As rules change, HR managers ask: Should employees have access to data on themselves?
By Kathryn Moody | HRDive
Now that you, a forward-thinking HR person, have begun the complicated dance of data analysis, storytelling and employee management, get ready for the next twist: employees having access to all of the data on themselves.
Employers worldwide are on a spectrum of data literacy, but soon, any organization with any sort of global presence will need to establish a data ethics program — and fast, if haven’t already. The European Union’s General Data Protection Regulation (GDPR) may set the pace for worldwide transformation of employee data management at almost every global company, and it’s only the first rule of its kind that promises to do so.
But while GDPR is the shiny new expectation, HR is by now quite familiar with the ever-shifting nature of data management.
Jewell Parkinson, head of human resources at SAP North America, has witnessed the transformation first hand, she told HR Dive.
“When HR was focused on transactional work, the prospect of assembling data was a herculean effort, especially data with a high degree of truth,” she said. But now she is leading an HR department that plays a key strategic role in a company that has been “heavily involved” in the GDPR regulations.
In today’s modern employee tracking ecosystem, HR is both people manager and data ethics steward; the two functions are now blended.
Global changes in regulation mean big shifts ahead
For starters, employers that are thinking about a data ethics management strategy should have been planning for the GDPR months ago — and U.S. employers are behind, Shon Ramey, general counsel at NAVEX Global, told HR Dive. Messages telling employers to prepare should have come out at least a year ago, he said, as any employer with employees in the EU will be affected by the new regulations.
“[GDPR] is impressive in its reach and incredible in its scope, especially when we start talking about employee data,” he added.
The GDPR will go into effect on May 25, 2018, and includes broad-reaching data protection requirements that will impact all businesses and individuals in the EU. A more specific FAQ on its reach can be found here.
At its core, the requirements of GDPR adoption mirrors the questions data-forward employers must consider for all of their employee data, including:
- Do employees give consent for collection of their data and how much consent is required?
- How is the data collected? Through which means?
- What is being done with the data? How is it shared?
- How is the data disposed of?
It’s common, for example, to put notes in an employee file to establish a succession plan, Didier Elzinga, CEO and founder of Culture Amp, told HR Dive, but it isn’t common to share that information with an employee. GDPR “wants you to do that,” he said. It aims to give employees access to data on themselves.
This particular issue is still developing stateside, but it’s jumpstarting a “fundamental shift” in how employers think about the data they have on employees and when they can see it.
“Why shouldn’t they see what’s in the HRIS on them?” Elzinga said, reflecting on this trend.
The expansion of data privacy rights in the GDPR demands an additional heavy lift from employers, Ramey said, including proactively informing employees about how long data is kept, how it will be used and where it goes. Throw in the complexities of how the cloud manages computing by bouncing data between data centers (some in, yes, the EU), and unprepared employers could have a veritable mess on their hands.
But even for those who are out of reach of the GDPR for the time being, the questions it raises are ones that all HR professionals should be asking themselves as they wrestle with increasing amounts of employee data.
Grappling with data ethics and sensitivity
Having solid systems in place to manage data is a key first step in managing data ethically — and HR likely has an idea of what this needs to look like, anyway.
“HR is no stranger to this because they are used to thinking of the data being important and needing to be protected,” Elzinga said. HR has a long track record of handling sensitive personal data, including case notes and personally identifiable information.
But now that much of HR’s employee strategy building relies on gathering massive amounts of data, HR must be doubly sure to have systems in place to protect employee identities during data analysis.
“You can’t just strip all your data out and stick a data machine learning process over it,” Elzinga said. Employers have an obligation to ethically handle that data and ensure that analysis done in aggregate doesn’t make it so employees can be personally identified. But how do you build those systems?
Slowly, Ramey said.
“It is an elephant,” he said. “One bite at a time. It’s truly figuring out and asking the right questions. And from a list of priorities standpoint, you aren’t going to be able to do it all. Prioritize the risks and be asking the right questions.”
Perhaps among the more difficult but most important priorities, according to Ramey, is understanding the type of consent you have from employees regarding their data.
Benefits need a strong system
If you need an example of this type of data management in action, look no further than benefits administration. Data access has changed how employers approach employee health, allowing better insights and an improved focus on ROI — but privacy is paramount with sensitive health data. Employers have to be extra cautious about personally identifying information.
“It’s definitely opened people’s eyes to what you can do,” Dan Shields, vice president of specialty product sales at Health Advocate, told HR Dive. “Taking sample sizes that are too small can identify people. If there aren’t enough people in a data set, we don’t display it.”
The adoption of wellness programs has spurred interest in health incentives, which naturally requires an employer to identify individuals who complete required tasks in order to grant them said incentives. Even something as simple as giving an employee a prize for attending a check-up requires specific policies and procedures to ensure the employee is protected and the company is compliant with health data requirements, such as those in the Health Insurance Portability and Accountability Act (HIPAA).
Benefits providers and their third-party associates often know what conditions employees have, who has shopped for care, where they received care and why, Marcia Otto, vice president of product at Health Advocate, told HR Dive. Companies like Health Advocate also try to be proactive in reaching out to employees that need care. So they must balance not coming off as Big Brother while also legitimately personalizing healthcare to specific needs.
Since personalization is increasingly part of the HR function, expect that strange dance to affect management in more than just benefits.
Stewards of data — most of the time
HR practitioners may need to take initiative and become true stewards of the vast amounts of people data that runs through their department. Names, social security numbers, healthcare information and compensation details all run through HR, Parkinson noted.
“And it will be the evolving role of HR as stewards to be able to determine how best to navigate the use of information,” Parkinson said.
Luckily, data management provisions have largely improved and grown with organizations — and HR has undergone a lot of “changes for the better.”
“20 years ago I was personally keying data into master systems,” she said, “but now having the ability to readily access information in real time, it really has radically shifted the function.”
Something as simple as headcount was more difficult to gather in the earlier days of HR, and even that can still be difficult for organizations depending on where they are regarding data analysis. But understanding how to manage that data will be key in establishing a strong company culture going forward.
In some cases, particularly around benefits, outsourcing data management to a trusted and vetted third-party partner may be a useful way to arrange some of these processes.
“The smart HR people are realizing they probably shouldn’t be doing this stuff themselves,” Shields said. Often, HR practitioners don’t need to personally know many employee health specifics to do a proper analysis, Otto said. To avoid violating HIPAA or the Genetic Information Nondiscrimination Act, employers need to be very careful with the processes around health data.
After all, for HR to truly innovate in the space, it needs to have the trust and support of both leadership and the employee base. How the department handles data management now can define the future success of the organization.
“How do we safeguard our brand and reputation and live by our value of trust and transparency?” Parkinson said. “That is a real challenge we will face.”