Do You Know Where Your Employees' Data Is? 2

Human resources execs, pressed to control costs and increase efficiency, are increasingly turning to third-party services providers to process sensitive data. Everything from payroll data to performance reviews to health care and personal background information is being handled in remote data centers maintained by third parties.

Any company considering using these services needs to take extra precautions. "Be mindful of geography," says Jonathan Novich, founder of The Code Works, a staffing and recruitment consultant. "Know where the data is coming from, where it's being held. And consult a lawyer."

As more software-as-a-service vendors process very sensitive employee or company data, that's where security and geography become concerns. The attention SaaS providers pay to these details varies, contends Scott Blackmer, founding partner of InfoLawGroup, an information law specialist in Salt Lake City. "It's not always clear how they're going to provide security, who handles data, where they handle it, who handles breaches, and how they handle them," Blackmer says. "Those are things that can get a company into trouble."

SaaS providers say privacy and security are some of their key assets. SuccessFactors, for instance, says it has layers of security covering data access, handling, and storage. The protections were enough to persuade a multinational giant with 2 million employees worldwide to sign up recently.

Figuring out where data's being stored and processed is particularly important for customers of SaaS and other types of cloud computing such as infrastructure as a service, where a provider rents out capacity that can be anywhere in its network of data centers.

"Some cloud providers say they can store data anywhere around the world, and they won't tell you where it is," says Robert Gellman, a privacy and information policy consultant. "That's a real problem. What if they decide to store data in a country where you have a dispute or in a country where the government wants to look into your data?"

The European Union has stricter privacy laws than the United States. And that can complicate matters. If personal information your company holds winds up being processed on servers located in an EU country, you could end up subject to those stricter laws.

The United States has various federal rules governing different types of data, such as HIPAA requirements for personal health information. Of the states, California and Massachusetts have the strictest rules, requiring notification for certain types of breaches, which has led to questions about jurisdiction. A coalition of tech companies including Google and Microsoft, along with the American Civil Liberties Union, are pushing for a federal law to standardize U.S. privacy rules.

SuccessFactors has ways to deal with the various security and privacy concerns, says Tom Fisher, VP of cloud computing at the company. For example, data can be directed to specific servers to help clients keep track of where it's processed, he says.

Attorney Gellman says it's important to get those types of assurances when choosing to outsource HR functions that deal with sensitive data. "There are answers to all of these questions," he says. "You just have to work through them."

Irwin Speizer is a contributing editor at Workforce Management, an HR management magazine and Web site.

Write to us at [email protected].