Technology hurts and helps privacy management

Earlier this year, someone walked into a University of California, Berkeley office and walked out with a laptop containing personal data about more than 98,000 people, including social security numbers. This theft highlights the need for simple and basic physical security; it also emphasizes a misplaced reliance on technology. Apparently, the university had instituted encryption technology. However, while they had scheduled the laptop for encryption, no one had yet encrypted the notebook’s hard drive at the time of the theft.

The privacy and security of personal information is highly dependent on the existence and enforcement of the business processes that are created to collect, use, retain, secure, and destroy it.

Most organizations will use a combination of manual and automated systems to manage personal information. The technology of those automated systems can be a great help — but it also creates potential security gaps and the accompanying need for HR processes to protect information.

HR professionals would prefer that human resource management systems (HRMS) be the tool that collects personal information, preferably through the system’s “self service” capabilities. Self-service — direct access by employees and managers to read and write data — has become a reality since most systems offer the relative ease of web-based access. Direct data-entry by the original source — the employee — is as good as it gets.

But while the HRMS is a focal point for employee information, employers require comprehensive security that takes into account all information systems and files — both electronic and paper copy. The security matrix constructed around all data is critical, particularly for personal information, and the major issue is the “need to know.”

Who has the need to know personal information, and why? Make no assumptions. Analyse each data element. Would reasonable people think that a specific person or role needs that personal information to get the job done? Does a supervisor need to know someone’s home address? What about birthdays?

Regardless of how data is collected, employers need to show that knowledgeable consent was received from the person whose information has been collected. How is this done? Ideally, the HRMS will have fields that document what’s needed:

•the personal information that is collected;

•the purpose for which the personal information is required, an indication that the individual has consented (and the date that was done);

•the date consent was withdrawn (if necessary); and

•the date and method of data destruction.

The HRMS needs to track the path of the data without actually storing the data itself. Are HR software vendors helping?

Although several vendors have stated that they “are working on it,” there are just two vendors which I am aware of that have taken positive action: HRWare and NOW Solutions (disclosure — both are clients of mine).

The other alternative is to acquire specialty, privacy management software. Of the few that are available, the best fit for HR and payroll is eQuest. That product is designed to allow the management of personal information.

The technological challenge

Just as technology can be a great help, it also represents the largest privacy challenge.

The complaint about administrative systems for many years has been that they may be great data buckets, but information that’s useful and can be acted upon has been difficult to obtain. That is changing. The reports generated by today’s systems need never be printed as hard copy; they can be displayed on a screen. But most end up on paper. Perhaps the most useful technology from a privacy perspective is a quality paper shredder.

The accepted definition of personal information comes from the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Personal information is “factual information, recorded or not about an identifiable individual.” Although each word in this definition deserves attention, let’s focus on those last two: “identifiable individual”. Who is an identifiable individual?

Clearly it includes someone who is named, but people can also be identified by position. If there is only one vice-president of marketing, then using that identifier is the same as using a name.

What else?

Data warehouses, executive dashboards, and reporting tools are getting increasingly sophisticated, with data from a number of sources being co-mingled and compared, often generating interesting and valuable information.

But what if an individual can be identified by combining the information of the two (or more) reports? The employee is an identifiable individual just as clearly as if the person were named.

Another challenge is that sharing and sending data is very easy today. E-mail, faxes, even instant messaging can transmit huge amounts of data in milliseconds. By themselves these methods are not secure unless specific measures are taken. But let’s not blame the computer; hard copy also has a way of wandering off into the wrong hands, and is usually more untraceable than its electronic cousins.

Data retention is also a major problem. PIPEDA and provincial privacy legislation all state that personal information should only be retained for as long as it is required for the purpose for which it was collected. That view, while politically laudable, suggests a degree of certainty that rarely exists in our organizations.

It assumes that every iteration of personal information is known, tracked, and managed — every electronic and hard copy, every backup and every notepad. And it assumes that the organization can somehow co-ordinate the data management of each piece of personal information. Even eQuest and similar systems struggle with that degree of complexity.

Not just technology

Today’s top security blunders, as identified by John McCormick in an April 4, 2005, Tech Republic article, revolve around technology, but are centered on human behaviour:

Security expertise: The complexity of technology suggests that technical staff are best equipped to make the rules, but physical security is just as important. Encrypting e-mail is a great idea, but leaving the printout on your desk compromises that. Every organization, regardless of size, needs to designate someone to be responsible for security — technical and physical.

Enforce policies: The best rules in the world won’t help if they aren’t followed. Electronic and physical security make the protection of personal information possible, but both demand rigour in their enforcement. What is the penalty in the organization for leaving personal information accessible?

Stay current: New viruses and scams arrive daily but many organizations don’t have the staff to manage the challenge. Unless you’ve carefully configured that firewall and maintained the antivirus software, you really haven’t done much of anything.

Hire smart: Respect for privacy does not mean that HR shouldn’t properly screen candidates. Background checks on criminal and financial history can weed out suspect job candidates who can be a security threat. More than 70 per cent of identity theft occurs in the workplace, so who gets hired is a big issue.

The security of personal information makes privacy possible, but only if organizations assess their information structures, create proper policies and procedures, and then enforce them. Technology can make the art of management far more precise, but it is not the panacea that is suggested.

Ian Turnbull is a director of the Canadian Privacy Institute and author of Privacy in the Workplace — The Employment Perspective. He can be contacted at (416) 410-3877 or at www.canadianprivacyinstitute.ca. He is also managing partner of Laird & Greer Management Consultants, which helps organizations assess, and if necessary, replace their HRMS. Laird & Greer’s contacts are (416) 618-0052 or www.lairdandgreer.com.




On Jan. 1, 2004, three new privacy laws, similar to existing laws in Quebec, came into effect: Canada’s federal privacy law, The Personal Information Protection and Electronic Documents Act (PIPEDA), as well as Alberta’s and British Columbia’s Personal Information Protection Acts (PIPA-Alberta and PIPA-BC, respectively).

For information on these acts, as well as other privacy issues, select “Advanced search,” enter category “Employment Law,” sub-category “Employee Privacy.”

Latest stories