixed and mobile networks and IT infrastructure, as well as mobile handsets, other consumer electronic devices and electricity.72 However, the assessment team is not aware of any systematic attempt to identify potential human rights impacts associated with these procurement activities.

IMPACT ASSESSMENT

Joint Audit Cooperation. The Joint Audit Cooperation (JAC), which TeliaSonera joined in 2012, works to foster the effective auditing of high-risk suppliers.

INTEGRATION & EMBEDDING

Supplier Portal. TeliaSonera has committed to establishing a supplier portal to communicate with, and support, its suppliers in the implementation of the revised Supplier Code. Contract requirements. At the end of 2012, the Supplier Code requirements were incorporated into 100 percent of significant and approved suppliers' contracts.73

Contract requirements. It is unclear what "significant and approved" means in the context of the total number and percentage of contracts with suppliers into which the Supplier Code has been integrated, and what overall percentage of procurement contracts currently incorporate the Supplier Code. Training. It appears that no training is currently provided to TeliaSonera staff regarding appropriate support of, and oversight over, supplier compliance with company expectations in respect of international human rights and working conditions standards. Still a lot of work to do. The Sustainability Report 2012 states that: "We recognize that there is still a lot of work to do in our supply chain." Monitoring. It appears that few, if any, audits or other assessments of suppliers are being performed, with the consequence that the level of supplier compliance with current contractual requirements on human rights and working conditions is very difficult to ascertain. Freedom of association and collective bargaining. Reporting against GRI indicator HR5 in the Sustainability Report 2012 neglects to include information on significant suppliers identified in which the right to exercise freedom of association and collective bargaining may be violated or at significant risk, and actions taken to support these rights. Child labour. Reporting against GRI indicator HR6 in the Sustainability Report 2012 neglects to include information on significant suppliers identified as having significant risk for incidents of child labor, and measures taken to contribute to the effective abolition of child labor. Forced labour. Reporting against GRI indicator HR7 in the Sustainability Report 2012 neglects to include information on significant suppliers identified as having significant risk for incidents of forced or compulsory labor, and measures to contribute to the elimination of all forms of forced or compulsory labour.

INTERNAL TRACKING & MONITORING

The 2012 Sustainability Report states that: "One of the actions in our Sustainability Priority Action Plan aims to strengthen the processes we use to assess how well our suppliers respect our Supplier Code." Sustainability Report 2012. Some relevant GRI indicators are reported against in the Sustainability Report 2012.

EXTERNAL COMMUNICATION & REPORTING

Human rights screening and follow-up actions. According to the 2011 Corporate Responsibility Report, the percentage of significant suppliers, contractors and other business partners that have undergone human rights screening, and actions taken (a GRI indicator) are only partially reported. No requirement for whistle-blowing mechanisms in the Supplier Code. The Supplier Code fails to require suppliers to provide an effective whistle-blowing channel or operational-level grievance mechanism whereby the employees of suppliers could lodge complaints. At the same time, it is not clear that TeliaSonera's own whistle-blowing channels are accessible and available to the employees of its suppliers.

REMEDIATION

Some of the 11 whistle-blowing complaints received by the company in 2012 related to procurement process allegations.

4. RECOMMENDATIONS

4.1 SOURCES

Key mitigation recommendations (risk treatment actions) for TeliaSonera are summarized in the table below, together with implementation guidance. Wherever possible and practicable, recommendations have been based on the principle of building on, and integrating into, existing company architecture and systems. Hence, most recommendations are grounded in TeliaSonera's existing policy commitments, initiatives, and ongoing activities on human rights. The recommendations are based on, and correspond to, the findings of this assessment, and have been further informed by authoritative external third-party guidance, in particular the United Nations Guiding Principles on business and human rights,74 the European Commission draft Guidance for the Information and Communication Technologies (ICT) Sector on Implementing the UN Guiding Principles on Business and Human Rights,75 and the Telecommunications, Freedom of Expression & Privacy Principles (March 2013),76 to which TeliaSonera is a signatory. Recommendations have been prioritized according to severity and irremediability of consequences for rights-holders of the potential impacts that they are designed to address, bearing in mind also the additionality, feasibility and likely efficacy of proposed countermeasures, as assessed by TeliaSonera staff in internal validation workshops (see further, "Annex 2 - Methodology").

4.2 HUMAN RIGHTS MITIGATION PLAN

It is proposed that the mitigation recommendations presented in this report should form the basis of a Human Rights Mitigation Plan, with implementation to commence during 2013. The Danish Institute for Human Rights is then able to assess the company's proposed Mitigation Plan,77 and support its implementation.

4.3 IMPLEMENTATION GUIDANCE

The table overleaf presents numbered recommendations in bold, each accompanied by implementation guidance (in plain text). The recommendations in bold describe a process, activity or goal to be achieved. The implementation guidance (plain text) suggests possible pathways for achievement.

4.4 PRIORITIZATION

Each recommendation has been accorded a priority rating, based on: TeliaSonera's self-assessment of the probability, severity and scale of associated potential impacts; and internal validation by DIHR with TeliaSonera subject matter experts (SMEs) as to the additionality, feasibility and likely efficacy of the recommendation.

4.5 RECOMMENDATIONS

The recommendations of this assessment are presented in the table overleaf:


1 GOVERNANCE

RECOMMENDATION 1.1 (PRIORITY: Critical)

Appoint a Human Rights Advisory Panel reporting directly to Group Management.

Appoint an external Human Rights Advisory Panel, reporting directly to Group Management, comprising reputable persons with demonstrated expertise in the area of human rights serving in their personal capacity.

The Panel should be mandated to advise Group Management on human rights matters of significance such as, for example:
o Appropriate company handling of significant government requests that may interfere with user privacy and/or freedom of expression.
o Human rights considerations related to significant changes to planned business operations, such as country entry/exit, mergers and acquisitions (M&A), joint ventures (JVs), license agreement negotiations and license agreement renewals, with a view to identifying major material risks and corresponding mitigation approaches.
o Other significant internal and external human rights issues, initiatives and developments as may arise from time to time.

In terms of working models for such a Panel, it is noted that HSBC's Board of Directors has a dedicated committee on sustainability that also addresses human rights issues, while UBS Investment Bank has a board committee similarly dedicated to environmental and human rights issues. Shareholders have recently targeted other ICT sector companies, including Hewlett-Packard (HP) and Apple as well as other leading businesses, such as Goldman Sachs, with resolutions that call for the creation of similar such board-level human rights advisory committees.

RECOMMENDATION 1.2 (PRIORITY: Critical)

Establish an internal cross-market and cross-Business-Area Human Rights Working Group comprising front-line practitioners with human rights responsibilities tasked, amongst other things, with driving implementation of a Human Rights Mitigation Plan to be based on the recommendations contained in this report. Members would constitute the first generation of TeliaSonera Human Rights Champions.

The Working Group should function primarily as an internal professional network formalizing and supporting peer-to-peer (P2P) and top-down (cascade) capability building on human rights.

Functional, business-area and subject matter expertise required for implementation of the Mitigation Plan should be adequately represented in the membership of the Working Group. In particular, membership should comprise amongst others: local legal counsel for targeted markets/regions; Group legal counsel; M&A deal team negotiators; local government-liaison personnel and local External Affairs; and representation of relevant in-company technical expertise (e.g. product/service engineers, network administrators etc.).

The working model from other leading companies is that these groups are staffed by designated issue-owners and subject matter experts (SMEs). Designating issue-owners plus an overall responsible person/function will be a key governance step for the Working Group. Such designation could flow from, or otherwise be logically derived from, the specific actions set out in the Mitigation Plan.

The mandate of the Working Group should be to draw on and build upon existing internal capabilities, expertise and good practice on privacy and freedom of expression, particularly in the areas of: agreement-making; handling of external requests; network administration and integrity/security, amongst others.

The Working Group could, for example:
o Participate in scenario-based face-to-face (F2F) skills-development training.
o Contribute to the current legal landscaping review of local operating requirements from a human rights perspective, and distil lessons-learned.
o Pilot-test the proposed group-wide protocol (see below) for appropriate handling of government user data and service limit requests.
o Develop preferred standard contract clauses for privacy and freedom of expression to support deal-team negotiators, and in license negotiations and renewals, possibly in cooperation with related industry and multi-stakeholder initiatives.
o Participate in ongoing Peer-to-Peer (P2P) support and mutual learning from in-company experience, shared challenges, and local pockets of best-practice.
o In 2014 and beyond, share high-level learning outcomes with TeliaSonera board representatives on minority-owned (non-controlled) companies.

Members of the working groups could be the first participant members of a TeliaSonera Human Rights Champions program. Expanding upon this base of leadership and expertise, the working group members could then train and capacitate a broader cohort of Human Rights champions within the business, through cascading Train-The-Trainer approaches.

1.3

Establish a Human Rights Focal Point at group-level, charged with implementing a Human Rights Mitigation Plan (based on the recommendations continued in this report). The Focal Point would also serve as the Chair of the Human Rights Working Group. The Human Rights Focal Point, should housed within a group-level corporate function, be readily accessible to all TeliaSonera personnel, and be accountable as directly as possible to Group Management. The function-holder(s) should possess requisite subject matter expertise on freedom of expression and privacy issues, as well as familiarity with typical realworld on-the-ground challenges in the companys operating markets. The Terms of Reference (ToR) for the Focal Point should include a mandate to: o Support/participate in the development of new company controls, compliance frameworks, group-level policies, supporting guidelines/instructions, training, external initiatives, and so forth. o Monitor and advise on appropriate company response to external

Critical


human rights developments, such as changing country situations, new products/services, emerging industry standards, best practice of peer competitors, evolving stakeholder expectations, regulatory, soft-law and policy developments at the national, regional and international level, as well as developments in peer practice and industry and multistakeholder initiatives, and so forth.
o Support human rights due diligence for new market entry/exit and new business development/business relationships (mergers, acquisitions, joint ventures, operating license negotiations, disposals, country-exit and so forth).
o Support staff to handle challenging cases and dilemmas, clarify understandings and unpack company expectations vis-à-vis human rights, through on-call advice as may be needed on a case-by-case basis.

2 POLICY COMMITMENT

2.1

Develop a stand-alone group-level Lawful Interception Policy based on the TeliaSonera Code of Conduct and Ethics, complementing the existing Group Privacy Policy. The policy should: Be based on international human rights standards on the human right to privacy, in particular as set out at UDHR Art. 12 and ICCPR Art. 17. Align with the Industry Dialogue Principles, where these are stronger or more specific than international human rights standards. Derive its internal authority from the Code of Ethics and Conduct, upon which it would be based. Be on an equal footing, and intersect with, the existing Group Privacy Policy. Take secure access for all users as its starting premise. Explicitly call out and address by name key human rights issues relating to lawful (and other) forms of interception, such as: Surveillance, tracking, positioning, wire-tapping, monitoring, interception, continuous surveillance (e.g. SORM-style continuous surveillance), and explicitly address linkages to freedom of expression (i.e. so-called chilling effects), and other human rights. Set out clearly what is expected of company personnel. Set out clearly what is expected of business partners and other parties directly linked to TeliaSonera's operations, products or services. Be supported by clear information about how TeliaSonera will implement its commitment e.g. in terms of alignment to strategic priorities, concrete actions and timelines, clearly sign-posting/ linking to clear, actionable, hands-on guidance for its implementation, including a description of how internal and external reporting will take place, and how grievances will be handled.

High

The policy development process should: Involve meaningful consultation with external stakeholders. Culminate in approval at the most senior level of the business.


2.2

Develop a stand-alone group-level Freedom of Expression Policy based on the TeliaSonera Code of Conduct and Ethics, complementing the existing Group Privacy Policy. The policy should: Be based on international human rights standards on the human right to freedom of expression, in particular, as set out at UDHR Art. 19 and ICCPR Art. 19. Align with the Industry Dialogue Principles, where these are stronger or more specific than international human rights standards. Derive its internal authority from the Code of Ethics and Conduct. Be on an equal footing, and intersect closely with, the existing corporate-level Privacy Policy. Take reliable, uninterrupted and unrestricted access for all users as its starting premise. Explicitly foresee State of Emergency and other circumstances in which governments may seek to circumscribe the freedom-of-expression of users. Explicitly address linkages to privacy (i.e. so-called chilling effects), and other human rights. Set out clearly what is expected of company personnel. Set out clearly what is expected of business partners and other parties directly linked to TeliaSonera's operations, products or services. Be supported by clear information about how TeliaSonera will implement its commitment e.g. in terms of alignment to strategic priorities, concrete actions and timelines, clearly sign-posting/ linking to clear, actionable, hands-on guidance for its implementation. The policy development process should: Involve meaningful consultation with external stakeholders. Culminate in approval at the most senior level of the business.

High


2.3

Publish on the TeliaSonera website a Digital Rights Framework sign-posting key group policies and relevant external voluntary commitments (external version) and directly linking to relevant supporting internal instructions and guidelines for staff (internal version). The existing page on the TeliaSonera website "Human rights within the international legal framework for telecom operators"78 could serve as a useful starting-point for this. Publish a high-level (e.g. 1-page) company website-hosted Framework, setting out how digital rights (privacy, freedom of expression) are managed in TeliaSonera in line with international human rights standards. The Framework should provide a publicly-accessible and comprehensive overview of the relationship between relevant corporate-level policies, and how they are applied in practice in TeliaSonera, including key initiatives, commitments, outcomes and performance (including indicators) and should invite external feedback on the company's approach to managing digital rights. It is important that the external version of the Framework is readily

Medium


comprehensible to the user/subscriber as well as the general public (i.e. a non-specialist audience), as well as more engaged and informed stakeholders who will require more detailed information. Consider therefore including a Question & Answer approach, e.g.: "How does TeliaSonera respond to government requests to take down content?", "How does TeliaSonera ensure that personal data is deleted when its original purpose has been fulfilled?", and so forth. The internal version of the Framework (e.g. as hosted on the staff intranet) should directly link to relevant supporting internal instructions and guidelines for staff.

3 RISK MANAGEMENT

3.1

Conduct country-level human rights impact assessments, prioritizing existing markets pre-identified as high-risk for human rights, as well as for new market opportunity countries, assessing the specific potential human rights impacts associated with specific goods and services in particular markets on specific groups of rights-holders. In order to gauge its potential human rights impacts on-the-ground in each market, conduct country-level human rights impact assessments that involve meaningful consultation with potentially affected groups and other relevant stakeholders. The assessments should: Build on the findings contained in this report. Comply with the United Nations Guiding Principles on Business and Human Rights. Take a risk-based approach to country-selection/prioritization, commencing with high-priority markets for human rights (e.g. Eurasian countries) as pre-identified in the Corporate Sustainability Report 2012, or by more rigorous means of country-level human rights and business risk-assessment. Include legal landscaping, on-site reviews, in-person internal interviews, consultative development of locally-tailored mitigation recommendations, as well as meaningful consultation with local external stakeholders, amongst other methodologies. Be updated at regular intervals; prior to a new activity or relationship; prior to major decisions or changes in the operation (e.g. market entry, product launch, policy change, or wider changes to the business); in response to or anticipation of changes in the operating environment (e.g. rising social tensions); and periodically throughout the life of an activity or business relationship. Disaggregate findings by product and service. Disaggregate findings by customers and end-users and other rights-holding groups that may potentially be affected, with the goal of identifying specific impacts on specific groups of individuals. TeliaSonera should also promote a human rights assessment within each associated company. If it is not possible to ensure that an assessment is carried out, then undertake an external assessment of the associated company, from the TeliaSonera perspective (see further, Associated Companies, below).

Critical


3.2

Continue ongoing activities to integrate human rights and anti-corruption into existing enterprise risk-management (ERM) systems. Continue to integrate human rights and anti-corruption into existing group-wide risk-management systems, with a focus on: Assessing risk-to-rights-holders (human rights risk) rather than risk-to-business (business risk), focusing on specific impacts on specific people. Human rights and anti-corruption due diligence for new business opportunities (M&A, joint ventures, country-entry etc.). Ongoing group-wide internal risk-reporting, prioritization and mitigation. Consider referring to the forthcoming United Nations Global Compact Guide for Anti-Corruption Risk Assessment for further guidance on assessing corruption risks.79 Conduct or commission a systematic Human Rights Controls Assessment analyzing the coverage and strength of existing company architecture relevant to the management of human rights. The Controls Assessment should: Focus on the thematic areas identified as high-priority in this report, including, amongst others: Privacy, Freedom of Expression, and Anti-Corruption, with a particular focus on such issues as hotspot markets, handling of government requests, user privacy, human rights risk/impact assessment, and so forth. Review a comprehensive inventory of controls including: Compliance systems, relevant group-level policies, mandatory instructions, external voluntary commitments, routines/systems/processes, non-mandatory guidelines, amongst other tools and documents relevant to the management of human rights impacts. Assess both the extent to which current controls cover material risks (i.e. potential human rights impacts), and the strength of the control provided over those potential impacts (i.e. assessment of likely efficacy of existing controls when/if used, identifying control weaknesses and gaps). Include an evaluation of staff awareness, uptake, and perceived effectiveness and utility of existing controls in place. Result in concrete proposals for strengthening existing controls wherever possible and developing new controls where required.

High

3.3

Critical

4 HANDLING OF GOVERNMENT REQUESTS

4.1


Develop and disseminate a mandatory group-wide Instruction for implementing the proposed Lawful Interception Policy and a similar Instruction for implementing the proposed Freedom of Expression Policy (see recommendations 2.1 and 2.2, above, respectively). These Instructions would then form part of the overall Digital Rights Framework set out at recommendation 2.3, above.

Critical


The Instruction should: Provide staff with clear and objective criteria enabling them to pre-identify and escalate requests which may interfere with user privacy or freedom of expression, and which therefore need to be the subject of further careful consideration and handling. Establish a clear escalation process whereby, after initial screening, frontline staff refer external requests to appropriate internal and external decision-makers, e.g. to Group Management and its proposed Human Rights Advisory Committee. Provide specific instructions for the different types of requests, such as alleged child abuse content, alleged intellectual property right (IPR) violations, and so forth. Be based on the principle of presumptive rejection (i.e. that any request is first presumed to be invalid or subject to question or challenge, with the onus on the request-maker to support the validity and merit of the request), and include a mandatory in-built point of challenge at which all incoming requests pre-identified as posing a potential risk to human rights are first presumptively denied and then become subject to screening, challenge and decision-making. As regards content-blocking, the principle should be that content is only blocked if and when a competent judicial authority has taken a decision that the relevant content is illegal. Set forth clear, objective and unambiguous decision-making criteria upon which the legality, legitimacy, and compatibility of the request with international human rights standards is to be ascertained. The criteria will include: Lawfulness (written requests with a sound basis in national law, e.g. based on a valid court order or warrant), necessity (clear, lawful, reasonable stated purpose), proportionality in pursuit of a legitimate and clearly-defined public purpose (e.g. national security, public order, public health, or the rights or reputation of others in light of the likely practical impact on freedom of expression and privacy), and the existence of a direct and immediate connection between the requested action and its stated purpose. Establish clear ownership (responsibility and accountability) for deciding the company's response, with a clear and mandatory procedure for escalation of requests to the key responsible function/unit, which should include both internal legal counsel and internal human rights expertise (e.g. Human Rights Focal Point, Human Rights Advisory Panel), as well as Group Management. Include instructions on when and how to push back on requests via negotiation, advocacy, and/or by seeking judicial review, appeal to other relevant branches of the administration, such as regulators or governmental departments, engaging the United Nations and/or other supranational bodies and/or other governments (such as the Swedish government and its embassies abroad) or institutions for diplomatic support, and engaging other stakeholders, such as media/NGOs, as appropriate. Seek to build relationships with National Human Rights Institutions (NHRIs) and Non-Government Organizations (NGOs) in all operating markets. Such partners will add credibility and force to measures such as joint open letters to government authorities, and will assist to build trust with the public by demonstrating a participatory approach to addressing material human rights issues on the basis of a facts-base co-created with independent third-parties. Prescribe that, if actioned, all requests to interfere with user privacy or freedom-of-expression will be enforced as restrictively as possible, i.e.

interpreted as narrowly as possible, using the least restrictive possible means, enforced for the shortest possible duration, and implemented in a graduated fashion. The minimum internal compliance requirement should be to demonstrate an exhaustive attempt to seek any and all appropriate alternative measures that would minimize or mitigate the human rights consequence of compliance with the request. Include a mandatory requirement to seek to ensure the safety and liberty of company personnel who may be placed at risk, whatever course of action is taken by the company. Actively encourage, on an ongoing basis, home state (i.e. Sweden) to engage in diplomatic dialogue with host governments of those countries where TeliaSonera has operations and where risks related to freedom of expression and privacy are present, escalating or emerging. State that requests to send communications to users on behalf of the government should be presumptively rejected, and subject to a clear and objective set of stringent evaluation criteria and processed on a case-by-case basis at an appropriate level of responsibility within the business. Provide clear directions for where and how to maintain meticulous and detailed records of all government requests received, including information that would be required for public disclosure (see External Reporting & Communication, below). Include a mandatory requirement to notify users of any service limit restriction or personal data disclosure in a clear, prominent and timely fashion, and to ensure public reporting of same. Refer company staff to the Human Rights Focal Point for further support and guidance in difficult cases.

5 MANAGEMENT OF USER DATA

5.1


Appoint responsibilities for continuous improvement in data management, in line with requirements of Group Privacy Policy, corresponding Instructions, and national legislation. In particular, appoint a corporate Data Protection Officer. Appoint a corporate Data Protection Officer. According to current draft EU Data Protection Reform measures, this may soon be a mandatory requirement for companies above a certain size,80 and will in any event contribute to building company capacity to implement relevant measures to improve data protection, such as those set out in the current report. Early tasks of the Data Protection Officer should include:
o Overseeing regular and ongoing system-wide cleaning of old or unnecessary personal data.
o Strengthening internal as well as external privacy audits, including review of level-of-access of staff to user data.
o Ensuring that default privacy settings are set to maximum possible levels of protection.

High


Consider all other appropriate resourcing options, including continuous prioritization of current implementation program for the Privacy Policy, and building the capability of existing staff through awareness-raising, knowledge development, skills-based training, and peer-to-peer support, for example through the vehicle of the Human Rights Working Group (see Recommendation 1.2, above).

6 ANTI-CORRUPTION

6.1

Continue ongoing activities to develop and disseminate an internally mandatory Instruction (as well as any supporting non-mandatory guidance as may be needed) on implementing group-level anti-corruption commitments locally in day-to-day operations. The Instruction should: Clearly explain to staff both what they need to do in order to comply with company expectations as well as how this must/should or could be achieved in practice in their day-to-day work. Include information on disciplinary procedures for violations of company anti-corruption policies. Demonstrate the appropriate response in common corruption-risk scenarios. Ensure that information on disciplinary procedures for violations of company anti-corruption policies is available to employees.

Critical

6.2

Continue ongoing activities to prioritize anti-corruption implementation actions in pre-identified high-risk markets, supported by training and capability-building. Prioritize anti-corruption measures in markets pre-identified as high-risk for corruption in the Corporate Responsibility Report 2011. Review this prioritization annually. Actively seek employee feedback and dialogue on its anti-corruption initiatives. Actively promote whistle-blowing channels and encourage their use by all staff. Evaluate the potential areas of corruption risk including factors such as type of transaction, countries of operation, industries, and customers or business partners involved, taking a risk-based approach to anti-corruption due diligence. The company has developed an action plan to address the risk of corruption, and has defined responsibilities for each task including detailed policies for high-risk areas. Identify the internal functions with the highest risk of corruption within the company, and seek to address weaknesses in the prevention of corruption. Share experience, procedures and challenges of corruption with other organizations, i.e. the local business community, sector initiatives, networks etc., and initiate or join initiatives with other companies in the same sector for the purpose of promoting a fair business environment. Seek to stimulate multistakeholder dialogue on challenges of corruption and encourage local business communities and business partners to initiate cooperation to fight corruption.

Critical


7 SKILLS-BASED TRAINING

7.1

Building upon, but separate from, the e-learning planned for group-wide roll-out in 2013, develop and roll out skills-based training on group-level policy commitments on: User privacy, freedom-of-expression, lawful interception and anti-corruption. This training may, for example, involve scenarios-based learning and face-to-face instruction, with the objective of enhancing the capability of targeted staff to solve real-world human rights dilemmas and challenges.

Medium

Skills-based training could build on planned e-learning on the Code of Ethics and Conduct by way of dedicated skills-based extension e-learning modules on:
o Anti-corruption (building upon proposed group-wide e-learning)
o User privacy / lawful interception
o Freedom of expression / service limitation requests
The audience for these extension training modules should be targeted to involve corporate functions and local country personnel most likely to be exposed to digital rights challenges & corruption risk, including marketing & sales, network administrators, external affairs, legal personnel at group-level as well as in local markets, and so forth. Training material should direct participants to additional supporting resources (i.e. Instructions & guidelines) and also to the Human Rights Focal Point for further on-call support where needed on a case-by-case basis. Targeted in-depth face-to-face (F2F) training should be developed and delivered for selected high-priority audiences (e.g. in-country workshops, function-specific, or region-specific), based on discussing and learning how to appropriately handle realistic real-world-type dilemma scenarios (e.g. takedown requests, etc.).

8 PROTECTION OF CHILDREN ONLINE

8.1


Review current channels for enabling users to report child sexual abuse content and develop new channels as necessary.

Medium

Co-operate with INHOPE and promote its illegal content-reporting application for mobile devices in Sweden, Finland, Norway, Denmark, Estonia, Latvia and Lithuania. If and when common web reporting becomes available, promote such initiatives on relevant TeliaSonera webpages with relevant organization (i.e. NGO) icon/logo. Ensure that the scope of child abuse content is clearly and consistently defined within TeliaSonera for operational purposes and that due process safeguards are enhanced (see further, the detailed findings on this subject set out in Annex 1 to this report). Undertake a specific group-wide risk assessment in this area, engaging appropriate external expertise.


8.2

Improve dissemination and implementation of existing Group Instruction on Fighting Child Sexual Abuse and Limiting Erotic Content Offerings. Make sure that the Account Managers for relevant content providers have a procedure in place for incidents, such as substantial customer complaints. Consider developing and offering barring and filtering functions for erotic content. Implement technical mechanisms to prevent unintentional access to Child Sexual Abuse Images, e.g. Internet addresses identified by an appropriate agency as hosting such material. Strive for phrasing in all contracts with relevant content providers to assure that customers are informed that erotic content will be delivered and are provided with an option to accept or decline gaining access to erotic content. Include a possibility to disbar a content provider service should the content provider repeatedly or materially violate such provisions. Ensure that the customer is provided with the ability to easily discontinue delivery of erotic content. Ensure that TeliaSonera customer care and incident handling units have the relevant processes, knowledge and resources in place to receive and investigate complaints or incidents in relation to fighting child sexual abuse and limiting erotic content offerings.

Medium

9 OPERATING LICENSES & LEGISLATIVE REQUIREMENTS

9.1


Seek to renew or renegotiate the terms of existing operating licenses in order to enhance the legal basis for company respect for user privacy and freedom of expression. Additionally, further analyze, together with industry peers on a global level, possibilities for collective action and constructive lobbying and leverage on this issue vis-a-vis host government authorities in each operating market.

Critical

Based on the results of the current legal review of existing license agreements, through a human rights lens, seek to renegotiate or renew problematic terms of existing license agreements to include robust protections on privacy and freedom-of-expression. Within the Industry Dialogue initiative, and/or other collective industry initiatives or multi-stakeholder forums, analyze possibilities, if any, for individual players, or groups of companies, to jointly pursue similar measures in selected markets. In cases where renegotiation of a particular operating agreement is not possible, as an interim measure, seek to establish a supplementary Memorandum of Understanding (MOU) or similar agreement, setting out a common agreement that the terms of the license agreement will be interpreted by both parties in a way which is least restrictive to human rights.


9.2

Engage in unilateral advocacy with host government authorities as well as collective activities (including through the Telco Industry Dialogue and any other applicable forum) to seek to limit the legislative and regulatory basis for restrictions on user privacy and freedom-of-expression at the national level in all operating markets. Plan working agenda for interactions with host government authorities, in light of concerns, suggested action items (such as those contained herein), and desired outcomes. Meet with host government authorities on a regular bilateral basis to discuss regulatory, legislative, license-based and other issues faced in common by mobile operators (i.e. TeliaSonera and its peers) in each operating market. Seek to understand the challenges in detail. Communicate expectations on, and develop acceptance of, the company's commitment to privacy and freedom of expression and raise any human rights concerns as early as possible, referring also to the relevant international standards, particularly those to which the host government is a ratified party as well as TeliaSonera's commitments within the Industry Dialogue. Establish willingness and mechanisms for continuing dialogue with host government authorities. Seek to establish a pattern of regular, formal meetings and formal and consistent reporting mechanism(s). Identify best line(s) of communication on issues and concerns. Develop contact with supportive or influential individuals or agencies, using a senior in-company figure to establish relationship(s) if necessary. Meticulously record minutes of all meetings and ensure follow-up in subsequent discussions. Pool leverage at the national level through cross-industry cooperation with other international mobile and internet operators present in each market to take collective positions and joined-up action on human rights.

Critical

9.3

High

Seek to cooperate on human rights and anti-corruption with all international internet and mobile service providers operating in key markets, including by:
o Pooling leverage vis-à-vis government requests affecting all operators, using the Industry Dialogue, or other appropriate grouping, as a vehicle for this.
o Seeking to collectively influence national government policy, law, regulation and practice on human rights protection, international standards in order to limit the legal basis for restrictions of user privacy and freedom-of-expression, including through the Industry Dialogue, or other appropriate group.
This cooperation could take the form of bilateral or multi-lateral engagements, and could be formalized through a memorandum of understanding (MOU) setting out the aims and scope of the cooperation, or through membership of a national-level (or regional-level) Human Rights Working Group with more-or-less formalized aims and working methods.


10 ASSOCIATED COMPANIES

10.1

Leverage the company's best efforts to encourage those associated companies (i.e. subsidiaries over which TeliaSonera does not have operational control) to uphold, at a minimum, TeliaSonera's own commitments to human rights. Make maximum effective use of board presence (representation) and active ownership practices to promote respect for human rights within all of the associated companies, prioritizing those companies in operational contexts that pose the highest risks to human rights. Associated companies in focus would include, amongst others, MegaFon (Russia), Life (Belarus), TurkCell (Turkey) as well as associated companies in Tajikistan (MegaFon), Ukraine (TurkCell/Life) and Latvia (Lattelecom). Engage country-level liaison representatives on promoting TeliaSonera's human rights commitments with associated companies. Review agreements with associated companies for human rights standards and application of TeliaSonera policy, and revise to include where not adequately represented. Ensure that agreements establish the right to audit and control vis-à-vis TeliaSonera's own human rights commitments. Ensure that associated companies, and their employees and users/subscribers are explicitly and proactively included within the scope and reach of TeliaSonera's grievance (whistle-blowing) mechanisms and internal and external reporting arrangements. Promote a human rights assessment within each associated company. If it is not possible to ensure that an assessment is carried out, then undertake an external assessment of the associated company, from the TeliaSonera perspective (see further, recommendation on human rights impact assessments, above). Among the factors that should enter into the determination of appropriate action when considering termination of a significant business relationship with an associated company is TeliaSonera's leverage over the entity concerned, whether opportunities to increase that leverage exist, the severity of the human rights impacts at stake, and whether terminating the relationship with the entity would itself have adverse human rights consequences.

Critical

11 EXTERNAL REPORTING & COMMUNICATION

11.1

Use Transparency Reporting to publicly disclose to the greatest possible extent information regarding government user data and service restriction requests.

Publicly disclose requests to the greatest legally-permissible extent. As a minimum, disclose the number, type, and nature of requests received in each operating market, and the company's action/response (i.e. engage in Transparency Reporting). Google's Transparency Report may serve as a useful model.81
Disclose also anonymous examples of requests received and explain standard company protocol for responding to requests of each type.
Whenever full disclosure is not possible, clearly explain legal and any other limitations and constraints on full disclosure of government requests, and disclose to the maximum possible extent.
Identify and describe trends in government requests, disaggregated by country and type, on a quarterly or annual basis.
Encourage host governments in all operating countries to similarly disclose the total figures of requests made, disaggregated by type.

Critical

11.2

Strengthen human rights reporting, including via the annual Sustainability Report and the United Nations Global Compact (UNGC) Communication on Progress (COP).

Review existing external reporting of human rights impacts and measures taken to address these, and identify opportunities to improve depth and coverage, considering such avenues as:
The annual Sustainability Report
UN Global Compact Communication on Progress (COP) reporting
In particular, consider reporting on an annual basis:
Total number of substantiated complaints regarding breaches of customer privacy and losses of customer data (GRI indicator 3.1, Product Responsibility 8).
Number of requests complied with that may impact upon freedom-of-expression or user privacy (see also recommendation 11.1 on Transparency Reporting, above).
Number of grievances related to human rights filed, addressed and resolved through formal grievance mechanisms (GRI 3.1 indicator HR11).
Percentage and total number of significant investment agreements and contracts that include clauses incorporating human rights concerns, or that have undergone human rights screening (GRI 3.1 indicator HR1).
Percentage and total number of operations that have been subject to human rights reviews and/or impact assessments (GRI 3.1, indicator HR10).

Medium

11.3

Disclose the full text of all existing operating licenses, through publication on the company's website, to the maximum legally-permissible extent.

Failing this, publish to the maximum legally-permissible extent those terms of the agreement that are most salient to human rights.
Analyze together with peer companies, within the Industry Dialogue or other suitable forums, further such disclosure possibilities which may be undertaken collectively, e.g. on a market-by-market basis where multiple operators are subject to the same license agreement terms.
Relevant terms to disclose would be those relating to the scope and permissible circumstances of content/service limitation and user-data access.
Additionally, use the vehicle of the Digital Rights Framework (proposed above) to translate the critical and common terms of existing license agreements into simple, public-facing and customer-facing questions and answers (Q&A) concerning how specific user rights are protected or put in jeopardy by such terms.

High


11.4

Report externally on an annual basis, and whenever circumstances make it relevant, on progress in implementing the recommendations herein and, as appropriate, on major events occurring in this regard.

High

Make public these high-level recommendations, as well as their total number.
Report progress on implementation in concrete terms of completeness (e.g. not yet started, in progress, partially implemented, fully implemented etc.), recommendation-by-recommendation, or failing this, by total number in each status category.

12 REMEDIATION

12.1

Investigate, assess, and remediate actual impacts on human rights in which the company may have been involved in the past.

Actual human rights impacts, i.e. those that have already occurred, should be investigated and remediated. The present assessment has focused on potential human rights impacts. As far as the Danish Institute for Human Rights is aware, the company has not taken measures to assess actual impacts on human rights in which it may have been involved (i.e. impacts which have already occurred). Assessment of such impacts would be a prerequisite for the company to provide for or cooperate in their remediation through legitimate processes, as required by the United Nations Guiding Principles on Business and Human Rights. The company should therefore identify and assess the nature of the actual adverse human rights impacts with which it is, or has been, involved.
Where the company's investigations identify that the company has caused or contributed to adverse impacts, it should provide for or cooperate in their remediation through legitimate processes.
Consider leveraging home state (Swedish) embassy support and/or supporting legal aid to identified victims. The "Yahoo! Human Rights Fund" could serve as a model for such an initiative.
Consider also partnering with independent organizations such as the ICRC to undertake prison visits for identified detainees.

Critical

12.2

Establish a credible and effective externally-facing grievance mechanism accessible to all users and customers, as well as the general public.

High

Provide credible and effective channels whereby users and members of the public can safely report questions, concerns, complaints, and grievances, including those relating to corruption, privacy and freedom-of-expression.
Design the mechanism against the effectiveness criteria set out in the UNGPs (Principle 31).
The internal company protocol establishing the complaints mechanisms should specify that complaints are to be investigated promptly and responded to in a timely fashion (e.g. within 10 working days), and ensure that the company's Human Rights Focal Point and/or Human Rights Advisory Panel (see above) may be engaged to offer their advice on particular cases.
The proposed Human Rights Advisory Panel and/or the Human Rights Working Group or Human Rights Focal Point (see above) should participate in a regular (e.g. annual) review of the mechanism for its uptake/utilization, responsiveness/effectiveness, as well as the pattern and substance of grievances raised, by way of feedback on company human rights performance.
The mechanism should provide users with the opportunity to appeal against any service limit restrictions, disclosure of personal data, or other decisions/actions taken by the company.
Work together with peer companies, including through the Industry Dialogue and any other suitable channels, to seek to establish an industry-level mechanism or Ombudsman for the sector.

12.3

Strengthen internal whistle-blowing channel(s) and ensure that all employees are aware of, and have access to, them.

High

Strengthen the existing internal whistle-blowing channel(s) using the effectiveness criteria set out in the UNGPs (Principle 31) as a benchmark.
Promote awareness and use of the channel(s) by:
o Finalizing and rolling out the planned Code of Ethics and Conduct e-learning, ensuring that the course content covers the whistle-blowing mechanism(s) available to staff.
o Ensuring prominent signposting to the whistle-blowing system on company intranet and any other internal induction or daily work systems.
o Promoting awareness and use of the whistle-blowing mechanism(s) through top-down cascading via the company management hierarchy.

13 MARKET ENTRY/EXIT

13.1

Continue ongoing activities to integrate robust human rights due diligence measures into new market-entry approach, and ensure that measures are consistently applied.

Critical

Review and upgrade existing opportunity-assessment as to market/country-entry processes to ensure robust human rights due diligence procedures are in place.
Develop a clear human rights due diligence protocol, with a phased approach (early spotting of red-flags, deal-breakers, show-stoppers, deeper approach including meaningful stakeholder consultation once new business opportunity enters the public domain). For example, host government proposals to include provisions that would enable so-called backdoor access in license agreements should be treated as a red flag or show-stopper and should be rejected.
Engage the internal Human Rights Working Group, Human Rights Focal Point and Human Rights Advisory Panel (see recommendations 1.1, 1.2 and 1.3 above) early in the process of considering new markets for advice on particular business partner and/or country market opportunities.
Engage also external human rights expertise to undertake in-depth country-level human rights risk assessment, including a detailed legal landscaping review, early on in appraisal of new market entry opportunities. This assessment should involve meaningful consultation with external stakeholders to the maximum extent possible, within the necessary constraints imposed by the legitimate considerations of commercial confidentiality.
Seek to include robust provisions on privacy and freedom of expression in all new operating license agreements, tabling the company's policies and commitments in this regard as a non-negotiable starting-point for discussions.

13.2

When considering exiting a market (country), take ramifications for rights-holders duly into account. Among the factors that should enter into the determination of the appropriate action when considering market exit is TeliaSoneras leverage over the entity concerned, whether opportunities to increase that leverage exist, the severity of the human rights impacts at stake, and whether exiting the market would have adverse human rights consequences.

High

14 RESPONSIBLE SUPPLY CHAIN MANAGEMENT

14.1

Continue ongoing activities to systematically assess human rights risks in the supply chain.

Medium

14.2

Together with the Joint Audit Cooperation (JAC), take a human rights risk-based approach to segmenting the supplier base for prioritized audits, and follow up with corrective action plans and capability-building as needed.
Continue with ongoing activities to design and carry out training with procurement staff on new Supplier Code scope and requirements, including on human rights.
Continue ongoing activities to review base of supplier contracts to advance universal inclusion of updated Supplier Code, including those contracts in which Group Sourcing is not involved and to suppliers other than those that are significant and approved.
Review contractual basis for expecting human rights and working conditions performance of suppliers for coverage of relevant human rights aspects, including those contracts in which Group Sourcing is not involved and to suppliers other than those that are significant and approved.
Review and report externally on implementation in terms of percentage of contracts to which Supplier Code applies on an ongoing annual basis, taking account of the above two categories of contract.

Medium


15 JOINT INDUSTRY ACTION

15.1

Continue to engage in joint industry action, through the Industry Dialogue and any other appropriate forum, to advance respect for human rights more broadly in the ICT and Telco sector.

High

Seek to advance human rights through joint industry action, including:
Continued efforts in collective (industry) standard-setting, building upon the Industry Dialogue's Telco principles on privacy and freedom of expression
Independent verification of company human rights performance
Aggregate public reporting channels
Industry-level grievance mechanisms (or Telco and Human Rights Ombudsman).
Training program development and dissemination
Sharing approaches, experiences, tools, lessons learned and effective practices on pushing back on government interception and service limitation requests, as well as on operating licenses and their negotiation (consider, in this context, opportunities to learn from host-government agreement (HGA) agreement-making in other industries). This could culminate, for example, in an Industry Dialogue Standard Approach to Host Government Interaction for Telecommunications Operators, or similar such outcome documents.
Collective issue-specific actions on right-to-privacy, freedom-of-expression, the protection of children online, and anti-corruption.
Country-level multistakeholder and/or industry processes to advance respect for human rights by the ICT/Telco sector at the national level.


ANNEX 1 DETAILED FINDINGS


ANNEX 1.1 USER PRIVACY FINDINGS
BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: Global / Group-wide; TeliaSonera Intl. Carrier; Eurasia (Georgia); Baltic (Estonia, Lithuania)

FINDINGS:
Incomplete fulfillment of group Privacy Policy commitments:
Data collection and storage not thoroughly governed.
Group Policies lack information on, and fail to link to, supporting guidelines / instructions / directions / procedures on responding to requests for disclosure or monitoring of user data
No systematic assessment of risk of contributing adversely to privacy violations
Lack of appropriate processes across all data collection and storage systems
Inadequate staff knowledge across the group regarding protection levels/requirements and the locations where personal data are stored/processed in company systems.
No global overview of where personal data is stored and processed
Inadequate audit trails: Data protection and user privacy audits not conducted on a continuous basis; lack of appropriate documentation
Failure to prioritize data-purging in targeted systems, citing costs of compliance: "It is expensive to correct, since we are dealing with decades of negligence"; "We clearly fail with regard of cleansing/deletion of old personal data"
Violations of privacy legislation have reportedly occurred (e.g. in Sweden)
Some markets relying on local custom rather than group requirements/expectations for handling government requests to interfere with user privacy.
No systems in place to track internal compliance with group principles on privacy.
Weak controls for protection of personal user data in the face of disclosure/monitoring.
User data disclosure/monitoring challenges are very common in some TSIC jurisdictions such as Russia and Ukraine.
Weak controls, implying the company is at risk of contributing to actions that may interfere with the privacy of customers and users in an unlawful, disproportionate or unjustifiable way.
Failure to interpret legitimate requests narrowly and/or to enforce them for the shortest possible duration (Estonia)
Withdrawal of user consent not properly administered (Lithuania)
Personal data may be used for purposes other than those for which it is collected (Lithuania)


Nordics (Denmark, Finland):
Failure to comply with legal requirements on deletion of old user data (e.g. Denmark)
Default privacy settings not set for maximum protection or users not adequately warned of implications of changing privacy settings (Finland)
Failure to delete old user data (Finland)
Role-based access missing in mission critical system: Everyone (i.e. all staff) can access personal user data (Norway)
Corrective actions not always taken following data security audits (Norway)
Failure to interpret legitimate requests narrowly and/or to enforce them for the shortest possible duration (Sweden)
Weak controls for how personal data is collected, stored and used (Sweden)


ANNEX 1.2 - FREEDOM OF EXPRESSION FINDINGS


BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: FINDINGS

Global / group-wide:
No systematic assessment of risks related to contributing adversely to freedom of expression violations.
Lack of clear internal guidance on appropriate handling of service restriction requests: Staff unaware of any guidelines/instructions regarding appropriate process to follow in response to government service restriction requests
Inconsistent company approach across markets/regions/business units: Staff report deviations between Nordic and Eurasia companies concerning both company routines and local legal requirements.
Legitimate decision-making process and procedure for external judicial review/appeal not in place for all markets.
Some markets relying on local rather than group guidelines/practices for handling government requests to interfere with freedom of expression.
No systems in place to track internal compliance with group principles on freedom of expression.

TeliaSonera Intl. Carrier:
Serious lack of formal processes for evaluating, handling and responding appropriately to service limit requests, including:
Lack of a clear policy commitment to international standards on freedom of expression.
Lack of a clear decision-making process, based on necessity, justification, legality, legitimacy and proportionality of requests, including a standard procedure for seeking external judicial review of requests that appear to be in conflict with international human rights standards
Lack of clear guidelines/instructions on implementing this process

Eurasia (Georgia):
Lack of a clear decision-making process, based on necessity, justification, legality, legitimacy and proportionality of requests, including a standard procedure for seeking external judicial review or appeal to government for requests that appear to be in conflict with international human rights standards
Lack of clear guidelines/instructions on implementing this process
Government or national security services prohibiting Eurasian operators from disclosing that a resource has been shut down upon their orders.

Baltics (Lithuania):
Failure to seek judicial review when a service limit request conflicts with legal regulation or international human rights standards

Nordics (Sweden; Norway):
Lack of procedures on handling service limit requests and/or such procedures not set out clearly in company guidelines and/or instructions.
Failure to interpret legitimate service limit requests narrowly or to ensure that they are enforced for the shortest possible duration.
Absence of processes to seek judicial review or government appeal when requests appear to be incompatible with international standards.


ANNEX 1.3 ANTI-CORRUPTION FINDINGS


BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: FINDINGS

Global / Group-wide:
Two respondents report that corruption occurs systematically. One respondent reported that "We use gifts up to a certain extent in order to run the business."
Lack of a clear anti-corruption policy. Staff report that they are very unclear on the company's anti-corruption position.
Inadequate anti-corruption training; staff unaware of the existence of such training.
Lack of whistle-blowing channels and/or staff unaware of such channels as may exist.

Eurasia (Kazakhstan, Moldova, Nepal):
Corruption reportedly occurs systematically in this region. Respondents imply that MoldCell may be linked to corrupt practices (Moldova)
Weak anti-corruption controls (Kazakhstan, Nepal)
Not all staff pass current anti-corruption training (Moldova)

Baltics (Lithuania):
Weak anti-corruption controls (Lithuania)


ANNEX 1.4 PROTECTION OF CHILDREN ONLINE FINDINGS


BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: FINDINGS

Global / group-wide:
No systematic assessment of, or systems to address, risks related to contributing adversely to violation of children's rights online
Staff not provided with adequate information regarding scope and definition of child sexual abuse content
Staff not informed of appropriate action to take when TS is notified of alleged illegal child sexual abuse content
Customers are not provided with an easy way of reporting alleged child sexual abuse content.
Default settings may easily allow children to access premium services for which additional payment is necessary, e.g. IPTV service provides also adult content by default
Failure to implement content distribution measures to avoid the exposure of children to inappropriate advertising in any form of online media.

TeliaSonera Intl. Carrier:
Weak controls and a lack of clear formal definition (and internal communication) of child sexual abuse content
Lack of processes related to restricting access to alleged child sexual abuse material, particularly as regards Russia and Ukraine.

Eurasia (Georgia, Moldova):
Default settings may allow children to access premium services for which additional payment is necessary (Georgia)
No procedure in place to be followed in case of a government request to restrict a telecommunication service in order to fight child sexual abuse content (Moldova)

Baltics (Lithuania):
Decisions on illegality of content are not referred to competent judicial authorities

Nordics (Sweden):
Failure to take active steps to empower children and parents to evaluate, minimize and report risks and engage online in a secure, safe and responsible manner.


ANNEX 1.5 EMPLOYMENT PRACTICES FINDINGS


BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: FINDINGS

TeliaSonera Intl. Carrier:
Frequent overtime, and no actions to compensate for heavy workload.
Weak controls on living wage
Poor workplace health and safety controls

Baltics (Estonia):
Frequent overtime and no actions to compensate for heavy workload.

Nepal:
Personal security risk for staff relating to dangerous transportation and fear of reprisals from disgruntled members of the public.
No official procedure for reporting and/or follow-up on H&S incidents

ANNEX 1.6 RESPONSIBLE SUPPLY CHAIN MANAGEMENT FINDINGS


BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: FINDINGS

Global / Group-wide:
Few, if any, audits are being performed, with the consequence that level of supplier compliance with contractual requirements on human rights / working conditions is very hard to ascertain
No training is provided to TeliaSonera staff regarding supplier compliance with international human rights or working conditions standards.

TeliaSonera Intl. Carrier:
Lack of risk assessment of suppliers in Russia and Ukraine.

Baltics (Estonia):
Lack of TeliaSonera control/leverage vis-a-vis suppliers on the issue of adequate conditions of hours, wages and leave.

ANNEX 1.7 PRODUCT STEWARDSHIP FINDINGS


BUSINESS UNIT / MARKET & COUNTRIES IN FOCUS: FINDINGS

Global / Group-wide:
TeliaSonera unable to guarantee product safety (e.g. in terms of harmful substances, or flame-retardant products), because we have so many suppliers. We should be more active in terms of product stewardship.


ANNEX 2 METHODOLOGY
This assessment was conducted through a combination of desk research, internal stakeholder participation in kick-off workshops, internal stakeholder participation in a scenario-based self-assessment questionnaire survey, which also included human rights compliance assessment indicators, as well as follow-up internal validation interviews with selected in-company subject matter experts (SMEs). The principal tool utilized in this human rights impact assessment was a scenarios-based human rights self-assessment questionnaire. The tool presented respondents with a set of impact scenarios, and associated compliance questions in 7 thematic areas:
Freedom of Expression
Privacy
Protection of Children
Employment Practices
Community Impact
Supply Chain Management

In total some 300 TeliaSonera personnel were invited to respond to this questionnaire, and 202 responses were received (68% response rate). For efficiency, sections of this questionnaire were sent to targeted respondent groups based on their subject matter expertise, functional role, and geographic location:
Questionnaire sections: A - Privacy; B - Freedom of Expression; C - Child Protection; Due Diligence (for areas A, B & C); D - Employment Practices; E - Community Impact; F - Supply Chain Management

Participant Groups: 1. Legal; 2. Security; 3. TeliaSonera International Carrier (TSIC); 4. Customer Relations; 5. Products and Services Development; 6. Employee Representative; 7. IT / Infrastructure / Deployment; 8. Marketing; 9. Communications; 10. Content; 11. M&A; 12. Human Resources; 13. Sourcing; 14. Risk Management; 15. Business Customers (including Public Customers); 16. Business Services (BUS)

[Table: questionnaire sub-sections sent to each participant group, by section]


ASSESSMENT PROCESS

The assessment was conducted in 3 phases: Scoping, Assessment and Reporting. The assessment was undertaken as a self-assessment exercise, facilitated by the DIHR. The results of the self-assessment were then compiled and analyzed by DIHR, which also undertook a selective review of some of the key group-level controls in place in the company. DIHR established an initial set of priorities and recommendations which were subsequently validated in interviews with internal company subject matter experts.

HUMAN RIGHTS IMPACT SIGNIFICANCE RATING

During the assessment, potential adverse human rights impacts were assessed according to three factors using the following methodology:

Human Rights Impact Assessment factors and Assessment Scale

Probability: The probability that the impact will occur in the next 12 months
1: Unlikely
2: Likely to happen in a few isolated cases
3: Likely to happen in several cases
4: Likely to happen on a routine basis

Severity: The severity of the human rights consequences of the impact for the affected individuals
1. Low: Infringement of civil liberties such as non-discrimination, expression, free movement, public participation etc.
2. Medium: Loss of basic needs such as food, water, housing, property, incomes, education etc.
3. High: Bodily harm such as loss of life, physical assault, detention, adverse health effects, malnutrition etc.

Scale: Number of individuals potentially affected by the impact
1: less than 100 persons
2: 100-500 persons
3: 500-5000 persons
4: More than 5.000 persons

Based on the above assessment factors, the potential impacts have been rated according to the following methodology:

Low (Assessment score: 3-5): Unlikely impacts with low severity and limited scale
Medium (Assessment score: 6-8): Impacts that may happen in isolated or several cases with medium severity consequences for a moderate or high number of people.
High (Assessment score: 9-10): Impacts that are likely to happen in several cases or on a routine basis with medium or high severity consequences for a large number of people.


ASSESSMENT TEAM

Assessment Team, Danish Institute for Human Rights

Dylan Tromp, Advisor, Human Rights and Business Department
Allan Lerberg Jørgensen, Department Director, Human Rights and Business Department
Rikke Frank Jørgensen, Senior Advisor, Research Department

Assessment Coordinators, TeliaSonera

Patrik Hiselius, Senior Advisor, Group Sustainability
Eija Pitkänen, Head of Group Sustainability

Validation Interview Participants, TeliaSonera

Mats Salomonsson - Vice President, Head of Markets and Business Developments
Annette von Koskull - Responsible within BA Eurasia for CRM, Trademark, supplier relations
Erik Hallberg - Head of TSIC
Peter Lav - TSIC Legal
Edward Granillo, Internal Audit
Aliya Kishkimbayeva, Director, Legal Department, KCell
Ingrid Stenmark - Legal Affairs Regulatory
Olli Tuohimaa - Head of Legal Affairs BA Eurasia
Roman Pinhasov - Director, Legal & Administration Department, UCell
Vahid Mursaliyev - General Counselor to CEO, Department Director, Legal Affairs & General Administration, Azercell
Håkan Kvarnström - Head, Corporate Security

