Earlier this month, US media giant Time Warner told 600,000 current and former employees that their personal information had gone missing. In the UK, under the Data Protection Act (DPA) 1998, employers are ultimately responsible for the use - and possible abuse - of data. An organisation could be fined if the wrong person was allowed to see the wrong part of an employee's record.
However, employers are not alone in having to keep on top of data protection issues. Technology providers are also working to respond to legislation that affects their systems - in the UK and around the world.
"It is a very complex task to keep track of every piece of legislation - especially on a global scale," says Sudhir Jha, manager for enterprise application services at Bangalore-based Wipro Technologies. "The laws are reinterpreted almost on a monthly basis. A company may have multiple data systems covering their people and if one of those systems is not robust, their entire data is at risk," he says.
Jan Paxton, senior product strategy manager at Northgate HR, says: "Last year, there was some concern about absence data because people were not sure what they were allowed to hold and what they were allowed to see," she says.
It is acceptable for someone from payroll to see that an employee has been off sick, but not acceptable for them to see why. On the other hand, a health professional accessing the same system may be entitled to see the reason for absence.
To overcome this problem, an HR system holds an employee's record in one place, but allows access to different parts of that data to different people within the organisation. At the same time, under the Freedom of Information Act, the system must allow an employee to have complete access to all data held about them.
Even before a system starts processing or managing data, there are issues at the point of data entry. "Employees need to give consent to their data being held and managed by these systems," says Vince Smallhorne, head of workforce excellence at Oracle UK. "We offer a self-service function for employees to enter and update their own information, and at that point, organisations can input their own text to explain why they need that data and how it will be used."
As Smallhorne notes, this process is not simply required for full-time employees, but for trainees, potential applicants submitting their CVs, temporary workers and contractors - everyone who has contact wi