Data Privacy and HR: A proposed framework for compliance (Part 2)

In the previous installment, we outlined the potential entry points where personal information or sensitive personal information (PI and SPI, respectively) as defined by the Data Privacy Act of 2012 may enter the organization. We drew up a hypothetical list of processes that an employee will go through, as well as an inventory of the data elements necessary for the processing of every step in the employee life cycle.

This time, I will share my proposed project management approach towards data privacy compliance and apply it to the pre-employment stage of the hypothetical employment scenario outlined for this series.

Step 1. Create an Inventory of Processes, Documents, and Policies

The following aspects for each HR process must be mapped out into a matrix:

  1. HR Function
  2. Subprocess
  3. Documentary requirements for each subprocess
  4. Originator
  5. Recipient
  6. Rationale for the submission
  7. Data elements contained in the document
  8. Type of Data

By mapping each HR function’s process in this way, the organization will be able to determine the following:

  1. Whether or not such a documentary requirement is an absolute necessity for the function;
  2. Whether such documentary requirements require additional safeguards such as waivers or undertakings from an employee;
  3. Whether or not the policy that necessitates such submission may be adjusted given the new law; and lastly,
  4. Whether or not the form containing such data elements needs to be revised given the new law.

The organization, of course, may find some processes, documentary requirements, and policies no longer germane to the purposes it wishes to achieve, so this would be the most opportune time for a process review.

Further, this would ensure that the organization has complied with the general data privacy principles set forth in Section 11 of the Data Privacy Law. It is highly recommended that the organization keep records of such an exercise, in the event that the Data Privacy Commission requires employers to submit proof of compliance.

Step 2. Assess and refine, if necessary, existing controls in the processes

This is where a robust business controls and information security support organization comes in handy. What must be assessed at this point? Section 20 of the Data Privacy Law requires that organizations employ three levels of protection over data in their custody: organizational, physical, and technical. Organizational measures would entail separation of duties between and among participants in handling PI and SPI; physical measures would refer to access restrictions to areas where PI and SPI are stored; technical measures would refer to data security measures such as encryption and secure messaging for communications containing PI and SPI. Each process and each transaction would need to be traced for the specific security measures in place, to ensure that each time PI and SPI change hands in connection with a legitimate transaction, the integrity and security of the data are not compromised.

Further, the Data Privacy Law requires that organizations report data security breaches. This means that security measures in place must not only be preventive in nature, but there must also be a detective component. In other words, the processes and security measures should be built in such a way that it is readily apparent to key stakeholders if and when a data breach occurs.

I applied the proposed framework above and came up with this hypothetical example in assessing the Pre-employment stage, specifically the Pre-employment Kit:

[Image: hypothetical assessment of the Pre-employment Kit]

I purposely left out an assessment of the security measures for each kind of data, to leave the reader the flexibility to do a separate assessment, or to assess it side by side with the process assessment.

My recommendation would be to have a separate assessment of the security measures once all the data privacy process assessments have been completed.

For the next installment we’ll apply the same methodology to other HR processes to illustrate further that there is a real need for organizations to review HR processes and bring them up to speed with the requirements of the Data Privacy Law.

Data Privacy and HR: A Proposed Framework for Compliance

(Author’s Note: This is Part 1 of my exploration on the Data Privacy Act)

The Data Privacy Act of 2012 took effect last year, yet, until now, no Data Privacy Commissioner has been appointed, nor have implementing rules been drafted.

This article aims to provide organizations with a sample framework in reviewing their HR processes, with the intent of proposing process improvements, or identifying potential pitfalls for non-compliance, as the case may be.

The author resorted to a hypothetical mapping exercise that shows the employee life cycle with the documentation requirements at each stage. At specific points in the employee life cycle, relevant social legislation and other pertinent laws will be analyzed and placed side by side with the requirements of the Data Privacy Law.

Let us now chart the human resource journey of a hypothetical employee, as well as the industry-standard requirements at each stage, and apply the Data Privacy Law in classifying the data contained therein.

The typical hiring process in the Philippines necessitates the submission of the CV or resume of an applicant. This document may contain information such as personal details, a summary of job history, and a list of character and professional references. Prior to the interview, the applicant will complete a company form called a Job Application Form, with data fields substantially similar to the contents of the CV. After the interview, and upon the meeting of the minds of the recruiter and the applicant, the employee will execute an employment contract and be subject to pre-employment requirements.

A typical pre-employment list of requirements involves the following: Transcript of Academic Records, an NBI Clearance, BIR Form 2316, a Certificate of Employment from previous employer, SSS E-1 Form, and HDMF or PAG-IBIG Fund Member number. Some companies further require the employee to clear a Background Investigation, as well as a Pre-employment Medical Examination.

Let us now assume that the employee has complied with all the pre-employment requirements. For payroll, the employer may require him to open a bank account where the salary will be deposited. Alternatively, the employer may open a bank account for the employee. In the event that the company offers HMO benefits, the employee may be required to undergo a pre-coverage medical examination. Further, when availing of HMO benefits, the employee may be required to submit medical certificates, copies of tests, prescriptions, and other medical information. The same goes for availment of leave benefits. If an employee goes on sick leave, he may be required to submit medical certificates substantiating his absence. In the event he goes on emergency leave for the illness of his spouse, children, or other family members, he may be required to submit medical certificates of said family member. These are the regular transactions of HR that involve data elements defined in the Data Privacy Act.

Let us now examine life events, or those milestones in an employee’s life that substantially alter his benefits or tax treatment.

The moment an employee enters into marriage, he may be entitled to greater benefits provided by the employer, such as expanded HMO coverage. In such event, he will need to submit proof of marriage, or the marriage contract.

Once an employee or an employee’s spouse gives birth, this would entitle the employee to additional tax exemptions, as well as opening more benefits options for him. He will then be required to submit documentation evidencing the birth of the child.

In the unfortunate event that a dependent of the employee passes away, he will need to submit proof of such to avail of bereavement leave and bereavement assistance.

Also, year in and year out, employees will celebrate birthdays, service anniversaries, and promotions. Some corporate cultures make company-wide announcements of such events. A schematic is provided below:

HR Process and Data Required

Pursuant to Section 3(g) and (l) of the Data Privacy Act, each documentary requirement in the employee life cycle detailed above is tagged as either personal information (PI) or sensitive personal information (SPI), based on its typical contents.

This is summarized in the table below:

HR Process and Data inventory

As can be seen in the table above, all the documentary requirements necessary for regular HR processes may be sources of non-compliance risk under the Data Privacy Act.

It is thus imperative for HR Leaders to immediately assess their processes, and inventory what sort of documentary requirements are absolutely indispensable to HR transactions. Alternatively, HR Leaders may want to review their process design and execution, so that there is the least amount of processing, handling, retention, and transmission of data, to minimize data privacy risk to the organization.

We will explore further the Pre-employment stage in the next installment.