Creating Data Protection Policies for Your HR Department

What would you say is Human Resources’ most important asset? One can argue that talent is one of its most valuable and intangible assets but few realize that HR is sitting on another gold mine. HR teams process an enormous amount of data, including but not limited to recruitment data, career progression data, training data, absenteeism figures, productivity data, personal development reviews, competency profiles, and staff satisfaction data. [1]

Using HR data is extremely helpful, especially now in the era of big data, but it can be legally and ethically challenging. Organizations need to create data policies to protect everyone involved and use the data they gathered responsibly. 

The Data Privacy Act

The Data Privacy Act was passed in 2012 “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” [2] The law applies not only to businesses with offices in the Philippines, but when equipment based in the Philippines is used for processing. This extends to the processing of personal information of Filipino citizens regardless of where they reside.

Under the law, the collection of personal data must also be a declared, specified and legitimate purpose. Consent is required prior to the collection or sharing of all data, and one must be informed about the extent and purpose of processing the information. 

Privacy Policy Guidelines

The law requires businesses to develop and implement procedures for data. But since HR processes a whole lot of data from candidates, current employees, contractors, and other personnel, it’s wise for companies to have internal data protection policies for HR. 

Risk Assessment. Any sensible data protection policy strategy starts with risk assessment. You need to determine your vulnerabilities when it comes to HR-related data. [3] It’s okay to have faith in the company’s overall data security measures you have now but don’t be complacent. Anticipate where breaches can take place.

Defense or Offense. The Harvard Business Review cites two frameworks for data strategy. [4] The defensive approach’s goal is to ensure data security, privacy, integrity, quality, regulatory compliance, and governance. Meanwhile, the goal of the offensive approach is to improve competitive position and profitability. Strike a balance between the two to achieve the ideal results.

Breach Protocols. Nobody wants to assume the worst but you have to admit that it has certain perks. In case of a data breach, it will be beneficial to have protocols for HR staff to follow. Make sure everybody knows that protocols are in place and hope you never have to use it.

Lost Files. Misplacing or losing files, like CVs and employee review forms, could be classified as an internal breach. Therefore, you should also have a contingency plan for when it happens. Having digital backups for your files is a good place to start.

Policy Implementation. It’s not enough to just communicate your policies to HR staff; you also need to enforce the rules proactively. You don’t necessarily need to have an employee whose job is specifically to oversee data processing. Just make sure that everybody is fully informed of what they should and should not do with data.

Sources:

[1] Why Data is HR’s Most Important Asset

[2] Summary: Philippines Data Privacy Act and implementing regulations, International Association of Privacy Professionals, Inc.

[3] HR Departments Should Have Data Policies, HR Bartender

[4] What’s Your Data Strategy?, Harvard Business Review