As part of the PeopleSoft HCM Configuration Series, Oracle’s own Julie Alonso and Joe Willever presented on delivered features in PeopleSoft HCM that will help with data privacy through managing sensitive and personally identifiable information. The pair shared what PeopleSoft HCM currently provides for data deletion and employee content as well as how to leverage the recently enhanced Page & Field Configurator to allow your organization to mask any data field in PeopleSoft.
GDPR and Other Data Privacy Legislation
Is your organization affected by the General Data Protection Regulation? The GDPR regulates the “processing” of data for EU individuals, which includes the collection, storage, transfer, or use. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the European Union.
This high-level summary includes the primary pieces of information that you need to know about GDPR.
There must be a Request for Consent where employees must be given in an intelligible and easily accessible form, with the purpose of data processing attached to that consent. The Right to Access means that employees can request to obtain from the organization confirmation as to whether or not personal data concerning them is being processed, where, and for what purposes. The Right to be Forgotten entitles employees and applicants to have the organization erase their personal data, cease further dissemination of the data, and potentially have third parties halt the processing of the data.
GDPR came into effect on May 25, 2018. Penalties for organizations in breach of GDPR can be fined up to 4 percent of annual global revenue or $20 million (whichever is greater).
There were also several states in the U.S. that introduced data privacy legislation in 2019:
- January 2019: Massachusetts Consumer Data Privacy Act
- January 2019: New York Privacy Act
- February 2019: Maryland Online Consumer Protection Act
- April 2019: Pennsylvania Consumer Data Privacy Act
- May 2019: Hawaii Act Relating to Privacy
The California Consumer Privacy Act of 2018 (AB378) went into effect on January 1, 2020. The Request for Consent under this new law grants consumers the right to that data and with whom they are sharing it. The Right to be Forgotten gives consumers the right to tell companies to delete their information as well as to not sell or share their data. Children’s rights under this law make it more difficult to share or sell data on children younger than 15. Organizations around the world have to comply if they receive personal data from California residents and if they exceed one of the three thresholds:
- Annual gross revenues of $25 million
- Obtains personal information of 50,000 or more California residents, households, or devices annually
- 50 percent or more annual revenue from selling California residents’ personal information
Penalties under this law can be up to $7,500 per violation.
Data Privacy Features in PeopleSoft
There are several features that are quite useful when working with onboarding and Benefits Enrollment and getting consent. The Acknowledgement Framework allows you to deliver those consent forms to your employees during onboarding. The Person Data Delete process is another feature that allows the exclusion of records and validations overrides. The New Applicant Delete (HCM) and New Learner Delete (ELM) features are also very helpful.
PeopleTools provides a robust Data Archive Framework through Data Archive Manager. It defines templates that identify sets of data to be archived from production to history tables. It also identifies criteria for rows of data to be archived using PS/Queries. In addition, it provides the ability to delete data in a two-step approach. It is also important to note that PeopleSoft delivers templates as examples.
Personal and sensitive data identification has been addressed through the Data Privacy Framework. Categories and classifications can be added or changed. It is also important to note that custom fields should be added. Finally, references can be found for custom object references.
Page and Field Configurator for Data Masking
Page and Field Configurator is a very useful tool for data privacy. It can be used to modify field labels, gray out fields, hide the fields, provide a default value, and add required field edit for fields within the component. Page and Field Configurator can make a page display-only or control the visibility of pages within the component.
Both the masking profile and the field group are very important to the masking configuration. The masking profile is where you decide how the user will see the information on the page. The field group is where you identify a default masking profile to a group of fields that have a similar masking requirement.
There have been several recent enhancements to the Page and Field Configurator. There is now data masking and the ability to apply multiple configurations additively. It is now extended to secondary pages (modal windows) and has also extended user criteria to include/exclude multiple roles. Another enhancement is inactive sequences. It is also now extended to Fluid components and additional criteria.
Enhancements for Data Privacy in PeopleSoft
The image below shows recent enhancements for data privacy in PeopleSoft.
Oracle hopes to provide more data privacy Enhancements in the future. Data masking prevents the display of sensitive or personal data. In the future, Oracle hopes to provide PS Query Output Viewer, PS Query APIs, BI Publisher Reports, and the ability to mask fields for authorized query users.
Frequently Asked Questions About Data Privacy
One frequently asked question relates to data masking and scrambling in non-production environments. Oracle Consulting provides a comprehensive masking solution at the database level that is intended to assist in making personal and sensitive data more confidential and secure. It is intended for non-production environments such as a development and test. It supports the scrambling of personal data, such as a name or social security number, and the masking of sensitive data, such as compensation details.
Another frequently asked question relates to allowing view auditing. PeopleTools provides the ability to do audit changes made to employee data. It does not provide the ability to audit who has views the data in components, pages, and fields.
The final commonly asked question relates to two-factor authentication and access control. The two Oracle products that support 2FA/MFA are OAM and OAAM. Oracle Documentation that assists in this process is “Implementing PeopleSoft Single Sign-On” and “Implementing Oracle Access Manager for PeopleSoft.” Oracle does have multiple partners offering solutions, but they are not in the position to recommend any particular third-party since they do not perform any security testing on their products.
Data Privacy Resources
There are several additional resources available to help you learn more about data privacy and data masking in PeopleSoft, including:
- Knowledge documents on My Oracle Support
- PeopleSoft HCM 9.2 – Personally Identifiable and Sensitive Data (Doc ID 2313438.1)
- PeopleSoft HCM 9.2 – Implementing Sensitive Data Masking (Doc ID 2375376.1)
- PeopleSoft HCM Acknowledgement Framework Red Paper (Doc ID 2377140.1)
- PeopleSoft ELM 9.2 – Personally Identifiable and Sensitive Data (Doc ID 2415109.1)
- PeopleSoft FSCM 9.2 – Personally Identifiable and Sensitive Data for HCM sourced data in FSCM (Doc ID 2415089.1)
- Privacy and Security Feature Guidance for Oracle PeopleSoft (Doc ID 113.1)
- Legislative Blog
- Video Feature Overviews
To learn more about Page and Field Configurator and data masking in PeopleSoft HCM, check out the PeopleSoft HCM Configuration Series presentation attached below. For more webinars in the series, check out the Quest Events page.
COLLABORATE 20 will take place April 19-23, 2020 at the Mandalay Bay Resort and Casino in Las Vegas, Nevada! Don’t miss this chance to share inspiration, insights, and solutions with your peers, vendors, and the Oracle team! Register before March 6, 2020, to take advantage of Early Bird pricing.
If you’re looking for more PeopleSoft content, join us next year at RECONNECT 20, the premier deep-dive PeopleSoft focused event of the year! The event will take place July 21-23, 2020 in St. Louis, Missouri. Keep an eye out for more information on this event!