Employee Data Privacy
Presenters: Carla G. Gracen, CPP, Ceridian
Deborah King, SPHR, Evolution Management, Inc.
More than ever, employers need to be concerned with data privacy,
security, and confidentiality within their organizations, Carla
Gracen, CPP, of Ceridian, said as she spoke to participants at the
American Payroll Association Congress’ workshop, “Employee
Data Privacy.”
Employee data privacy makes good business sense, and there are
a lot of benefits to having a good privacy strategy, she said.
Some Definitions
With identity theft on the rise, employers need to take extra precautions
to protect individuals from misuse of information--this is the definition
of “privacy,” Gracen noted. Gracen then defined “security”
as the protection of data from unauthorized access and alteration,
while “confidentiality” protects companies from misuse
of sensitive information. Personally identifiable information is
“any information relating to a person who can be identified
directly or indirectly by reference to an ID number or to one or
more factors of physical, physiological, mental, economic, cultural,
or social identity.”
The identity theft issue is all about data protection, Gracen said.
While several laws have been passed that take into account privacy
issues and require employers to take certain steps to ensure data
is protected, developing a well-formed privacy strategy plan will
reap benefits for an employer. These benefits include increased
customer trust and confidence, improved employee morale and trust,
and limited exposure to penalties and risk of data loss, Gracen
said. Being well organized and consistent with data is a key to
developing a successful privacy strategy, she noted. Look at how
payroll records can be accessed, and throw out payroll registers
that no longer need to be retained, she added.
Security Standard Keys
In creating and implementing data privacy policies, employers must
first identify people (or positions) who should be authorized to
access the information, as well as those who need to be restricted,
said Deborah King, SPHR, of Evolution Management.
Appropriate authentication measures should be set up to enable the
system to know a person attempting to access data is who they say
they are, King said. Develop an audit trail for data management
that allows monitoring of who accessed the secure data, when the
access occurred, and what, if anything, changed in the data while
it was being accessed, she said.
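The audit trail described above, sketched as an added example that is not from the workshop or its presenters: each read or change of a payroll record, allowed or denied, is logged with who, when, and which fields changed. The role names, field names, masking rule and sample record are assumptions, and the user is assumed to be authenticated before these calls.

```python
import contextlib
import copy
from datetime import datetime, timezone

# Assumed policy: which positions may read or change payroll records.
POLICY = {"payroll_admin": {"read", "write"}, "hr_generalist": {"read"}}
MASKED_FIELDS = {"bank_account", "ssn"}  # never copied in clear into the trail

def _mask(field, value):
    """Keep only the last 4 characters of sensitive values in audit entries."""
    hide = field in MASKED_FIELDS and value is not None
    return "***" + str(value)[-4:] if hide else value

class AuditedPayrollStore:
    """Every access attempt, allowed or denied, appends one entry to self.trail."""
    def __init__(self, records, clock=None):
        self._records = copy.deepcopy(records)
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.trail = []

    def _authorize(self, user, role, action, emp_id, changes):
        allowed = action in POLICY.get(role, set())
        self.trail.append({"when": self._clock(), "who": user, "role": role,
                           "action": action, "record": emp_id, "allowed": allowed,
                           "changes": changes if allowed else {}})
        if not allowed:
            raise PermissionError(f"{role} may not {action} payroll records")

    def read(self, user, role, emp_id):
        self._authorize(user, role, "read", emp_id, {})
        return dict(self._records[emp_id])

    def update(self, user, role, emp_id, **fields):
        rec = self._records[emp_id]
        # Record only fields whose value differs: "what, if anything, changed".
        changes = {f: {"old": _mask(f, rec.get(f)), "new": _mask(f, v)}
                   for f, v in fields.items() if rec.get(f) != v}
        self._authorize(user, role, "write", emp_id, changes)
        rec.update(fields)
        return changes

def demo():
    rec = {"E100": {"bank_account": "000123456789", "rate": 25.0}}  # constructed sample
    store = AuditedPayrollStore(rec, clock=lambda: "2024-01-01T00:00:00+00:00")
    store.read("jlee", "hr_generalist", "E100")
    with contextlib.suppress(PermissionError):  # denied attempt is still logged
        store.update("jlee", "hr_generalist", "E100", rate=40.0)
    store.update("mroy", "payroll_admin", "E100", bank_account="000999998888")
    return store.trail
```

Calling `demo()` returns three entries; the second records the denied change attempt, and the third shows the bank account change with both values masked.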
King also noted that a person’s “signature” can
be as simple as the name automatically inserted into the “from”
line on an e-mail, a click in a box indicating acceptance of licensing
terms, or a command to close an already-reviewed e-mail. Digital
signatures include a unique piece of data about someone that is
contained in a digital certificate which allows the computer to
verify the person authorizing a transaction, said King.
Maturing technologies are allowing for the development of more
security features in data management systems, including using a
public-private key system, King said. For an electronic timesheet
process, for example, an employee accesses the “public”
employer system to fill a timesheet out. To submit the timesheet,
the employee needs a “private” key to verify that the
person identified by the timesheet is the same person who submitted
it. Biometrics and “smart” cards are helping to create
a more secure transactional system, King said.
On the organizational end, King said employers should be identifying
someone who can fill the role of “Chief Privacy Officer.”
This is a position that, by need, is growing in corporations. The
role of the CPO is to communicate and educate about privacy issues,
participate in audits and reviews, and provide leadership should
any kind of crisis develop.
Payroll’s role, according to King, is to maintain security
access to sensitive data, assist in creating new applications and
policy compliance procedures, and stay up-to-date on security trends.
Workshop participants were then asked to identify privacy issues
related to a case study example of a company looking to implement
plans to create electronic processes for employees.
By Michael Baer, CPP