Should You Be Sharing That?
Managing employee information on a global scale when data privacy rules differ by country
by Richard Hunt, Managing Director Turnkey Consulting (www.turnkeyconsulting.com)
May 14 2012 - Improvements in systems technology mean that global HR systems are possible for any size organisation. This opens up many possibilities from a shared service perspective and for many global companies there are attractive cost savings to be made from the consolidation of their IT operations in this way. However, along with the possibilities that today's global HR IT systems present there are also many challenges that need to be met. Not least is the requirement that the data stored on each employee is accessible to those that need it to perform their roles, whilst remaining private to everyone else and compliant with relevant data privacy legislation.
Differences in data privacy requirements
This complexity is further compounded by the fact that data privacy legislation, and therefore the company's data privacy obligations, differs by country. For example, in Canada and the US it is illegal to hold information on an employee's gender, ethnicity and date of birth, with Canadian law also regarding nationality and family details as sensitive. However, this information may be recorded automatically in other geographical regions and therefore be available across the organisation.
In Europe, the EU Directive (95/46/EC) on the protection of personal data is interpreted differently across each member nation. Germany, for example, requires details on who is accessing information about an employee, and why. Other data that is treated differently depending on country includes trade union status, religion and medical records.
So what steps can an organisation take if it wishes to capitalise on the huge opportunities that globalisation of its HR IT systems represents, whilst respecting its data privacy obligations?
First and foremost it is important to understand that, like all legislation, data privacy legislation must be interpreted. There are a few hard and fast rules where it is clear that certain employee data should not be stored, but there are a lot more examples where the organisation must determine its own interpretation of what compliance actually means. For example an employee's social or national insurance number (SIN/NI) would probably be considered sensitive data by most HR departments. However, an organisation might make this information accessible to all HR professionals globally or a much more restricted subset of local HR professionals, depending upon its interpretation of the relevant data privacy legislation.
Interpreting legislation is not an easy task and this is not helped by the complexity of today's HR systems. Whilst flexible security concepts will enable data restrictions to be implemented in many of these systems it is often difficult to establish which data records should be restricted. The data referred to in relevant legislation will rarely map directly to data held in the system. For example legislation exists to protect information held on employee disabilities but this information might be recorded in the HR system against a field called 'challenge' within the employee's 'personal data' record. The implementation of this requirement might be further complicated by the fact that the system only allows restriction of 'personal data' and not the individual fields within this record, therefore requiring customisation to configure an appropriate restriction.
Achieving and maintaining compliance
The practicalities of achieving and maintaining compliance are an important consideration. For a large organisation managing thousands of employee records globally there are significant challenges associated with restricting data appropriately. Having overcome these initial obstacles, monitoring and maintaining compliance can also be a costly exercise. It is sometimes more practical to take pragmatic steps towards achieving compliance rather than attempting to restrict every data element through access controls.
Data privacy awareness and responsibility
One such step would be the implementation of a data privacy awareness programme. By making its employees aware of their responsibilities when handling sensitive HR data, the company is able to pass on some of the responsibility for compliance to the individuals handling the data. By focusing on what needs to be communicated to staff around data privacy awareness, the company is also forced to form an internal view on what compliance actually means, an important step towards compliance.
General awareness can be combined with access controls using an acceptable use policy/end-user license agreement to confirm an employee's acceptance of these responsibilities before they enter the HR system. Such a control can be strengthened further through the wording of the message itself, the recording of an employee's acceptance, regular re-validation (e.g. every six months) and/or the removal of access where an employee does not confirm acceptance. This effectively forms a 'contract for data use' between the employee and the organisation, which is a very useful tool should a breach need to be defended in court.
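As an added illustration (not code from the article or from Turnkey Consulting), the following Python sketch combines the two controls discussed above: a field-level filter applied on top of a system that can only restrict the whole 'personal data' record, and an acceptance gate that denies access unless the user has confirmed the data-use agreement within the last six months, recording who looked at a record and why. The concept-to-field mapping, the per-country restriction sets and the 183-day period are constructed assumptions for the example, not a statement of any country's law.

```python
from datetime import date, timedelta

# Constructed mapping from the concept named in legislation to the field the HR
# system actually stores it in (the article's example: disability lives in 'challenge').
CONCEPT_TO_FIELD = {
    "disability": "challenge",
    "gender": "gender",
    "ethnicity": "ethnicity",
    "date_of_birth": "dob",
    "nationality": "nationality",
}

# Constructed, illustrative policy: concepts that must not be exposed for employees
# in each country. Hypothetical values chosen for the demo, not legal advice.
RESTRICTED_BY_COUNTRY = {
    "US": {"gender", "ethnicity", "date_of_birth"},
    "CA": {"gender", "ethnicity", "date_of_birth", "nationality"},
    "GB": {"disability"},
}

# Re-validation period for the acceptable use policy (roughly six months).
REVALIDATION_PERIOD = timedelta(days=183)


def filter_personal_data(record, employee_country):
    """Return a copy of a 'personal data' record with the restricted fields removed.

    This emulates field-level restriction when the system itself only offers
    record-level restriction, by mapping each restricted concept to its field name.
    """
    concepts = RESTRICTED_BY_COUNTRY.get(employee_country, set())
    restricted = {CONCEPT_TO_FIELD.get(c, c) for c in concepts}
    return {field: value for field, value in record.items() if field not in restricted}


def access_allowed(accepted_on, today):
    """Acceptance gate: deny if acceptance was never recorded or has lapsed."""
    if accepted_on is None:
        return False
    return today - accepted_on <= REVALIDATION_PERIOD


def view_personal_data(user, accepted_on, purpose, record, employee_country, today, audit_log):
    """Combined control: gate on acceptance, log who asked and why, then filter fields."""
    allowed = access_allowed(accepted_on, today)
    audit_log.append({"user": user, "purpose": purpose, "date": today, "allowed": allowed})
    if not allowed:
        return None  # access removed until the user re-confirms the agreement
    return filter_personal_data(record, employee_country)
```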
Balancing business need with legal obligation
Whilst a global HR system might present compliance challenges, it is important to evaluate the risk of non-compliance together with the huge opportunities that an HR shared service represents. Global enterprises must balance their business need to hold and access employee data with their legal obligation to comply with local regulations on privacy. That is not an easy task.
Since Richard Hunt wrote this article, systems technology has continued to improve and information sharing has become increasingly important. At the same time, the rise in publicity about international hacking of IT systems has drawn attention to the major significance of data and systems protection while preserving employee accessibility. This is where IT security services come in handy. Small businesses in particular need to be conscious of the need to safeguard their systems from external attack while allowing safe and convenient access to employees, whether on-premise or remotely located.
Turnkey Consulting is a specialist GRC and IT security company that combines business consulting with technical implementation to deliver information security solutions in support of SAP systems. It focuses on the delivery of specialised services in support of SAP solutions in the areas of security, governance, risk and compliance (GRC) as well as the SAP NetWeaver Portal. It works with service providers, audit partners and SAP clients directly to provide the security controls and solutions that safeguard and complement a company's implementation of an SAP system. Clients include systems integrators, blue chip organisations and a number of government agencies.
The company was established in 2004 by Richard Hunt, and now has offices in the UK, Australia, Germany and the US.
Richard has worked in the IT security industry for more than a decade. His career began as a security consultant at PricewaterhouseCoopers (PwC), where he specialised in SAP security implementations and IT security reviews. Throughout his career, he has been involved in more than 50 IT security projects working across a range of business processes and industry sectors in the UK, Asia and Australasia. These include the implementation of SAP HCM on a global basis for some of the world's largest companies.
Follow Turnkey Consulting on Twitter at @TurnkeySAPGRC