Earlier this month, US media giant Time Warner told 600,000 current and former employees that their personal information had gone missing. In the UK, under the Data Protection Act (DPA) 1998, employers are ultimately responsible for the use – and possible abuse – of data. An organisation could be fined if the wrong person was allowed to see the wrong part of an employee’s record.
However, employers are not alone in having to keep on top of data protection issues. Technology providers are also working to respond to legislation that affects their systems – in the UK and around the world.
“It is a very complex task to keep track of every piece of legislation – especially on a global scale,” says Sudhir Jha, manager for enterprise application services at Bangalore-based Wipro Technologies. “The laws are reinterpreted almost on a monthly basis. A company may have multiple data systems covering their people and if one of those systems is not robust, their entire data is at risk,” he says.
Jan Paxton, senior product strategy manager at Northgate HR, says: “Last year, there was some concern about absence data because people were not sure what they were allowed to hold and what they were allowed to see.”
It is acceptable for someone from payroll to see that an employee has been off sick, but not acceptable for them to see why. On the other hand, a health professional accessing the same system may be entitled to see the reason for absence.
To overcome this problem, an HR system holds an employee’s record in one place but grants different people within the organisation access to different parts of it. At the same time, the system must be able to give an employee access to the personal data held about them. That right of subject access comes from the Data Protection Act itself (section 7), not from the Freedom of Information Act, which governs requests for information held by public authorities.
Even before a system starts processing or managing data, there are issues at the point of data entry. “Employees need to give consent to their data being held and managed by these systems,” says Vince Smallhorne, head of workforce excellence at Oracle UK. “We offer a self-service function for employees to enter and update their own information, and at that point, organisations can input their own text to explain why they need that data and how it will be used.”
As Smallhorne notes, this process is not simply required for full-time employees, but for trainees, potential applicants submitting their CVs, temporary workers and contractors – everyone who has contact with the organisation.
“One of the other issues is the expiry of data,” says Mike Richards, managing director of HR software provider Snowdrop Systems. “Some data – such as disciplinary information – may have a time limit on how long you should hold it. However, from a data management point of view, you don’t want to create a system that automatically deletes information.”
Instead, the Snowdrop system uses a programme that checks for data which might require deletion and flags it up for HR managers. “It’s easy to overlook this side of data management and be in breach of the legislation,” he says.
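Both mechanisms described above, the payroll/health split over a single absence record and a retention check that flags rather than deletes, come down to enforcement logic inside the HR system. The following is an added illustration, not code from Northgate, Snowdrop, Oracle or any other product mentioned in this article. The role names, field names, retention periods and the sample record are all constructed for the example and are not legal advice on what may be held or for how long.

```python
"""Field-level access to one HR record, subject access, and retention flagging.

Added example: role and field names, retention periods and the sample
record are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Which fields of the employee record each role may see (deny by default).
# Payroll sees that an absence happened; only health staff see why.
FIELD_VISIBILITY = {
    "payroll":      {"name", "absence_start", "absence_end", "absence_days"},
    "line_manager": {"name", "absence_start", "absence_end", "absence_days"},
    "health":       {"name", "absence_start", "absence_end", "absence_days",
                     "absence_reason"},
    "hr":           {"name", "absence_start", "absence_end", "absence_days",
                     "disciplinary"},
}

# Constructed retention periods: after this long, a field should be put in
# front of an HR manager for a decision, never deleted automatically.
RETENTION = {
    "disciplinary":   timedelta(days=365),
    "absence_reason": timedelta(days=3 * 365),
}


@dataclass
class EmployeeRecord:
    employee_id: str
    data: dict         # field name -> value, held once for the whole record
    recorded_on: dict  # field name -> date the value was entered


def view(record: EmployeeRecord, role: str) -> dict:
    """Return only the fields the role is allowed to see.

    Disallowed fields are absent from the result rather than blanked, so a
    downstream report cannot reveal that a hidden field exists.
    """
    allowed = FIELD_VISIBILITY.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    return {k: v for k, v in record.data.items() if k in allowed}


def subject_access(record: EmployeeRecord, requester_id: str) -> dict:
    """Subject access: the data subject gets everything held about them."""
    if requester_id != record.employee_id:
        raise PermissionError("subject access is only for the data subject")
    return dict(record.data)


def retention_review(record: EmployeeRecord, today: date) -> list:
    """Flag fields past their retention period (or with no entry date).

    The function only reports; it does not remove anything, matching the
    'flag it up for HR managers' approach rather than automatic deletion.
    """
    flagged = []
    for fname, period in RETENTION.items():
        if fname not in record.data:
            continue
        when = record.recorded_on.get(fname)
        if when is None or today - when > period:
            flagged.append(fname)
    return flagged


# Constructed sample record for the example.
SAMPLE = EmployeeRecord(
    employee_id="E1001",
    data={
        "name": "A. Example",
        "absence_start": date(2005, 3, 1),
        "absence_end": date(2005, 3, 4),
        "absence_days": 3,
        "absence_reason": "back injury",
        "disciplinary": "verbal warning, lateness",
    },
    recorded_on={
        "absence_reason": date(2005, 3, 4),
        "disciplinary": date(2004, 1, 15),
    },
)
REVIEW_DATE = date(2005, 6, 1)
EARLY_REVIEW_DATE = date(2004, 6, 1)

if __name__ == "__main__":
    print("payroll sees :", sorted(view(SAMPLE, "payroll")))
    print("health sees  :", sorted(view(SAMPLE, "health")))
    print("subject sees :", sorted(subject_access(SAMPLE, "E1001")))
    print("to review    :", retention_review(SAMPLE, REVIEW_DATE))
```

The two design choices worth copying are that an unknown role is refused rather than given a default set of fields, and that a field with no recorded entry date is flagged for review as well, since the system cannot show it is still within its retention period.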
Richards confirms that technology providers do reflect changes in the law in their systems, either by installing updates or advising customers of potential risks. “It can be difficult with existing customers,” he admits. “We need to be particularly vigilant as there can be multiple versions of the same product sold over a number of years – and you can’t force buyers to upgrade.” In these cases, Snowdrop will warn users of a likely ‘administration burden’ connected with legislative changes.
Falling foul of the DPA can bring a fine of up to £5,000 on summary conviction (and an unlimited fine on conviction on indictment), which if applied to each individual breach across a badly managed set of employee records could prove expensive.
However, according to the Information Commissioner’s Office, this outcome is extremely unlikely. “A reported breach would be investigated and, if proved, the commissioner would issue an enforcement notice requesting the practice to be changed,” says a spokesperson. “That is generally enough to put things right, as people don’t deliberately breach the Act – usually, they don’t realise they are doing it.”
To date it has not been necessary to levy any financial penalty on an organisation. The commissioner’s office is run on the belief that the DPA is not intended to catch people out but to improve the way information is handled. As long as organisations show a commitment to that improvement, there is no reason to take further action.
– Data Protection Code Part 4: employee health records www.personneltoday.com/27599.article
– Keep yourself protected www.personneltoday.com/26859.article
– Be safe, be secure www.personneltoday.com/26766.article
– Information Commissioner’s Office www.informationcommissioner.gov.uk