Data Privacy Becoming an HR Issue

    Jul 21, 2014

    Until recently, data privacy has been regarded as primarily an IT issue. Some – particularly in the legal community – contend it is also becoming a human resources issue as hackers are starting to take aim at employee personal information as well as customer information. Take the monstrous Target breach as an example. The hackers attacked both customer and employee personal data.

    In the Connecticut Employment Law blog, publisher Daniel Schwartz, a partner at Shipman and Goodwin LLP, also noted an article in The New York Times that reported hackers recently tried to access government employee files that included in-depth personal information required for security clearances. Four months later, the administration says there is no indication that the breach was successful.

    The motivations for the attacks may be different, but both instances drive home Schwartz’s point that HR departments have some skin in the game of data privacy. He recommended that HR develop a data privacy policy to cover security concerns; continually train and educate all employees – including senior executives – on the steps they need to take to protect confidential information; conduct regular audits of information in all formats, including paper; and insert clauses into employment contracts that clearly prohibit employees from accessing confidential data during and their employment with the company.

    Of course, ARMA International would suggest that issues of data privacy and the proper protection of personal information belong in the realm of information governance and should be addressed on an enterprise-wide basis. Yes, policies should be developed, employees need to be trained, audits should be conducted, and employees should be held to strict standards of proper conduct in their use and handling of records and information.

    However, it is important to consider all of the relevant requirements at the same time so policy statements are consistent and don't contradict one another. Information governance professionals must also balance the requirements for how the information is used in the organization in order to conduct business and requirements that arise out of litigation and regulatory investigations. This is why ARMA calls for unified information governance based on the Generally Accepted Recordkeeping Principles® (Principles), initially issued in 2009.

    Only by considering all of these concerns within a consistent information governance framework will organizations be able to balance their use of information with the rights of individuals to have private information protected and the technology needed to provide the desired levels of protection.

    This unified or holistic approach to information governance is explained in ARMA's web pages devoted to the Principles, the Information Governance Maturity Model, the Information Governance Assessment product, and the Information Governance Professional certification program.

    © 2017, ARMA International