Our advice: Confidentiality is a two-way street. Just as employees and contractors are obligated to maintain the nondisclosure of confidential company information, likewise the company is obligated to maintain the nondisclosure of personally identifiable information about its employees, such as earnings, home address, marital status, and Social Security number. The key phrase here is "personally identifiable," since nonpersonally identifiable information may be disclosed in accordance with corporate and government policies for statistical and other aggregate purposes.
- Reduce the need for duplicating computer facilities in each office or plant location.
- Reduce the number of times a particular piece of data must be entered into a database and ensure greater accuracy and transparency.
- Reduce the number of software programs and database types that the company must support.
- Speed up and secure the delivery of data to managers and employees.
- Permit more uniform and better enforced information policies, procedures, training, controls, and security across a corporate group, facilitating compliance with, for example, data-protection codes and information-security policies.
- Develop a code of conduct for HR professionals which specifies what data is considered confidential and the circumstances under which it may be released. This HR code of conduct must be aligned with the company code of conduct, which embodies respect and honor in the workplace.
- Workplace monitoring of employees, their actions, and their communications is permissible for several reasons, including prevention of crime, theft, discrimination and sexual harassment, compliance with laws, and maintenance of productivity. However, any and all data collected must be used in accordance with the principles set forth in the code of conduct. In addition, workplace monitoring also may in itself be used to ensure employee compliance with the code of conduct.
- Recruitment and selection of personnel and contractors may require background checks and pre-employment screening procedures. It's critical that these be conducted in accordance with the appropriate regulations to ensure that excessive personal information is neither requested nor divulged by either party.
- Use of business contact data is generally acceptable except when used to harass employees or to provide critical corporate information to competitors. Care must be taken to ensure that employee listings don't get in the hands of recruiters from competitor companies.
- Minimizing cross-border data transfer to ensure that sensitive employee information doesn't end up in the wrong hands in a country where the laws regarding data and information protection are significantly different or lax compared with the host country.
- Explicit consent of the employee is required in circumstances where the employment contract, regulation, or laws don't specifically permit the sharing of employment data. For example, this applies in the context of health care.
- Sensitive data may be collected and used in accordance with regulation, but must be secured at all times from unauthorized parties. Typical security mechanisms include physical security, hardware security, and software security, all designed to work together to ensure the protection of company data on enterprise-resource-management systems.
The protection of HR information isn't significantly different from the protection of other types of company information, albeit some of the regulations around the specific types of data differ. The respect for such information must be ingrained in a company's fiber, strategies must be put in place to ensure that confidentiality is maintained, and tactics must be enforced to ensure compliance with these strategies.
-- Sanjay Anand
Wes Melling, TAC Expert, has more than 40 years of IT experience with a focus on enterprise IT strategies. He is founder and principal of Value Chain Advisors, a consulting boutique specializing in manufacturing supply-chain optimization. He has been a corporate CIO, a Gartner analyst, and a product strategist at increasingly senior levels.
Bill Spernow, TAC Expert, has more than 20 years of experience successfully mitigating internal and external events that threaten IT infrastructures. A Certified Information Systems Security Professional, he specializes in developing and implementing policies, procedures, security controls, and security-awareness training programs that not only work, but make sense to all involved. He also is a guest instructor for the Federal Law Enforcement Training Center and the University of New Haven.
Sanjay Anand, TAC Expert, has more than 20 years of IT and business-process-management experience as a strategic adviser, certified consultant, speaker, and published author. More than 100 personal clients, large and small, have included companies from a diverse array of industries and geographies, from academia to technology and from Asia to the Americas. Often referred to as a "consultant's consultant" for training and mentoring skills. He is author of books "The Sarbanes-Oxley Guide for Finance and Information Technology Professionals" and "J.D. Edwards OneWorld: A Beginner's Guide."