Practical Privacy — Managing HR Data
Refreshed 8 July 2022, Published 25 January 2021 - ID G00740474 - 22 min read
FOUNDATIONAL This research is reviewed periodically for accuracy.
Overview
Key Findings
■ Maturity in both capabilities and granularity of data control varies greatly between
HR applications, particularly around reporting, record keeping and subject rights
management. Furthermore, data protection implications are not consistently
considered in the acquisition process.
Recommendations
Security and risk management leaders responsible for technology, information and
resilience risk should:
Introduction
In the shadow of a growing list of maturing privacy regulations, including the General
Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the
Lei Geral de Proteção de Dados (LGPD), HR data is regarded as highly sensitive,[1]
requiring proportionally more due care and due diligence. Be it demographic details
regarding gender and identity, salaries, or just notes from an assessment or an internal
investigation, human capital management (HCM) applications often represent a substantial
privacy risk in any organization where the data is stored for long periods of time and
shared with third-party suppliers.
Security and risk management (SRM) leaders must ensure that HR data is only processed
for deliberate, predefined and documented processing purposes. Mishandled employee
data does not merely carry a regulatory impact, but it also erodes trust, affects morale,
and leaves employees in a compromised and dependent position, conflicted about
whether to take legal action against their employer. Furthermore, the resulting reputational
damage and employee distrust hinder the organization’s capacity to hire and retain the
best and the brightest.
Analysis
Assess and Manage Your HR Workflows
The aim of HCM applications is to help ensure the efficient allocation of staff, support
the talent management life cycle, improve employee engagement and, often, manage
contingent worker data. (For more detail see Market Snapshot — Human Capital
Management, Worldwide, 2020.) They manage HR workflows and track role
assignments of an employee’s tenure within an organization from start to finish.
Furthermore, with a majority of core HR applications residing in, or transitioning to, the
cloud, data residency concerns arise, such as those following the Schrems II ruling (July
2020), and the invalidation of Privacy Shield. (For further detail, see Practical Privacy —
Balancing Data Residency Requirements With Business Needs.)
The three subsections outlined in Figure 1 focus on an organization’s duty to assess the
impact of HR workflows on employee privacy and adequately protect employee data —
past, present and future. The research goes on to address concerns while selecting
service providers (processors) and solutions that are able to handle personal
information appropriately.
Past Employees
Basic mathematical modeling shows that, with moderate staff growth of 10% and an
average turnover of 15%,[3] the number of past employees surpasses the current
headcount by year 10. Many organizations therefore hold more personal data on their past
employees than on their current staff. In some countries such data retention may be required
by law, but holding the data in active storage exposes it to unnecessary risk. Serving past
staff members also requires whole teams and multiple outsourced providers to deal with
pensions and complementary services.
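To make the year-10 claim concrete, here is a small headcount model added for illustration (it is not part of the Gartner note). It assumes headcount grows by the stated rate each year, that the stated share of that year's headcount leaves and is replaced, and that every leaver becomes a distinct former-employee record (no rehires); those modeling choices are mine.

```python
from dataclasses import dataclass

# Added example, not from the original note. Assumptions (mine): headcount
# grows by `growth` per year, `turnover` of that year's headcount leaves during
# the year and is replaced, and each leaver is one new former-employee record.


@dataclass
class YearSnapshot:
    year: int
    current: float  # active employee records held
    past: float     # accumulated former-employee records held


def simulate(start_headcount=100.0, growth=0.10, turnover=0.15, years=15):
    """Return one YearSnapshot per year, starting from year 0."""
    snapshots = [YearSnapshot(0, start_headcount, 0.0)]
    current, past = start_headcount, 0.0
    for year in range(1, years + 1):
        current *= 1 + growth          # net headcount growth for the year
        leavers = current * turnover   # records that move to "former" status
        past += leavers
        snapshots.append(YearSnapshot(year, current, past))
    return snapshots


def crossover_year(**kwargs):
    """First year in which former-employee records exceed active ones, or None."""
    for snap in simulate(**kwargs):
        if snap.past > snap.current:
            return snap.year
    return None


def stale_share(**kwargs):
    """Share of all employee records that belong to former staff in the final year."""
    last = simulate(**kwargs)[-1]
    return last.past / (last.past + last.current)


if __name__ == "__main__":
    for s in simulate(years=12):
        print(f"year {s.year:2d}: current {s.current:7.1f}  past {s.past:7.1f}")
    print("crossover year (10% growth, 15% turnover):", crossover_year())
    print("crossover year with 5% turnover:", crossover_year(turnover=0.05))
    print(f"former-employee share of records after 15 years: {stale_share():.1%}")
```

Changing `growth` and `turnover` to an organization's own figures shows how quickly its retention policy, rather than its hiring, comes to dominate the volume of HR records at risk.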
SRM leaders who do not take steps to minimize these records will find themselves with a
higher privacy risk for unused data than for that held to maintain the active employee
population.
SRM leaders should ensure that HR data on departing employees, held both internally and
with service providers, follows a clear and strict data retirement process that is audited
periodically. This transition (from current to former employee) is a natural opportunity for
risk minimization through a variety of options (see Practical Privacy — Managing Data
Retention and Backups). The core focus at this stage is that the data held provides a
healthy balance between utility to the organization (for example, through talent analytics)
and privacy risk to the departing employee.
HCM applications come with varying degrees of governance capabilities. Issues often
arise as organizations blur the lines between the data they need or are required to hold
and data held due to unclear or unenforced retention policies. (To employ further security
rigor, please review How to Use the Data Security Governance Framework.)
With the move to remote work, employee activity data is increasingly collected and
analyzed as an alternative to in-person mentorship. Much of this is done in non-HR
applications without adequate due diligence. The Microsoft Productivity Score mines
employee behavioral data across the Office 365 ecosystem, which makes it a very strong
tool for digital transformation. This offering was launched in November 2020, and by
December concern over privacy was so great that Microsoft updated the product to
exclude individual employee data and only show aggregate insight.
Note regarding the CCPA: Data collected in the course of employment activities is not
currently covered by the California Consumer Privacy Act. That exemption would have
expired[4] at the end of 2021, but following the approval of the California Privacy Rights Act
(CPRA) on 3 November 2020,[5] the moratorium has been extended by a year, to the end of
2022. This is not to say that the parties involved in the negotiation will not reach an
agreement ahead of that deadline. SRM leaders should put a plan in place to offer their
employees the same rights available to consumers.
The data associated with each candidate increases substantially as the hiring process
moves forward. For SRM leaders, understanding the steps where data is collected during
this process is crucial so as to best identify the associated systems where that data will
need to be purged at the conclusion of the process. The following three steps outline the
main data collection junctures, where transparency is a crucial aspect:
■ Post/assess — A position is opened and prospects are added to the process either
actively (through application) or passively (selection from the existing talent pool).
The assessment of the existing candidate data starts, as well as the collection of
complementary information (such as background checks).
SRM leaders must evaluate the systems associated with the steps of the hiring process.
This should ensure that the decision to hold, purge or treat candidate data is conducted
purposefully and with a lawful basis justification. Clear guidelines reflected in technical
controls within the HCM solution maintain valid purposes of processing and remove
guesswork as well as conflicting opinions from the process.
The following two outcome-driven scenarios in the hiring process provide an example of
policy applications.
Negative Outcome
■ The HR team sees value in the applicant and the organization holds the resume for
future opportunities, given the appropriate consent. Most organizations hold this
data for a period of six months to a year, though this may vary per country, as some
have applicant data retention requirements to help ensure compliance with
antidiscrimination laws.
■ Mask personal data and maintain only anonymized data to feed into talent-
matching algorithms and models.
■ Delete all information gathered about the applicant within four weeks. Most
organizations view this period to be a reasonable time frame.
Positive Outcome
When the applicant is successful, the HR team will transfer only the relevant information
collected in the hiring process to the active employee record.
For new hires, access to data regarding their previous experience may in fact help them
acclimate better by connecting with new colleagues who have had similar experiences. It
may also help them access new opportunities later in their tenure at their new employer,
leveraging previously acquired skills and knowledge.
Common Considerations
The following considerations represent common concerns raised through analyst
inquiries around the handling of HR data and the thought process involved in tackling
them.
Some highly regulated data points, such as background checks, may be required by law
(for example, when working with children and vulnerable individuals). However, they are
quite intrusive and must therefore be applied transparently (by informing the applicant in
advance) and with due care (possibly through a specialized vetting agency). Avoid
holding data from background checks. Consider developing a scoring system with your
third-party provider so that, based on its findings, it returns only a final score, upon which
you can base your hiring decision. This ensures that the aforementioned sensitive data
does not change hands and is not subsequently stored unnecessarily.
Table 1, originally published by the French data protection authority,[7] demonstrates the
mapping organizations should maintain for employee data processing activities against
clear purposes of processing and legal basis.
Table 1: Mapping Purpose and Legal Basis When Processing Employee Data
(Enlarged table in Appendix)
■ An organization installs biometric readers at all entry and exit points to facilitate
access control, increasing security, reducing the cost of access cards and the
overhead involved when employees misplace them. Six months after deploying the
system, management decided to use the log data to measure employee attendance.
This may seem fairly innocuous, but the organization collected biometric data
(deemed sensitive in most jurisdictions) for the explicit purpose of access control
and later used it for a different purpose (attendance). This is viewed by most
regulators as a violation of the “Use Limitation Principle,” which is quite common in
most privacy regulations.
For further detail on this space, please review the Market Guide for Employee-Monitoring
Products and Services.
Data gathered through the employee life cycle is used for many types of metrics and
insights that help HR leaders and other executives make more data-driven talent
decisions. For example, it may be used to determine which hiring sources produce the best
candidates, or which candidate characteristics are most predictive of fitness for a role
and subsequent performance (see Technology Options for Talent Analytics).
Many HCM applications have introduced the automated processing of historical data to
provide suggestions to employees, managers and HR staff. Examples of such capabilities
include:
■ Fitness for a new role or a next career step — Commonly referred to as succession
planning, this allows organizations to identify how performance, peer assessments
and skill development indicate when an employee is ready for advancement.
As HR explores more use cases for predictive analytics and machine learning to mine
historical data, SRM leaders must flag and, in some instances, block the significant privacy
risks associated with purpose limitation violations involving sensitive personal data. In
flight-risk prediction models, for example, tools that exist for communication purposes (such
as email) may also be mined to track whether an employee is at risk of leaving the
organization, by looking at patterns of slowing responsiveness.
The first task when tackling privacy concerns in HR systems is to create a risk register
associated with common, employee-facing processing activities. These activities span the
employee life cycle and may include new role requisition, onboarding, ongoing employee
life cycle management and managing worker transitions through offboarding and
postemployment services. The risk assessment is not limited to full-time employees.
Seasonal workers (such as temporary staff, interns and contractors) should see their data
processed with equal care.
■ Handling subject rights requests. For further guidance on this subject, see Market
Guide for Subject Rights Request Automation.
■ A data retention register to apply applicable laws and regulations to different classes
of employee records across jurisdictions.
Vendor Responsibility
HCM software comes in all shapes and sizes. A cloud-based deployment will see more of
the stack managed by the vendor, whereas an on-premises deployment will see much of
the responsibility held within the organization. The deployment approach will impact the
organization’s shared responsibility model regarding managed personal data.
Vendors developing HCM solutions and managing HR data should clearly differentiate
themselves along two axes:
■ Solutions should not expose clients to disproportionate privacy risk owing to the
way they process personal information. Vendors should be able to independently
quantify (through external audit) the privacy risk their solutions represent and how
they mitigate these risks.
SRM leaders must support their HR counterparts when reviewing HCM products by
running a detailed data protection impact assessment (DPIA). This process audits the
vendor’s capacity to provide for the principles of privacy engineering. In turn, this places
the data owner’s (the employee’s) privacy at the heart of the decision-making process.
HCM vendors may choose to focus on their core offering, embedding privacy
management capabilities through partnership with specialized vendors (for further
detail see Market Guide for Subject Rights Request Automation).
Common Considerations
Be it fully managed in the cloud or part of an owned on-premises deployment, these
considerations should always be taken into account during the selection, administration
and periodic review of the systems and providers that handle HR data:
■ Data loss — Recruitment systems are developed to connect and integrate with third-
party services such as LinkedIn or Twitter. In many cases, these integrations expose
the organization to risk through misconfiguration, resulting in unintentional data
loss. Exposing personal data to a third party with no lawful basis is a violation of
most privacy regulations.
■ Create a clear and concise set of general processing guidelines for personal
information in line with the organization’s policy and the associated regulatory
requirements. This document will be the same for any third-party service provider.
■ Define an oversight structure that encourages a “check first” approach for service
providers. This will foster a transparent relationship in which the organization has
visibility and control over further subprocessing and the overall compliance posture,
allowing it to provide feedback and guidance on an ongoing basis.
■ Include third parties that process personal information in scheduled drills (incident
response and SRR fulfillment), as they now form part of the extended data-
processing chain.
■ Document clear exit terms for the data held by third parties. This should include how
data should be returned (structure and format), as well as data retention guidelines
and subsequent data destruction attestations.
Finally, a close collaboration with legal counsel is necessary for the contract draft to
ensure that the guidelines follow the data and are not limited by geography or the
handling party (see Key Privacy Considerations for Vendor Selection and Control).
Evidence
[1] Art. 9 GDPR: Processing of Special Categories of Personal Data, Intersoft Consulting.
[2] Workers Can Sue Employer for Failing to Protect Personal Data, Hutchison & Steffen Attorneys.
[3] What Is the Ideal Employee Turnover Rate? Monster.
[4] California Extends Employee and B2B Exemptions under the CCPA, JD Supra.
[5] California Voters Approve CPRA, JD Supra.
[6] Greek Data Protection Authority Fines PwC Over Unlawful Processing of Employee Data, Birketts.
[7] Relatif aux Traitements de Données à Caractère Personnel Mis en Œuvre par des Organismes Privés ou Publics aux Fins de Gestion du Personnel, CNIL.
[8] Why Hiding From Managers Can Increase Worker Productivity, Forbes.
[9] New German Fine: EUR 10.4 Million for Unlawful CCTV, Norton Rose Fulbright.
[10] Barclays Scraps ‘Big Brother’ Staff Tracking System, BBC.
[11] PwC Facial Recognition Tool Criticised for Home Working Privacy Invasion, Personnel Today.
© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained in
this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. Although Gartner research may
address legal and financial issues, Gartner does not provide legal or investment advice and its research
should not be construed or used as such. Your access and use of this publication are governed by
Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence and Objectivity."
Table 1 (enlarged, from the Appendix): Mapping Purpose and Legal Basis When Processing Employee Data
Purpose of processing | Processing activity | Legal basis
Recruitment | Processing of applications (CVs and cover letters) and interview management. | Contractual obligation (precontract)
Career Management and Onward Mobility | Professional assessment of personnel in accordance with labor laws. | Legitimate interest
Training and Awareness | Management of training requests and completed training records. | Contractual obligation
Social and Cultural Activities | Management of social and cultural activities directly organized by the employer, excluding activities relating to medical and social service. | Legitimate interest