Data privacy and data retention: What should employers do? Imagine the following case: Your company receives a visit from an ex-employee who asks that you remove certain sensitive data from the company database. The head of HR kindly explains that those records must be preserved for three years due to U.S. legal requirements. The former employee, citing existing data privacy and data retention regulations, threatens to file a lawsuit to have the documents erased.
This scenario is not at all unbelievable. The legal requirements for data retention—that is, how long records must be retained to be in compliance—and data privacy and data retention have always been at odds with one another.
For the time being, let’s ignore the reasons behind employee departures and how businesses are reacting. The obvious problem is that businesses are now losing a record number of staff. And this is bringing up the problem of keeping private employee information. This, along with tougher privacy regulations and sanctions for excessive data retention, explains why data retention has emerged as one of the most important issues in relation to data security and privacy.
At Mage, yeuesports.com do not pretend to be attorneys and we do not offer legal advice. However, we may discuss the best practices for data protection and access control to address both the requirement for data retention and privacy concerns.
What Counts as Private Employee Data?
The first thing to understand is that there is no single, accepted definition of what constitutes private or sensitive employee data, either legally or otherwise. But it’s evident that some things fit into this category for everyone:
- Employee addresses/places of residence
- Social Security numbers
- Dates of birth
- Salary information
- Insurance information
- Medical records
- Bank account information
Anything that an employee would typically have a “reasonable expectation” will be kept private and used solely for the employee’s benefit is considered sensitive data. As a result, it covers the kinds of data that firms typically collect to handle tasks like processing payroll and overseeing benefit programs for employees.
The Tension Between Data Privacy and Data Retention
When it comes to record keeping and data retention, data privacy and data retention
becomes a problem. For instance, even after an employee has left a company, employers above a particular size are required to preserve payroll records for at least three years under the U.S. Fair Labor Standards Act (FLSA).
Consider what must occur for a business to be in compliance with, instance, the GDPR of the European Union (which applies to any business doing business in the EU, regardless of whether they have a location there). Employees must be informed of the following under the GDPR:
- What data of theirs is collected
- Who owns or controls that data
- Any third parties that receive their data (such as payroll providers or benefits providers)
- Their rights and protections under the GDPR
Some organizations will have a substantial amount of sensitive information relating to former employees because records must be preserved for three years. As a result, these former employees will also need to be informed about their data.
Additionally, the GDPR includes a provision known as “The Right to Be Forgotten.” This translates to the ability to ask for the removal of personal data from a system. As a result, a former worker may ask a corporation to delete any personal information that was gathered about them while they worked there.
Things worsen. What would happen if a business wanted to perform analytics on, let’s say, benefit usage? Data from the company’s current and former employees will be needed. But it’s possible that the business might want to hire a third party to handle these analyses. In addition to the privacy restrictions that would need to be followed, giving the actual data to an analytics company would also stir up a hornet’s nest when it crossed international boundaries.
Best Practices for Data Privacy of Ex-Employees
Can an employee genuinely request that you delete their data, then? No and yes.
For instance, the GDPR makes it explicit that there are situations in which an employer might decline to comply with a request to be forgotten, such as where the data or the processing of the data must be kept for legal reasons or is necessary for an ongoing legal matter. Therefore, if a law explicitly mandates the retention of data, it should be complied with.
If the data is kept after the legal window for retention, things become more complicated. Due to this, a lot of businesses are using automated methods to delete data records on a predetermined period (like our own Data Minimization, which is a component of the Mage Data Minimization suite).
Care must still be taken with regard to data that is still inside the retention window. Consider the aforementioned analytics example. The risk of a data breach is substantially larger when data is transferred to third parties, which is a sensitive activity. Sending masked data with a technology that maintains the links between data items makes more sense than sending sensitive data. Due to this, third parties can offer helpful insights without having access to personal data directly.
Finally, it pays to regularly examine your data to identify the locations of sensitive employee data. There’s a considerable chance that a sizable amount of employee data “lives” in locations that routine records deletion might miss. Regarding data privacy and data retention, this could be problematic. When it comes to data privacy and data retention laws, an organization can “plug the holes” by performing sensitive data discovery, either by erasing the information or concealing it (if it is already a part of ongoing business processes).