Who’s Watching? What CHROs Need To Know About Employee Privacy

Technological and social changes, from the rise of biometrics to the demise of Roe vs. Wade, have put CHROs in the hot seat on employee privacy matters: ‘Trust is the number one issue in companies today.’

Companies generate an enormous amount of data simply by operating. When corporate data is discussed, often it is in the context of consumer data, either what the company learns about its customers and their behaviors, or the data the customers provide as part of interacting with the company. However, one of the biggest troves of data in any company is the information it gathers about its employees. Depending on the company, this could include everything from social security numbers or medical records to location data and biometrics.

Much of this data, such as social security numbers and medical information, is typically considered private by law, and employees have a reasonable expectation that companies will protect it. Few executives would argue otherwise. However, employees may feel that other types of data—their movements during the day, their digital communications, pay, mental health and biometrics, for instance—should be private as well. Indeed, the world of employee data is enormous. “Think about your email communication, your Slack messaging, the amount of time you’re logged on or not, the speed with which you’re typing, all of that generates data about employees and workflows,” says Brian Kropp, distinguished VP, research at Gartner. “And there’s been an enormous uptick in the amount of monitoring of employee activity because of working from home, hybrid work and remote work.”

Although there are often legal privacy requirements that companies must adhere to, such regulations can be a patchwork between jurisdictions, and not everything that employees might think is protected actually is. This leaves Chief Human Resources Officers in a tough position. They must not only guarantee that companies do the legal minimum to maintain employee privacy, but also go beyond those requirements to ensure that they have the trust of their workforces. Guaranteeing employee privacy requires not just protecting confidential information from cyber criminals who want to steal it, but also preventing accidental leaks and communicating clearly to prevent misunderstandings. Nothing will erode trust and productivity more than data collection practices that are seen by employees as overly invasive.

Privacy Protections

Before CHROs can devise effective and clear policies around employee privacy, they need to understand what kinds of information may be included. Sensitive employee information “normally falls into one of two categories: personally identifiable information (PII) and protected health information (PHI),” says Austin Berglas, global head of professional services at BlueVoyant. PII typically includes information that can be used to identify an individual, and the specific data in this category “depends on the jurisdiction and regulation.” In general, PII is data such as social security numbers, driver’s license numbers, financial accounts, email and password combinations, and birth dates. PHI is similar, but is specific to healthcare: “anything in a medical record that can be used to identify a person.”

While all of this data is sensitive and may be enticing to cybercriminals, “when obtained alone, individual types of this data are not sufficient” to conduct identity theft or fraud schemes, Berglas adds.

Yet the world of data is constantly expanding, and this means that the bounds of what types of information are or are not considered private are constantly changing as well. No longer is it just the basics such as names, contact information, government ID numbers, demographic data or medical information. Now, notes Art Mazor, principal and global leader of Deloitte’s human capital practice, it may include genetic information and biometrics—such as fingerprints or eye scans—used for security access.

Companies, and HR departments in particular, must evaluate not just their own security procedures, but also their “providers of hardware and software and related technologies which enable the capture of biometric data,” Mazor says. Complicating the matter further, this data and the privacy expectations that accompany it isn’t limited just to employees, but also extends to gig workers, contractors and consultants. In the era of work-from-home, boundaries are blurred and private devices interface with otherwise secure corporate networks.

Protecting sensitive employee data requires technical solutions to stop cybercriminals, policy implementation and workforce training, communications with the workforce about what is and is not private, legal review and the evaluation of risks posed by vendors and partners. Consequently, it often requires the involvement of IT, CIOs/CISOs, communications, legal and the CHRO.

This web of leadership and expertise can present an organizational and leadership problem at some companies. “This is a shared responsibility where IT is hoping HR is thinking about it, and HR is hoping IT is thinking about it,” says Dave Loeser, former senior vice president of worldwide human resources at Unisys and founder of HR tech consultancy FutureSolve. “It’s a cross-function, and oftentimes, unfortunately, shared responsibility is no responsibility.” Companies that lack clear leadership on employee privacy often wind up in a scenario where IT generates training on common issues such as phishing, which is then deployed by HR. Too often, these trainings cover “very basic stuff that aren’t the threats of the future,” according to Loeser, leaving companies exposed to more sophisticated attacks.

Instead, CHROs should not only ensure that employees receive training on basic computer security but also seek to instill a “common culture of security throughout the organization,” Berglas says. In other words, if leadership treats data security as important, employees are more likely to as well. Data security best practices should be a part of onboarding, Berglas adds, and “HR and security need to work together, integrating security updates into weekly or monthly human resources bulletins and coordinating mandatory security training.”

It can be easy to focus on cybercriminals, but more often than not, breaches in privacy occur because of simple human error. “This could be as simple as someone accidentally sending an email with an attachment that was the wrong attachment,” Mazor says. CHROs need to ensure there are technical protections in place, such as scanning information and alerting people when they’re about to send something sensitive, and “having a response team in place…and a special number or access portal that allows a worker to report immediately that something has been breached.”
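The “scan and alert before sending” control described above can be illustrated with a small outbound-message check. The code below is an added example written for this page, not code from the article or from any vendor it quotes; the message fields, the internal domain name and the sample content are all constructed, and a real deployment would extract text from attachments rather than receive it as plain strings.

```python
"""Pre-send check for sensitive employee data in outbound mail.

Added illustration for this page (constructed example, not the article's or
any vendor's code). It flags SSN-like numbers and health-related keywords in
the subject, body and attachment text, masks the matched value so the alert
itself does not leak it, and recommends holding the message when findings
coincide with an external recipient.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# US SSN-shaped pattern (###-##-####); a real DLP rule set would be broader.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Keywords suggesting protected health information; constructed list.
PHI_KEYWORDS = ("diagnosis", "medical record", "prescription")


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    # filename -> extracted text (assumption: extraction already happened)
    attachments: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    location: str   # "subject", "body" or "attachment:<name>"
    kind: str       # "ssn" or "phi_keyword"
    sample: str     # masked value or the keyword itself


def mask(value: str) -> str:
    """Keep only the last four characters so the alert is safe to log."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(location: str, text: str) -> List[Finding]:
    findings = [Finding(location, "ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    lowered = text.lower()
    findings += [Finding(location, "phi_keyword", kw) for kw in PHI_KEYWORDS if kw in lowered]
    return findings


def external_recipients(msg: OutboundMessage, internal_domain: str) -> List[str]:
    suffix = "@" + internal_domain.lower()
    return [r for r in msg.recipients if not r.lower().endswith(suffix)]


def scan_message(msg: OutboundMessage, internal_domain: str) -> dict:
    """Return findings plus a decision: warn the sender on any finding,
    hold the message when a finding would leave the organization."""
    findings = scan_text("subject", msg.subject) + scan_text("body", msg.body)
    for name, content in msg.attachments.items():
        findings += scan_text(f"attachment:{name}", content)
    external = external_recipients(msg, internal_domain)
    return {
        "findings": findings,
        "external_recipients": external,
        "warn": bool(findings),
        "hold": bool(findings) and bool(external),
    }


# Constructed sample: the "wrong attachment" scenario from the article.
SAMPLE_MESSAGE = OutboundMessage(
    sender="hr@example-corp.test",
    recipients=["vendor@partner.test"],
    subject="Q3 headcount",
    body="Attached as discussed.",
    attachments={"payroll_export.csv": "name,ssn\nA. Example,000-00-0000\n"},
)

if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE, "example-corp.test")
    for f in result["findings"]:
        print(f"{f.location}: {f.kind} ({f.sample})")
    print("hold" if result["hold"] else "warn" if result["warn"] else "ok")
```

The decision is deliberately two-tiered: any hit warns the sender, which is the alert the article describes, while only an external recipient triggers a hold, so routine internal HR traffic is not blocked by its own payroll data.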

Rather than relying on trainings prepared by IT, CHROs must take the lead on protecting employee data. This means focusing on who has access to sensitive employee data and why. “The biggest threat to employee privacy is a lack of internal controls limiting employees’ access to sensitive information combined with unintentional weakness of those employees and end users,” Berglas explains. Frequently, employees themselves are inadvertently responsible for leaks or breaches, either because they are exploited by social engineering or because privileged data is accidentally shared when it shouldn’t be. According to Berglas, one way to mitigate this is to implement “least privilege,” which means “allowing access to only those employees whose job specifically requires it.”
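The least-privilege principle quoted above, applied to employee records, is shown below as an added example (not code from the article or from any firm it quotes). The roles, field names and the single employee record are constructed; the point is that every field is denied by default unless a role has been explicitly granted it, and that every read, allowed or not, lands in an audit log that HR and security can review together.

```python
"""Field-level least privilege over employee records.

Added illustration for this page (constructed example). Roles are granted
specific fields; anything not granted is denied, including for roles the
system has never heard of. Each access decision is recorded for audit.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Assumed role-to-field grants; role and field names are constructed.
ROLE_GRANTS: Dict[str, FrozenSet[str]] = {
    "manager": frozenset({"name", "title", "work_location"}),
    "payroll": frozenset({"name", "ssn", "bank_account", "salary"}),
    "benefits": frozenset({"name", "medical_record"}),
}

# Fields the article treats as PII/PHI; used for periodic access review.
SENSITIVE_FIELDS = frozenset({"ssn", "bank_account", "salary", "medical_record"})

# Constructed sample record with placeholder values.
EMPLOYEES: Dict[str, Dict[str, str]] = {
    "E100": {
        "name": "A. Example",
        "title": "Analyst",
        "work_location": "Remote",
        "ssn": "000-00-0000",
        "bank_account": "XXXX1234",
        "salary": "70000",
        "medical_record": "(placeholder)",
    },
}


@dataclass
class AuditEvent:
    actor: str
    role: str
    employee_id: str
    field_name: str
    allowed: bool


@dataclass
class EmployeeDirectory:
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def is_allowed(self, role: str, field_name: str) -> bool:
        # Default deny: an unknown role gets an empty grant set.
        return field_name in ROLE_GRANTS.get(role, frozenset())

    def read_field(self, actor: str, role: str, employee_id: str, field_name: str) -> str:
        allowed = self.is_allowed(role, field_name)
        self.audit_log.append(AuditEvent(actor, role, employee_id, field_name, allowed))
        if not allowed:
            raise PermissionError(f"role '{role}' may not read '{field_name}'")
        return self.records[employee_id][field_name]

    def view(self, actor: str, role: str, employee_id: str) -> Dict[str, str]:
        """Return only the fields this role is granted; others are omitted."""
        record = self.records[employee_id]
        return {
            name: self.read_field(actor, role, employee_id, name)
            for name in record
            if self.is_allowed(role, name)
        }

    def denied_attempts(self) -> List[AuditEvent]:
        return [e for e in self.audit_log if not e.allowed]


def sensitive_grants() -> Dict[str, List[str]]:
    """Which roles can reach PII/PHI fields; input to a periodic access review."""
    return {
        role: sorted(fields & SENSITIVE_FIELDS)
        for role, fields in ROLE_GRANTS.items()
        if fields & SENSITIVE_FIELDS
    }


if __name__ == "__main__":
    directory = EmployeeDirectory(EMPLOYEES)
    print(directory.view("mo", "manager", "E100"))
    try:
        directory.read_field("mo", "manager", "E100", "ssn")
    except PermissionError as err:
        print("denied:", err)
    print(sensitive_grants())
```

`sensitive_grants()` exists so that the grant table itself can be reviewed on a schedule: least privilege decays as roles accumulate fields, and a list of who can currently reach PII and PHI is the starting point for pruning it.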

The cloud allows companies to store enormous amounts of data, and many services “provide privacy enhancing tools and security and protections that an organization historically would have needed to have created internally,” Mazor says. Using those services effectively, and regularly auditing the risks posed by these third parties, can improve data security, but it is important that CHROs understand that “just because we’re leveraging cybersecurity providers doesn’t mean that we, as the employer, relinquish our accountabilities for data protection.” While using third-party providers can provide financial security, it does not insulate the company from serious reputational risks.

A Matter of Trust

Not only is protecting private employee data the right thing to do, it makes good sense for the business as well. Failure to protect private employee data “can not only result in a lawsuit or a significant fine imposed by a regulatory body,” Berglas notes. “It can cause great damage to the brand and reputation of your organization.”

Maintaining employee privacy is vital for maintaining trust within an organization. Take the mental health and wellness programs many companies began offering during the pandemic. Companies “must be mindful that if they’re offering up these kinds of programs, there needs to be confidentiality and protections for individual workers to both trust that these are programs they can take advantage of and to be able to take advantage of them knowing that their information will be secure,” Mazor says. Organizations not only bear the burden of accountability for protecting private information, but they must also clearly “convey what’s private and what’s not.” If employees believe some particular type of data is private or protected and it’s not, its exposure or use can rapidly erode trust.

One issue is that companies are collecting an enormous amount of data about their employees but “in all honesty, they’re not sure what to do with it and what it means,” Kropp says. The risk is that this causes employees to—legitimately—start asking questions: “If you don’t know what you’re using this data for, but you’re still collecting it, why are you collecting it?” Gathering data without a specific, pre-defined purpose can become a trap, putting organizations in possession of private information they may not even realize they have, or leading to bad decision-making motivated by that information.

Kropp cites one company that had to lay off employees. The executives were debating whom to retain and whom to let go, and an executive suggested looking at employee data “to see how many hours people are working by tracking how long they’re logged on,” Kropp explains. “His argument was, well, it’s incredibly objective. If you’re working less, you should be fired. We should keep the people that are working more.” However, the problem was that the amount of time people were logged on did not track how productive they were.

When companies collect data about employees, they need to make sure they know why they are doing it, and that their workforce knows the data is being collected, why it is being collected and what it will be used for. “Trust is the number one issue in companies today,” says Loeser. “If there’s no trust at the top, then I can assure you there’s very little trust lower down in the organization. Trust comes from being authentic, caring and listening.” This responsibility ultimately resides within the HR function and with the CHRO.

The Roe vs. Wade Privacy Fallout

It’s easy to say that CHROs should ensure that employees trust companies to protect their private data, but in practice, this can be incredibly complicated. In some cases, information that the company and employees both might believe should be private isn’t protected. “I’m certainly not advocating one side or the other as to what companies should do, but really what they should be aware of,” Kropp says. When the Supreme Court struck down Roe vs. Wade, many major corporations announced policies to pay for transportation for employees to travel to states where abortions are still legal. “It’s not clear if any of that data and information that’s associated with paying for that transportation will actually be kept private.”

While at face value travel for an abortion may seem like something that would be considered a private medical matter, that may not be the case in all jurisdictions. Consider an employee who has to pay to travel for an abortion and is then reimbursed by their company. “That’s clearly not covered through healthcare because it’s a different expense,” says Kropp.

Even if it’s done through a health insurance provider, abortion travel may not be covered by HIPAA in states where the procedure has been made illegal because “HIPAA does not apply if a law is being broken.” Complicating matters further still, employees will need to notify their managers about why they need to miss work and travel out of state. This discussion becomes particularly fraught in a scenario where the manager is anti-abortion. “For a CHRO or an HR department, you want to be careful about not creating expectations of privacy where it doesn’t exist or can’t be guaranteed,” Kropp cautions.

Face the Changes

Technology, society and the needs of companies and employees alike are constantly changing. Frequently, policies lag behind these changes. One way to succeed on employee privacy is by making it a core consideration for the HR function. This means working more closely with other functions like IT, but it also means that CHROs need to actively prioritize and lead on privacy issues. And CHROs need to understand what data is being collected and why. “Legitimate business questions are not just what the CEO or the senior leadership team think are legitimate business questions. The average employee has to say that’s a legitimate business question” as well, says Kropp. Getting this right may be hard, but it’s fundamental to building a culture of trust and safety.
