Managing employee information on a global scale when data privacy rules differ by country

Improvements in systems technology mean that global HR systems are possible for any size organisation. This opens up many possibilities from a shared service perspective and for many global companies there are attractive cost savings to be made from the consolidation of their IT operations in this way. However, along with the possibilities that today’s global HR IT systems present there are also many challenges that need to be met.  Not least is the requirement that the data stored on each employee is accessible to those that need it to perform their roles, whilst remaining private to everyone else and compliant with relevant data privacy legislation.

Differences in data privacy requirements

This complexity is further compounded by the fact that data privacy legislation, and therefore the company’s data privacy obligations, differs by country.  For example, in Canada and the US it is illegal to hold information on an employee’s gender, ethnicity and date of birth, with Canadian law also regarding nationality and family details as sensitive.  However, this information may be recorded automatically in other geographical regions and therefore be available across the organisation.

In Europe, the EU Directive (95/46/EC) on the protection of personal data is interpreted differently across each member nation.  Germany, for example, requires details on who is accessing information about an employee, and why.  Other data that is treated differently depending on country includes trade union status, religion and medical records.

So what steps can an organisation take if it wishes to capitalise on the huge opportunities that globalisation of their HR IT systems represent whilst respecting their data privacy obligations?

Interpreting legislation

First and foremost it is important to understand that, like all legislation, data privacy legislation must be interpreted. There are a few hard and fast rules where it is clear that certain employee data should not be stored, but there are a lot more examples where the organisation must determine its own interpretation of what compliance actually means. For example an employee’s social or national insurance number (SIN/NI) would probably be considered sensitive data by most HR departments. However, an organisation might make this information accessible to all HR professionals globally or a much more restricted subset of local HR professionals, depending upon its interpretation of the relevant data privacy legislation.

Interpreting legislation is not an easy task and this is not helped by the complexity of today’s HR systems. Whilst flexible security concepts will enable data restrictions to be implemented in many of these systems it is often difficult to establish which data records should be restricted. The data referred to in relevant legislation will rarely map directly to data held in the system. For example legislation exists to protect information held on employee disabilities but this information might be recorded in the HR system against a field called ‘challenge’ within the employee’s ‘personal data’ record. The implementation of this requirement might be further complicated by the fact that the system only allows restriction of ‘personal data’ and not the individual fields within this record, therefore requiring customisation to configure an appropriate restriction.

Achieving and maintaining compliance

The practicalities of achieving and maintaining compliance are an important consideration. For a large organisation managing thousands of employee records globally there are significant challenges associated with restricting data appropriately. Having overcome these initial obstacles, monitoring and maintaining compliance can also be a costly exercise. It is sometimes more practical to take pragmatic steps towards achieving compliance rather than attempting to restrict every data element through access controls.

Data privacy awareness and responsibility

One such step would be the implementation of a data privacy awareness programme. By making its employees aware of their responsibilities when handing sensitive HR data the company is able to pass on some of the responsibility for compliance to the individuals handling the data. By focusing on what needs to be communicated to staff around data privacy awareness the company is also forced to form an internal view on what compliance actually means, an important step towards compliance.

General awareness can be combined with access controls using an acceptable use policy/end-user license agreement to confirm an employee’s acceptance of these responsibilities before they enter the HR system. Such a control can be strengthened further through the wording of the message itself, the recording of an employee’s acceptance, regular re-validation (e.g. every six months) and/or the removal of access where an employee does not confirm acceptance. This effectively forms a ‘contract for data use’ between the employee and the organisation, which is a very useful tool should a breach need to be defended in court.

Balancing business need with legal obligation

Whilst a global HR system might present compliance challenges it is important to evaluate the risk of non-compliance together with huge opportunities that an HR shared service represents. Global enterprises must balance their business need to hold and access employee data with their legal obligation to comply with local regulations on privacy.  That is not an easy task.

By : Richard Hunt, Managing Director Turnkey Consulting – HRM Guide

—————————–

IHRP HR Management Training Seminars