The Business Execution Blog

August 28th, 2006

Is Your Employee Data Safe?

Frank

A Note: this post was written by a guest writer, and does not necessarily represent my opinion. That said, I think it’s important to host a variety of thoughts and perspectives on the blog and thus, I give you the following article written by Frank Lynn, Proposal Manager at SuccessFactors. As always, please feel free to comment.

Imagine this nightmare – You leave your house in the morning juggling your keys, your coffee and your cell phone as you set off for work where you are the Director of HR at a growing, global organization. As you approach your car you notice your windshield is smashed to pieces and you realize instantly that your laptop is gone, along with a spreadsheet you created last week containing payroll information on your 1,500 employees.

Many companies understand the risk associated with sensitive customer data, but they don’t realize that an employee data breach could be just as serious. In today’s post-HIPAA, post-Sarbanes-Oxley environment, implementing controls to safeguard information such as financial statements and medical records is top of mind. CIOs and Risk Management professionals are under a lot of stress. All it takes is one lost or stolen laptop to put an entire organization at risk – and generate a barrage of negative publicity (e.g., the recent Dept. of Veterans Affairs mishap that exposed 26 million patient health records).

The European Union led the way in protecting employee data privacy with its 1995 directive regarding the collection and use of employee data, which included giving employees the right to access and correct data concerning themselves. This means EU residents can check their personnel file for errors the way you’d check your credit report. The EU also restricts transfers of personal data to countries that do not ensure “an adequate level of protection.” Many EU nations impose strict fines and penalties in the event of an employee data breach.

Canada has followed suit with the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires companies in certain sectors, such as banking and aviation, to have a legitimate purpose for collecting, using and disclosing employees’ data records.

In response to foreign data privacy laws, the US Department of Commerce created the Safe Harbor Certification process. Safe Harbor Certification consists of an annual self-certification in which companies commit to abide by seven principles of data security. By adhering to a single, universally accepted data privacy standard, a company no longer has to navigate the legalese of each foreign law on its own.

This issue is upon us and it is here to stay. Make sure your internal systems and processes are safe, your data is restricted appropriately and your application vendors can live up to the highest security standards.

For more information about data privacy laws, take a look at these sites:
http://www.export.gov/safeharbor/index.html
http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp

This entry was posted on Monday, August 28th, 2006 at 4:29 pm and is filed under Strategic HR.

5 Responses to “Is Your Employee Data Safe?”

  1. Jason Gilmore Says:

    Max,

    After reading your quite intriguing article, I couldn’t help but notice your emphasis on the European Union action in 1995.

    “directives regarding collection and use of employee data; which included giving employees rights to access and correct data concerning themselves.”

    Now with this statement, it says it allows “employees rights to access and correct data concerning themselves”. Now with that, what is to stop them from viewing or changing another co-worker’s data?
    Or maybe we will look beyond that and consider maybe a Higher-up, such as a Supervisor, or Management that has company access to these files. What is to keep true Privacy in the workplace?

    Truly Human Resources would be an unreliable source for keeping records, or allowing personnel to check their own status and change, because Humanity is always flawed.

    I fully agree with the statement to take the appropriate measures to safeguard your employees.

  2. Frank Says:

    Jason,

    You wrote: “Truly Human Resources would be an unreliable source for keeping records, or allowing personnel to check their own status and change, because Humanity is always flawed.”

    You’re absolutely right. Humanity is always flawed. Which is precisely the argument for letting employees check their own personnel files. Much like a credit report can be flawed by showing credit cards you don’t have, or showing loans that you’ve paid off, your personnel record might contain inaccuracies, whether they be clerical oversights or caused by the malicious acts of others. You can’t fix what you don’t know.

    As we move further into the digital age where personnel information no longer exists in hard copy files in a file cabinet warehouse, but rather as digital information on servers accessed by a computer interface, safeguarding employee data becomes a strategic responsibility shared by Human Resources and IT.

    While companies place a high importance on safeguarding the sensitive data of their customers, I’d bet we will begin to see more of a movement to safeguard employee data as well.

  3. Shane Twomey Says:

    Jason,

    I am an HR Consultant based in Ireland and have lived with the EU directive in a variety of HR roles. Staff cannot view any information that will identify another employee (or even an external person). Equally, staff have to first show that the information is incorrect. However, they do not have the right to correct it themselves (although they have the right of appeal to an external Data Commissioner).

    This Directive goes further than employers, however. It extends to Banks, the Public Sector (such as the Revenue Authorities) and any organisation that holds information on an individual. If we take the trouble, we can always ensure that information is accurate and up to date.

  4. AUBREY MODIMAKWANE Says:

    I want to know what is the talent pipeline of HR department in the faculty of management sciences

  5. manager Says:

    this is interesting for me too:
    “i want to know what is the talent pipeline of HR department in the faculty of management sciences”
