Skip to Content

***Note that the content below has already appeared in my personal blog; I am adding it here as I’ve often seen questions raised on the topic***

Ever since I have been working with HRIS in the context of global companies, I’ve been collecting notes on how the HR data, sensitive and private as it is, can be protected. I’ve decided to publish this blog, but here goes the DISCLAIMER: these notes are of an informative and general nature, and share my personal ramblings and thoughts on the matter. It should not be construed as an attempt to offer or render legal opinion or engage in the practice of law. Please consult the advice of a licensed professional experienced if you require it. 

What is what?

Data privacy in general is a question many IT professionals are wondering about, to the point that the 28th of January has been appointed “Data Privacy Day“. The day has been chosen to remember the signing of the EU agreements in …. ; the day is meant to raise awareness about data privacy rights, and is “celebrated” in the US, Canada and all the countries of the EU (27 at the time of writing).


One of the modern-age most compelling frauds includes one form or another of identity theft (identity cloning, financial ID theft, medical ID theft); most have seen first-hand phishing attempts received by mail and e-mail, and are careful in shredding personal documents rather than just throwing them on the recycling pile. As HR professionals, working with HR information, we are aware of the sensitivity of the data entrusted upon us by our company; and as employees, we expect that our information will be appropriately protected and remain private. 

Governments have produced laws and guidelines, and since 1981, groups of countries have entered agreements to decide how data (and in particular, HR data) can be shared across borders.

Plenty of information is available, often fairly indigestible and written in “legalese”. Several terms appear to be used in alternance, are they really synonyms? Not quite.

  • Data integrity addresses the concern that data should be correct and complete for the use we want to make. As a simple example, if the address held about your employee is not updated, correspondence will fail to reach him/her, and consequently data is trash.
  • Data security is focused in keeping information safe, seeking protection from access by unauthorized entities. The idea is to avoid hacking and intruders; both to prevent theft of ideas or valuable information and to protect the integrity of the data (as above) against corruption (either accidental or willful).
  • Data privacy is often confused with data security, but actually spans a wider area. Its concern is to ensure legal compliance with the multiple international regulations controlling and protecting the individuals’ rights to keep their data safe and private; it isn’t merely protecting against external intrusions, but supervising the way HR data is shared internationally, where it is stored, how it is accessed. It means providing adherence to data privacy guidelines and regulations, all around the world where your organization is active.

As an individual, my concern is to keep my data secure – I make sure my passwords are up to the task (by the way, here is a great post on Password Security), that my firewall protects my home computers, that my antivirus is up to date. As a corporation, or as an individual representing a corporation, I must gain an understanding of what my responsibility entails and extend my concern to data privacy.

The recent NSA scandal has made painfully obvious how unaware we are of who is looking at the information we share; in NSA case we are only talking about metadata, but the fact remain that the same can be done with other data types and/or systems.

Is this also true if working for a company is based and/or incorporated in the US? Yes, of course! Living in a more and more global world, our companies are involved in the global market and our employees are global citizens.  Information is easier to access from anywhere, and can be moved across borders without the data owner even realizing it, nor knowing who is accessing it. If your company has operations in more than one country, you are immediately concerned by Data Privacy International regulations. You need to keep an eye out to know what are the requirements, how can you ensure compliance, and how it evolves.

Laws

Lets start with the European Data Protection Regulation (EDPR), released on the 25 Jan 2012. The EDPR regulates the processing and movement of personal data within, to and from the European Union. Still, keep in mind that EDPR only sets the standard accepted by all 27 member states, while single states often require additional local compliance obligations.

I’d like to go through the meaning of this regulation in steps.

  • Personal data or “Personally Identifiable Information” (PII) is defined as all information relating to an identified or identifiable natural person. Any information that distinguishes two individuals can be used for identification – so it isn’t just about names and date of birth, social security and credit cards, but is a much more extensive set of data that in combination can provide identification.
  • EDPR defines how it is acceptable to move personal data out of the European Economic Area (EEA: EU plus Iceland, Lichtenstein and Norway), and is pretty restrictive. In fact, all movements are prohibited UNLESS specific conditions are met.
  • When we talk about moving data out of the EEA, it doesn’t apply only to European companies’ data, but all personal data referring to employees of European subsidiaries from corporations headquartered in other geographies must also comply. This has an immediate impact on a company designing global HRIS.
  • Personal data movement is permitted to a set of countries that the European Commission has recognized as offering adequate protection for the data: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. It is important to note that the US are not included in this list.
  • US and EU companies requiring to share data across the borders can adopt a Safe Harbor process to streamline the compliance. Safe Harbor is undersigned by a specific company and must be re-certified on a yearly basis. It is based on the following 7 principles:
    • Notice – right of being informed: employees must know what data is collected and stored by the company, and made aware of how it is used and disclosed.
    • Choice In case information is to be shared onward to third parties, it must be clearly explained to the employee and an opt-out option is to be made available.
    • Onward Transfer – In addition with Notice and Choice, transfers of data to third parties may only occur to other organizations follows Safe Harbor.
    • Security – Reasonable efforts must be made to prevent disclosure, loss or alteration of collected information.
    • Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
    • Access – Reasonable access to the stored information is to be provided, both to the EU subsidiary and to the individual. The means of such access aren’t specified (paper vs. Self-Service, for instance).
    • Enforcement – Commitment to cooperate with authorities to ensure investigation and resolution of complaints.

For more information on the 7 principles and on how Safe Harbor applies to HR, export.gov has a good FAQ.

  • The Safe Harbor sign-off is the solution in case of EU to US (and back) data transfers; so in these terms it is NOT SUFFICIENT to allow global companies to consolidate data globally.
  • In the case of a multinational corporation, the geographical extension require the adoption of Binding Corporate Rules, covering the steps taken to ensure compliance with “adequate protection”. To put it simply, a BCR document is an internal, company-wide privacy policy, drafted to meet specific business needs relative to the operation of the company. Drafted by the corporation, it is subject to approval by authority; not all EU countries require such an approval, but many do. (ex. GE approach here or BP here).

Please share your notes and comments on the subject, and thank you in advance for pointing out missed or incorrect details! It is a work in progress.

To report this post you need to login first.

3 Comments

You must be Logged on to comment or reply to a post.

  1. Sven Ringling

    Hi Chiara,

    Thank you for your insightful and helpful “ramblings”!

    There is only one point I’d like to comment on: the emphasis on HR data being particularly sensitive. Of course it is sensitive, but the notion you often hear that it’s the most sensitive of all data is just not true. I’d like to see HR pros climb off that throne.

    I remember an HRD of a bank talking about how HR data is more sensitive than anything else and I only said “Oh, thanks for letting me know that the security of my current account data is considered second priority here – I shal switch banks tomorrow”.

    Yes, the law in most countries protects personal data in particilar, but customer data can also fall into this category.

    And then, how about a little thought experiment: “someone calls the CEO of an engineering company, claiming to have 3 CDs with all the company’s HR data incl pay, customer data incl volunes, prices and terms, and technical designs of their products resoectively. He’d publish one of them online now, but the CEO could choose which.” – how confident are you, yout CEO would not go for the HR CD to be published as the lesser of 3 evils?

    I don’t want to take anything away from anybody’s effort in HR data security ( after all, HR authorisations is one of my specialisations, so I would cut my own revenue 😉 ).

    However, HR pros are often seen as out of touch or arrogant, when taking this stance. It just adds a bit to the notion that HR doesn’t realy understand the real business – and unnecessarily so.

    (0) 
    1. Chiara Bersano Post author

      Great point, Sven.

      I focus on HR simply because that is what I do… but indeed, I believe that the type of data that each company and its leaders will protect most would be whatever is the “differentiators” – think recipes for a food/drink company, or code for an IT group, or – algorithms for Google.

      The specific bank account data you mention is not technically HR, but somewhat fits in it – as it is PII data, no?

      Perhaps the reason governments are trying to protect data is because “differentiating data” will be protected by corporations for the obvious reasons.

      In my mind, there is no arrogance really – but sadly, often us HR folks are seen as such.

      (0) 
      1. Sven Ringling

        Hi Chiara,

        I count myself as HR – or HRIS as well and I’m not suggesting there’s more arrogance than anywhere else.
        My (possibly biased) observation is that many HR pros seem to believe their data is more important thus adding to the far too common perception that “HR doesn’t get Business”. That’s what I find sad, as HR functions are mostly struggling to sell themselves as a strategic business partner.

        I absolutely agree with your view that legislation is (and needs to) force organisations to look after personal data (be it in an HR system or a transaction banking system), whilst companies will not need much encouragement to protect the data that brings them their competitive edge in the market, like recipes etc.

        (0) 

Leave a Reply