Employee Data Privacy is up to HR
On the 24th of August, 2017, the Supreme Court of India declared that "The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution".1
Many HR professionals rightly celebrated this enlightened and forward-looking landmark judgment by the highest court of the land. What most them missed was the stark contrast between the spirit of the judgment and the bounds of privacy which HR practitioners are increasingly transgressing in relation to their own employees. To pick just one example in the recruitment domain, when the people being scrutinized are not even the organization’s employees, already by 2015 "43 percent of organizations used public social media profiles or online searching to screen candidates,”2 in most cases without the consent of the individual. What is more, 36 percent of organizations disqualified candidates because of "concerning information" found on public social media profiles or online search engines.2 The threat is so real that entire businesses have been spawned to help individuals clean up and cosmeticize their online personas. BrandYourself, for example, makes this claim on its homepage: Use our world-class software and services to clean up and improve your online reputation. Readers who are curious about their own online profiles can use BrandYourself’s free, reputation report generator.
As active citizens, we applauded the recent Supreme Court decision that safeguards the privacy we value so much. Should we not then be more restrained about the intrusions we almost unthinkingly authorize, as HR practitioners, into the privacy of employees and job-seekers? Here are some suggestions for doing so.
The Gold Standard
The Indian legal framework provides limited protection for employee data privacy. Most of the protection provided by the Information Technology Rules, 2011, (under the Information Technology Act, 2000) relates to Sensitive Personal Data or Information (such as passwords, financial information, health conditions, sexual orientation, medical records and biometric records). It is not very likely that the long-awaited comprehensive legislation on the 'Right to Privacy' will make significant advances in data privacy for employees.
There is, of course, no reason for progressive employers to limit their policies to the minimum of what the law provides — we certainly don’t stick to the minimum wage law for everyone! Moreover, many of our corporates are global and will have to adopt more stringent policies on employee data privacy for their overseas employees. It would be very peculiar if their employees in India were exposed to the risks attendant on looser privacy guidelines.
As in many other domains, it is the EU that has had the most progressive legislation on employee data privacy and it has become increasingly stringent over the years. As far back as 2001, it specified3 that employers should:
- ensure that data is processed for specified and legitimate purposes that are proportionate and necessary;
- take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose;
- apply the principles of proportionality and subsidiarity regardless of the applicable legal ground;
- be transparent with employees about the use and purposes of monitoring technologies;
- enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data;
- keep the data accurate, and not retain them any longer than necessary; and
- take all necessary measures to protect the data against unauthorized access and ensure that staff are sufficiently aware of data protection obligations.
Some additional rules were adopted in 2017 and it was clarified that all of them were "intended to cover all situations where there is an employment relationship, regardless of whether this relationship is based on an employment contract."3
The following discussion seeks to place Indian corporates in a position to operate globally without falling foul of employee data privacy guidelines. Even more importantly, this standard of compliance can be a powerful magnet for attracting the newer generation of rights-conscious and tech-savvy millennials.
Permission and Parsimony
The most fundamental principle governing data privacy is that no organization can collect any data about an individual without that person’s specific and unforced agreement about the information being collected after being made aware of the purpose for which it will be used. This principle brings into immediate question a series of HR practices that have crept in with the growing data gathering, storing and analyzing capabilities the computer and Cloud revolutions have brought.
To revert to our starting example, surreptitious social media mining for recruitment or other purposes is clearly outside the bounds of permissibility. Even information available in the public domain must be utilized only if it can be shown to be required for assessing specific risks and provided the prospective candidates have consented to such scrutiny. In my estimation, the improvement in the selection decision through such mining is not worth the hazard of contravening privacy guidelines. Reliance on social media data for selection and other decisions betrays either an inability to use the more established tools of evaluation or laziness in putting in the effort required for doing so. Neither is acceptable.
Even proceeding with employee consent is not always an adequate safeguard. As the 2017 guidelines issued by the EU working party state, "consent is highly unlikely to be a legal basis for data processing at work unless employees can refuse without adverse consequence."3
Organizations need to have protocols for clearly explaining to employees what data is being collected, how it will be used and why it is in the employees’ interest, before asking for their consents.
The other part of the solution is to obtain only the minimum information compatible with managing individuals’ performance and careers. This is a great contrast to the data collection practices of several corporates today which seem to take great pride in recording the locations of employees’ kitchen sinks and the names of all their pets!
Whose data is it, anyway?
Once employee data is in a corporation’s possession, it automatically has to assume the responsibility for protecting it — and this is one more reason for gathering as little sensitive information as possible. In 2015, Sony Pictures Entertainment agreed to settle a class-action lawsuit filed by former employees in the wake of a data breach that took place the previous year. According to some estimates, the settlement touched US$ 8 million. Sony’s efforts to dismiss the lawsuit because the employees did not suffer any harm due to the data breach were unsuccessful. Such suits and damages have yet to reach Indian shores but many of our MNCs have significant employee populations in countries like the US and some have already burned their fingers on class action lawsuits.
Of course, it is not only electronically stored or leaked information that one has worry about. In many organizations, it is garrulous guys (have you noticed, women gossip less than men?) from HR who use the privileged access they have to employee information to spread stories through their networks. This is unprofessional conduct in any case but in an age when people are sensitive about data privacy breaches, it can be an expensive legal risk for the company concerned.
To demonstrate that individual data is really owned by the employee (and not the corporate) organizations must permit employees free access to it on-demand and with minimal hassle or red tape. Few of our IT systems for people are designed to give such access. While redesigning them, it will be important to remember that it is not only data provided by the employee to which s/he must get access but information that is recorded about the employee by others as well. Hopefully, the days of confidential assessments by back-stabbing bosses are behind us, so these requirements should not cause major upsets in progressive organizations.
Multi-locational and multinational corporates have to take particular care in transmitting data across boundaries. Quite apart from additional security safeguards, there is a morass of legal restrictions that prevent the free-flow of employee information.4 I recall the frustration I felt when a global HRMS project I was leading out of Paris faced hurdles in employee data transfers from Germany to France, which are neighbouring EU countries!
Another rock-strewn shoal that few organizations have yet navigated is the process to be followed when an employee leaves. It is all very well to generalize that an employee has the right to be forgotten once s/he is out of the company but to what extent is this excision necessary or even possible. Surely some track of the person’s service has to be retained, if for no other reason than to provide references for welfare payments and to meet other statutory obligations.
Most corporates in India have assumed that they have the right to monitor employee communications at the workplace as well as those made using company equipment or software provided by the company.
The matter may not be as straightforward as that. Once again, it is the EU that leads the way and a judgment pronounced by the European Court of Human Rights in September, 2017, made it clear that "It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used."5 Here too courts are pushing employers in the direction of informing employees before undertaking any surveillance. In the Australian Capital Territory and the state of New South Wales, unless a covert surveillance authority is obtained from a magistrate, only overt surveillance of emails can be conducted by employers. This requires the employee to be given 14 days’ written notice before commencing surveillance, and this notice must identify how the computer surveillance will be conducted, its start date and its duration.6 Indian law may not yet have reached this stage but the direction for progressive employers to take is clear.
So if email and telephonic interception are becoming increasingly proscribed, what about other forms of employee surveillance, whether without or even with the employees’ knowledge?
Earlier this year there was a report in The Verge that said, "Amazon has been granted a pair of patents for a wristband that can pinpoint the location of warehouse employees and track their hand movements in real time... While the patent describes this tech as a time-saving system, tracking workers in this way seems dystopian." 7
Big Bad Brother
Speaking of dystopian environments, let’s go back to the situation described presciently by George Orwell way back 1949. Orwell described the telescreen present in every flat, working place, building and square. The metal plaque received information on what was going on in front of it and emitted propaganda.8 In Orwell’s words, "There was, of course, no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate, they could plug in your wire whenever they wanted to. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized." 9
Apart from the availability of much more potent, portable, ubiquitous and intrusive technology to us, is the workplace that some organizations are seeking to create today very far from the surveillance scenario Orwell described? Whatever happened to the trust that is almost a given in the core value statements of most companies? Does the Supreme Court decision on the right to privacy have no bearing on the corporate world?
If this is really the future of work, I want no part of it.
1. Order of the Court, 2 (iii) page 546, delivered on 24 August 2017, by the Supreme Court of India in the case of Justice K.S. Puttaswamy vs Union of India.
2. Tanya Mulvey et al, SHRM Survey Findings: Using Social Media for Talent Acquisition – Recruitment and Screening, 7 January 2016.
3. Working Party set up under Article 29 of Directive 95/46/EC of the EU, Opinion 2/2017 on data processing at work, Adopted on 8 June 2017.
4. Nigel Cory, Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?, Information Technology and Innovation Foundation, May 2017.
5. Stephen Ravenscroft, quoted in European Court Limits Employers’ Right to Monitor Workers’ Email, New York Times, 5 September 2017.
6. Vanessa Andersen and Olivia Hillier, Can you check an employee’s emails without their knowledge?, Human Resources Director Australia, 16 June 2017.
7. By Thuy Ong, Amazon patents wristbands that track warehouse employees hands in real time, the Verge, 1 February 2018.
8. Nevena Lovrinovi, Surveillance in Brave New World and Nineteen Eighty-Four, Diploma Thesis, Filozofski fakultet u Zagrebu, Department of English Language and Literature, 1 April 2015.
9. George Orwell, Nineteen Eighty-Four, Part 1 Chapter 1, 1949.