The information explosion and the quantum growth in computing capability have provided organizations with unprecedented levels of workforce data. While the opportunity to collect, integrate, and analyze employee data in greater volumes can be enticing, it simultaneously raises several important questions. What level of employee monitoring is appropriate? What rights should employees have regarding their data? How do organizations ensure that their people analytics approach is not only beneficial to the company, but also fair to employees?
In the legislative realm, there is growing awareness and vigilance around the rights of individuals regarding their data. On May 25, 2018, the General Data Protection Regulation (GDPR) will enter into effect. The GDPR is based on a key guiding principle: personal ownership of private information. For example, the GDPR mandates that users can access their data, and request to have their data deleted (the “right to be forgotten”). The GDPR legislation is designed to provide a coherent system of privacy regulation for EU citizens. Notably, however, the legal requirements pertain to any company involved in handling the data of EU citizens, which includes many companies outside of the EU. Moreover, the GDPR may be seen as a guidepost for how to treat data. In light of the recent scandal in which Cambridge Analytica leaked private information from as many as 87 million Facebook users, Facebook has declared that it will adopt GDPR standards for user data.
Singapore’s data collection act, the PDPA, is similar to the GDPR in that its reach extends beyond Singapore’s borders and applies to any organization that collects the personal data of its citizens.
However, the reach of the GDPR is far more extensive and the penalties for violating it are far more severe. While the GDPR is applicable to all EU organizations and organizations that collect data on EU citizens, the PDPA has a more limited scope and includes several exemptions – excluding data collected by the public sector and business contact information. In addition, the definition of consent under the GDPR is far stricter than under the PDPA. While the PDPA treats the voluntary provision of data as consent, the GDPR requires express consent. The GDPR also requires that data only be used for the specific purpose for which it was collected, whereas the PDPA is more lenient in allowing use for “reasonable purposes”.
Canada’s personal data protection act, PIPEDA, is similar to the GDPR in that they both ensure individuals have the right to access data stored about them. GDPR goes beyond PIPEDA legislation by ensuring the right of portability – organizations are required to present this data to individuals upon request “in a structured, commonly used and machine-readable format”.
Although many of these pieces of legislation share similarities, these contrasts highlight the importance of fully understanding the nuances of all data-privacy legislation that applies to your organization.
While adhering to legal guidelines is an important baseline, we believe companies must do more than adhere to legal requirements. As noted in a report by IBM, what companies can do with employee data and what companies should do with employee data are altogether different questions. Legality does not imply ethicality, and so employers must carefully consider the impact of collecting and analyzing employee data.
Technology is advancing faster than legislators can keep up with, and there are areas that legislation may not be able to anticipate.
For example, some employers are now outfitting their workforce with fitness tracking devices, to measure employee health and wellness. While these types of initiatives can be helpful from, they may also have a negative impact on employee morale. As another example, there is increasing opportunity to track data on employees and candidates from the web, including social media profiles. Where should the line be drawn in terms of what information employers should collect?
Companies will need to carefully consider how their people analytics strategy and implementation impacts employees. At the heart of this matter is the issue of trust. When introduced to new people analytics approaches, employees will likely be wrestling with the following questions, whether explicitly or implicitly:
- Do I trust my employer’s intentions when it comes to collecting and analyzing my data? Is it in my interest for me to share my data, or the interest of the company?
- Do I trust the data itself? Is the data on me accurate? Does it appropriately represent me, or my contribution to the company?
- Do I trust the decisions that are being made based on the data? Are the analyses based on my data likely to result in better and fairer decisions?
We believe that responsibility falls on employers to earn employees’ trust in their people analytics efforts. In order to build this trust, we recommend the following in collecting and handling employee data:
- Disclose what types of data are being collected, for what reasons, and how the data will be used
- Clarify the rights of employees in terms of what data is collected and how it is used
- Encrypt and secure all databases
- Eliminate identifying information from data once data has been integrated
- Aggregate data and report on results at the aggregated level
Today, organizations have the ability to track, monitor, and analyze their workforce to an unparalleled degree. While people analytics can provide huge strides in organizational efficiency and effectiveness, it is important to not only abide by the legal requirements when collecting and utilizing this data, but to also consider the ethical implications. Beyond considering this for the sake of ethical behavior, using workforce data in a manner that employees are uncomfortable with may neutralize any gains by damaging morale and reducing employee engagement.
This article has been adapted from “The People Analytics: Steps toward Data-Driven Decisions”. A copy of the paper in full is available upon request from Percipient Solutions Ltd. Please contact firstname.lastname@example.org for more information.
Hannah YeeFen Lim, June 2017. GDPR matchup: Singapore’s Personal Data Protection Act. International Association of Privacy Professionals. https://iapp.org/news/a/gdpr-matchup-singapores-personal-data-protection-act/
Timothy M. Banks, May 2017. GDPR matchup: Canada’s Personal Information Protection and Electronic Documents Act. International Association of Privacy Professionals. https://iapp.org/news/a/matchup-canadas-pipeda-and-the-gdpr/
Nigel Guenole, PhD, Sheri Feinzig, PhD, David Green. January 2018. The Grey Area: Ethical Dilemmas in HR Analytics. IBM Corporation. https://www.ibm.com/watson/talent/talent-management-institute/ethical-dilemmas-hr-analytics/hr-ethical-dilemmas.pdf