By Amy Dufrane
Managing and tracking paperwork was a labor-intensive undertaking in the 1800s. During the 1890s, the introduction of filing cabinets was a godsend to HR departments. This simple piece of office furniture transformed HR’s ability to store, organize and retrieve employee data. Whether sorted alphabetically or color-coded to maximize searchability, employee files securely locked away in vertical cabinets became the information storage backbone of every HR professional.
Yet, standards for tracking paper-based recordkeeping were very cumbersome. With a growing list of rules guiding privacy, records management and retention of paper copies – and “gotchas” such as having to maintain I-9 forms separately from employee files and retain them for three years after the date of hire – more HR departments moved off paper to electronic documentation, albeit some using Excel and others moving to more sophisticated data platforms and applications.
With every twist and turn in the data storage and retrieval journey came a new HR technology partner in need of data access. Requests from third-party providers such as payroll and background screening vendors were routinely honored in order to deliver new and improved HR services to employees, the employer and others in the data lifecycle. The number of participants in this data pipeline can grow to the point that no one individual can readily identify all of the players, leaving considerable opportunity for something to go wrong.
The problem is that data privacy was not built into the core of managing employee data. That little lock and key on the original file cabinet was rudimentary protection, at best. Fast-forward to the complex world in which HR operates today and one longs for a lock and key. The heightened sensitivity to what we’ve willingly opted into and where our data is going means HR has taken on another role: Data Steward. Let’s examine what that means:
Map Your Data: With so many data sources – your HR portal, your career site, and your employee hotline to name a few – do you know what they are, where they go and how to protect this sensitive data? The big picture needs to be well documented and categorized by sensitivity. While all employee data is confidential, operational information such as facility or department does not carry the same risk potential as social security numbers. Much in the manner that a manufacturer maps its supply chain, you should know where employee data originates and with whom it is being shared.
Sharing Requires Caring: Speaking of sharing, some HR departments do not fully realize how their own employee data is being used without the express permission of their employees. In return for the promise of easy access to employment and income verification services, employers share payroll information with the big-three consumer credit bureaus. This circular model of allowing credit agencies to collect, organize and potentially re-sell employees’ income information and work history supports the ability of a lender, property manager or pre-employment screener to verify an employee’s background or creditworthiness. Except the employee rarely understands their data is being shared in this manner, meaning the quest for efficiency compromises trust. HR needs to know where employee data goes and why.
Always Be Learning: A commitment to continuous learning will pay dividends. Has your vendor earned a SOC 2 report? Is your employee data encrypted? Have your vendors embraced sophisticated blockchain-like data management? Do your employees understand what they should or should not do with their private information? In all fairness, most of us aren’t literate about the latest in cybersecurity and new ways of managing data privacy, but HR leaders need to understand how to protect the organization. As the department that maintains a company’s most personal information, HR shoulders the responsibility for encouraging a culture in which everyone understands the risks.
Avoiding Data Debacles: Compliance requirements and governance mandates abound. Speaking of acronyms, start by knowing what’s behind FCRA (Fair Credit Reporting Act), the FACT Act (Fair and Accurate Credit Transactions Act), and GDPR (General Data Protection Regulation). The last one is specific to the European Union and governs the processing, handling and storage of personal data. Since the U.S. doesn’t have a federal data privacy protection agency, following GDPR as a best practice can help avert pitfalls. GDPR states that employees must be aware of who the “controller” of their data is; the purpose of processing their personal data; any changes to their contract, company handbook or data handling; who the third parties are that receive their data; and that an employee has the right to revoke consent at any time.
Speaking of ever-changing vendor contracts, it’s wise to have a stated employee data privacy policy that can be shared with third-party providers. Communicate clearly to vendors that they are accountable and that your organization takes its responsibility for data privacy seriously. The privacy policy should include its purpose; HR data steward contact details; a description of the data and the legal basis on which it’s being shared; how long it needs to be stored; and, most importantly, the rights that employees have in relation to their data, including the right to revoke consent or request corrections.
Strong corporate cultures and solid employer brands are built on trust. The organizations behind them have invested heavily in protecting their reputations and preventing risks. These are the leaders in the private and public sectors that value their employees and shield them from bad actors and bad business decisions. The stakes are too high not to know who holds your employee data, what they hold and where it is going.