Privacy and Security Measures in Computing

Article excerpt

Privacy and security are two topics usually mentioned together. Although the technical and procedural solutions to security problems and privacy issues are, to some extent, identical (codes, passwords, access limits and so on), the subjects are conceptually different and are driven by different objectives.

Data-base security is the protection of human resources data and systems as proprietary, company-owned investments that should be protected from theft or damage. Security measures should treat the HRIS and its data as corporate property whose quality and content have value.

Data-base privacy proceeds from an entirely different perspective: data in a personnel system that's particular to employees is essentially private, or in one sense, owned by individual employees. The keepers of this information have a responsibility to ensure that this data is protected from careless dissemination, prying eyes or inappropriate use. Legal privacy rights exist in some situations, but the overriding concerns of HRIS privacy are usually employee morale, perception of the HRIS as a confidential repository of data and business requirements for accurate, complete records.

Despite dissimilar objectives, the reasons that privacy and security measures are likely to escalate in importance are related to the same twin trends: more data elements in the HRIS and more access to data by users.

The more powerful, high-capacity computer systems made possible by today's technology have expanded the amount and type of information that can be kept in an HRIS. It comes with a high price tag, though. At the same time, social management and regulatory developments have created apparent needs for an increased amount of mechanized data about individual employees and their families. For example:

* Government requirements under the Tax Reform Act of 1986, COBRA and other laws affecting benefits require comprehensive data on employee benefits, dependents, marital relationships and other private information.

* Pre-employment and post-employment testing (for drug abuse, AIDS, personality traits, intelligence, veracity and other personal physical and psychological characteristics) is on the rise in industry, and the sometimes-dubious results of these tests are finding their way into mechanized personnel files.

* The soaring costs of medical, life and other forms of insurance have propelled the growth of medical data gathered and maintained for insurance carriers, administrators of self-insurance plans and other benefits planners and administrators.

* Management needs for more data about human resources are being met with expanded measurement indicators, new codes and text on performance evaluation and management succession criteria, work history information, total compensation cost data, outside interests and skills, more educational data, and a host of other new and expanded fields of information made possible by today's technology.

Typically, the first issue to be addressed by any organization beginning to evaluate its own employee data privacy policy is what information is kept and why. The first step in resolving potential privacy problems is usually to clean up stored information so that the contents of manual or electronic files don't include unnecessary information -- from political affiliations to inquiries from law enforcement agencies. The rule always has been that personnel records should contain only data that is business related. This approach has made sense to system staffers, especially considering the amount of data about infinitely diverse people that can be stored electronically.

The expanded capacity made possible by today's HRIS technology and the growing business need for more data are the underlying forces that may make data proliferation a central privacy issue.

Human resources systems, perhaps more than any other computer-based systems, are designed and meant to be exploited as access systems. …