The governance role of human resource professionals over employee information has long been established. The very nature of employee information, from payroll details to performance reports, requires discretion and confidentiality. In recent years, emerging laws worldwide, including the General Data Protection Regulation (GDPR, 2016) in the European Union and the California Consumer Privacy Act (CCPA, 2021), delineate between those who own the information and those who lawfully gather it for business purposes. This article outlines the difference between data ownership and data gathering to raise awareness among the HR community of the changing terminology and its impact upon the governance and execution of employee recordkeeping.
From Operator to User to Owner
For decades technology operators have been called “users.” The term depicts the relationship between humans and computers. In the early days of the telephone and radio, users were called “operators.” These technologies required assistance from people working directly with the equipment as surrogates for the parties communicating with each other.
As highlighted in the film Hidden Figures (IMDB, 2016), people called “computers” performed mathematical calculations before the invention of electronic computing systems. They manually processed equations with limited aids like slide rules, mechanical adding machines, and look-up tables. With the creation of electronic devices that stored and manipulated information, the term was aptly applied around World War II to machines that performed these functions. And like its technological predecessors, the phrase “computer operators” was similarly adopted and applied to those who worked directly with the machines.
Eventually, the broader term “user” was affixed to anyone working with a computer or computer network. Over time the industry yielded new roles and titles, e.g., computer programmers, software developers, software technicians, and other titles that marked the field’s maturity.
These words specified the type of person operating or designing the computer or its programs. Almost no consideration was given to distinguishing roles of ownership versus collection. Emerging laws, repeated breaches, increasing cybercrime, and an emphasis on personal online privacy in the past decade led to a new delineation and nomenclature, one that carries practical and legal consequences for employers as data gatherers.
“Data ownership is the act of having legal rights and complete control over a single piece or set of data elements. Ownership as an attribute defines and provides information about the rightful owner of data assets and the acquisition, use, and distribution policy implemented by the data owner” (Techopedia, 2012). Although the United States has established laws that govern healthcare, financial, and personally identifying information, e.g., HIPAA, FACTA, HITECH, and several others, the European community leads the world in defining the rights of data owners, codified as the GDPR in 2016. Around the same time, the World Economic Forum began to address the retention and transborder sharing of information, culminating in the Presidio Principles published in 2020, just as the world was battling the Coronavirus pandemic.
Information Gathering Challenges Penumbral Right of Privacy
The US Supreme Court has considered and supported the right of privacy based on two different legal theories. The first saw the right to privacy emanating from the Bill of Rights (Griswold v. Connecticut, 381 US 479 (1965)), and the second examined the due process rights guaranteed by the Fourteenth Amendment (Lawrence v. Texas, 539 US 558 (2003)). Notwithstanding, a right to privacy is subject to the right of free speech explicitly stated in the First Amendment.
The founding documents of the United States speak of inalienable rights, including the right to liberty and the pursuit of happiness. Whether or not specific laws, regulations, or statutes directly and explicitly protect these does not nullify their practical basis in the common law. In his analysis of the Warren and Brandeis article on the subject (1890), Matthew Bycer says, “The common law embodies the roots for a right to privacy, a right to be free from harassment and exposure.” Bycer noted, “…new technology had launched a tabloid industry that profited on the most prurient interests without care to modern morals.” Similar concerns about the unregulated use of information by data gatherers in the social media industry appeared in the 2020 Netflix film, The Social Dilemma, a documentary about “the dangerous human impact of social networking, with tech experts sounding the alarm on their creations.”
A century later, technology companies have mastered the lawful collection and sharing of personal and private information, aided by terms and conditions published on websites and within programs where many waive their meager rights as the data owners. Unfortunately, massive databases are under constant attack by hackers, cybercriminals, and other nefarious agents seeking sensitive and private information to exploit, including employee records (Reuters, 2015).
Laws like GDPR and CCPA offer individuals legal “teeth” to assert their right to privacy in the digital space, as well as their control over online personas based on personally identifying information, behaviors, and trends. Law has always lagged technology, and until recently, technologies like blockchain and 5G security protocols were not available for commercial applications (Bertino, 2020).
The Threats Remain Real
According to the 2019 Internet Security Threat Report by Symantec (Symantec, 2019), supply chain attacks are up 78%, malicious PowerShell scripts have increased by 1000%, and Office files account for 48% of malicious email attachments. Attacks on Internet-of-Things devices, such as cameras and routers, accounted for 90% of targets in 2018, and nearly 58,000 web forms on websites were compromised to steal credit card data in 2018, up 117% year-over-year. Known takeovers of online accounts rose from 380,000 to almost 680,000 in the same timeframe.
Just as Y2K presented a worldwide challenge and stimulus to information technology development, the year 2038 poses a similar problem called the Unix Millennium Bug (Verma, 2017). The number of seconds elapsed since 1/1/1970 (the Unix epoch, the reference date from which Unix-derived operating systems count time) will exceed the four-byte capacity of the time value stored by many operating systems based on Unix. Most computers will need an extra byte of data to preserve time, and therefore, operating systems, networks, and applications require updates. Given the vast, global deployment of devices today, exposure of sensitive and private data about individuals and enterprises is far more likely than the malfunctions predicted for Y2K.
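An added C example, not from the article, that makes the rollover concrete: it shows what a 4-byte signed time_t does to a timestamp one second past 19 January 2038 and includes the range check a recordkeeping system could apply to retention deadlines before they are stored. It assumes a host with a 64-bit time_t; the deadline value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Largest value a signed 4-byte time_t can hold: 2^31 - 1 seconds after
 * the Unix epoch (00:00:00 UTC, 1 January 1970), i.e. 2038-01-19 03:14:07. */
#define TIME32_MAX ((int64_t)INT32_MAX)

/* What a system with a 4-byte signed time_t actually stores: the value is
 * truncated to its low 32 bits, so one second past the limit becomes
 * INT32_MIN, which the calendar functions render as 13 December 1901. */
static int32_t truncate_to_time32(int64_t t) {
    return (int32_t)(uint32_t)t;   /* two's-complement wrap, as on gcc/clang */
}

/* 1 if the timestamp survives a 4-byte signed time_t, 0 if it would wrap.
 * A recordkeeping system can run this on every retention deadline it stores. */
static int fits_in_time32(int64_t t) {
    return t >= INT32_MIN && t <= INT32_MAX;
}

/* UTC calendar year of a timestamp; assumes the host's time_t is 64-bit. */
static int utc_year(int64_t t) {
    time_t tt = (time_t)t;
    struct tm *tmv = gmtime(&tt);
    return tmv ? tmv->tm_year + 1900 : -1;
}

/* Render a timestamp as "YYYY-MM-DD HH:MM:SS" in UTC for display. */
static void format_utc(int64_t t, char *buf, size_t len) {
    time_t tt = (time_t)t;
    strftime(buf, len, "%Y-%m-%d %H:%M:%S", gmtime(&tt));
}

int main(void) {
    /* Constructed sample: a record retention deadline one second past the limit. */
    int64_t deadline = TIME32_MAX + 1;
    char wide[32], narrow[32];
    format_utc(deadline, wide, sizeof wide);
    format_utc(truncate_to_time32(deadline), narrow, sizeof narrow);
    printf("deadline in a 64-bit time_t: %s UTC\n", wide);
    printf("deadline in a 32-bit time_t: %s UTC (wrapped)\n", narrow);
    printf("fits in 4 bytes? %s\n", fits_in_time32(deadline) ? "yes" : "no");
    return 0;
}
```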
As society approaches the end of the first quarter-mark of this century, emerging technology and new applications can empower individuals as the owners of their personally identifying information, certified and validated by trusted third parties, and accessible only with their knowledge and approval.
The Presidio Principles in a Nutshell
From the WEF,
“Blockchain technology, a pillar of the Fourth Industrial Revolution, can unlock not only radical improvements across the public and private sectors but also enable new business and governance models that help enhance security, accountability, and transparency for people worldwide. However, [the] innovation that progresses without sufficient consideration for governance and [owner] protection often leads to undesirable outcomes for individuals, companies, and organizations, and society at large.”
A participant in the information ecosystem may be the data owner or the data gatherer. Based on the Presidio Principles, there are four significant values necessary to preserve participant rights:
- Transparency and accessibility – The right to information about the system.
- Agency and interoperability – The right to own and manage one’s data.
- Privacy and security – The right to data protection.
- Accountability and governance – The right to understand available recourse.
Three to five practices accompany each value, and these can be accessed online (WEF, 2020). The Presidio Principles presume the eventual creation of applications based on blockchain technology and public access to them. Nevertheless, the emergence of more secure technologies to build new applications and networks is at hand, and new apps are inevitable. Companies and individuals can sign onto the Presidio Principles, acknowledging the data owner’s “bill of rights.”
HR Data Governance and Response
The COVID-19 pandemic catalyzed the adoption of many new technologies, like video conferencing, at unprecedented speed. Everyone’s patterns for routine transactions, from banking to purchasing food, have changed, yielding recent debates over personal privacy rights, such as vaccine passports and incident tracking. Should employers require a certification from employees seeking to return to work, now or in the future? Who should administer the information gathered, and what about HIPAA and health privacy? What will happen to these records after the pandemic has subsided, revealing the “next normal,” especially when employers do not require evidence of any other vaccinations?
A casual examination of human resource information and applicant tracking systems reveals that employers retain far more information about candidates and employees – past, present, and future – than they realize. In many cases, keeping everything is unnecessary and places the company in jeopardy if a data breach occurs. In 2019 a major credit card company admitted to a breach of its database of cardholders and applicants, revealing personal information for 106 million people in the US and Canada. Surprisingly, the breach included information on people to whom the company did not extend credit. Recently, Facebook announced a new process for the platform’s customers to request removal of their data from its site. The last national election cycle was fraught with controversy as social media sites deleted, suspended, and banned customer accounts. In both cases, the Presidio Principles are not legally binding. Still, they express the intent of one of the most influential organizations in the world to help guide the future of ownership and gathering. Even the use of the word “owner” in this regard may be controversial to some since the United States lacks a national law that mimics the European GDPR. Simultaneously, the CCPA only applies to California residents, government agencies, and businesses, but be assured that sufficient laws in significant jurisdictions suggest the writing is on the wall.
As the professionals within most organizations responsible for some of the most sensitive information collected and distributed, it is incumbent upon HR professionals to be aware of the distinctions between data ownership and data gathering as existing applications are updated, and new products emerge. Knowing the difference and the liability assumed by employers as data gatherers is a start for the time being.
Note: IHRIM is a signatory to the Presidio Principles and cofounder of the Consortium for Decentralized Human Resources (DeHR.org). To learn more about the development, deployment, and discussions surrounding blockchain and other technologies in human resources, as well as the influence of the Presidio Principles in HR information management, please visit www.DeHR.org or email [email protected].
Bertino, Elisa, et al. “5G Security and Privacy – A Research Roadmap.” Computing Community Consortium, Mar. 2020.
Bycer, Matthew. Understanding the 1890 Warren and Brandeis “The Right to Privacy” Article, nationalparalegal.edu/UnderstandingWarrenBrandeis.aspx.
“California Consumer Privacy Act (CCPA).” State of California – Department of Justice – Office of the Attorney General, 3 Mar. 2021, www.oag.ca.gov/privacy/ccpa.
Douglas, Rob. “Trends and Statistics about Identity Theft.” ConsumerAffairs, ConsumerAffairs, 5 Apr. 2021, www.consumeraffairs.com/finance/identity-theft-statistics.html.
“Hidden Figures.” IMDb, IMDb.com, 6 Jan. 2017, www.imdb.com/title/tt4846340/.
Palmer, Danny. “What Is GDPR? Everything You Need to Know about the New General Data Protection Regulations.” ZDNet, ZDNet, 17 May 2019, www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/.
Reuters, Staff. “‘Outrageous Failure’: Database Hack Compromised All US Federal Workers – Union.” Reuters International, 2015, www.rt.com/usa/266689-federal-employees-data-hacked/.
“The Social Dilemma.” IMDb, IMDb.com, 9 Sept. 2020, www.imdb.com/title/tt11464826/.
Spacey, John. “6 Examples of a Data Owner.” Simplicable, 16 Sept. 2017, simplicable.com/new/data-owner.
Symantec, Staff. “The Internet Security Threat Report.” Vol. 24, Symantec, Feb. 2019, https://img03.en25.com/Web/Symantec/%7B984e78e2-c9e5-43b8-a6ee-417a08608b60%7D_ISTR_24_2019_April_en.pdf?elqTrackId=136e2f99e16c42e0805cb48597af9016&elqaid=6820&elqat=2.
Tearle, Oliver. “The Curious Origin of the Word ‘Computer’.” Interesting Literature, 25 Jan. 2020, interestingliterature.com/2020/02/origin-word-computer-etymology/.
Techopedia. “What Is Data Ownership? – Definition from Techopedia.” Techopedia.com, Techopedia, 29 Oct. 2012, www.techopedia.com/definition/29059/data-ownership.
Verma, Adarsh. “What Is The Year 2038 Problem In Linux? Will Unix Clocks Fail On Jan. 19, 2038?” Fossbytes, 26 Apr. 2017, fossbytes.com/year-2038-problem-linux-unix/.
WEF, Staff. “Presidio Principle: Foundational Values for a Decentralized Future.” World Economic Forum, May 2020, www3.weforum.org/docs/WEF_Presidio_Principles_2020.pdf.