Data privacy deals with the proper handling of an individual’s sensitive and personal information. Many organizations face the challenge of using employee and applicant data while protecting a person’s privacy and personal identifiable information. Following legislative requirements across many regions, like the EU and California, employees and applicants need to be informed about the purpose and use of their data before you ask them to provide consent to process their data.
While many countries have data privacy laws, the European Union’s General Data Protection Regulation (GDPR) has the broadest regulations with the highest penalties. Similar legislation includes the California Consumer Privacy Act, passed by the state of California and going into effect in January 2020.
PeopleSoft has delivered features that comply with data privacy laws and allow you to:
- Identify sensitive and personable identifiable information
- Delete employee and applicant personal data
- Obtain employee acknowledgment and consent
- Mask or hide personal data
Acknowledgment Framework in PeopleSoft HCM
For new hires going through the employee onboarding process in a company, one of the steps in the process is to acknowledge that they understand and agree to the company’s terms and conditions. The Acknowledgment Framework is a configurable feature used to capture an employee’s consent, acknowledgment, and agreement. The onboarding process leverages the Acknowledgment Framework to capture the employee’s consent with terms and conditions that comply with data privacy laws. The framework can also capture electronic signatures and an audit trail of changes.
Depending on your business process, the onboarding activity guide may even be configured to not allow employees to complete other steps until they acknowledge and agree to the terms and conditions. They will have to select a checkbox and click “Save” to accept the terms and conditions of the company and move forward with the onboarding process.
For sensitive data, such as ethnic groups or veteran status, you have the option to include a tailored message to inform the employee about whether this information is voluntary or required.
Data Masking in PeopleSoft HCM
As a manager, you can use the Installation Table to mask personal data. Select “HCM Options” within the Installation Table. For personal and sensitive information shared by employees, it’s important that the data is only accessed by authorized administrators like HR administrators or HR service representatives—each requiring different access levels depending on security roles.
PeopleSoft HCM provides role-level security for administrator components and ensures that only authorized users have access. However, this doesn’t secure access to fields on the page that show sensitive information like date of birth. For protecting sensitive data, you can mask highly sensitive fields like an employee’s national ID, date of birth, bank account number, drivers license number, and passport number. To enable data masking, select the “Enable Masking” checkbox on the Installation Table and click “Save.”
To enable data masking at the component and field group level, search for “Set Up Component Level Masking.” For users without authorized roles, the system masks the sensitive fields and hides the associated fields. For example, you can choose to mask an employee’s drivers license numbers. You can enable full or partial masking. When HR representatives with limited security access review new hire tasks for the newly hired employee, they are able to verify the presence of a drivers license number, but the number will be partially masked.
Deleting Data in PeopleSoft HCM
The right to be forgotten, also known as data erasing, is a key part of data privacy laws. To erase employee data for a new hire, you can go to the Applicant ID Delete page. From there, search for your new hire. The right to be forgotten entitles an employee or applicant to compel the organization to erase his or her personal data. If an applicant requests to have his information deleted, the administrator selects the applicant to be deleted and runs the Applicant Delete process.
In another scenario, let’s say an employee has worked for an organization for a year but has now decided to pursue another opportunity and requested that all of his personal information be forgotten. To enable this request, the administrator needs to go to the Person ID Delete page. Once you’re on the page, search for the employee. The administrator can exclude certain tables from deletion. For example, you may want to delete all of the employee’s personal information but keep his payroll data. You can limit the ability to skip the record control and exclusion checks to specific roles. This prevents unauthorized users from deleting personal data that might legally need to be retained.
Access to Sensitive or Identifiable Information in PeopleSoft HCM
While not all attributes can be masked through configuration, it’s important for an organization to know which sensitive data and identifiable fields are in PeopleSoft HCM, where they are used, and who has access to them. To view this information, go to the View References page. This page can be used to search for sensitive data and identifiable fields within PeopleSoft HCM.
For example, the nationality and ethnicity information entered during the onboarding process is considered sensitive or identifiable information. When searching for nationality and ethnicity, you can see where the ethnic group information is accessed throughout the HCM application. You can enter further filter criteria to restrict access or download this information to Excel.
PeopleSoft delivers a sample of personal and sensitive fields in HCM. You can use the Maintain Data Privacy Settings page to see the sample fields that are provided to you within PeopleSoft HCM. Customers are encouraged to add their own custom personal and identifiable fields to this page. You can either add them to existing categories and classification or include your own custom values with the “Add” button.
Organizations can use the Update References option to reflect the use of these fields, including your custom pages and queries. In the Select Reference Type module, you can select the reference type that needs an update or refresh.
Conclusion
Now, more than ever before, it’s vital for organizations to maintain a high level or data privacy for their employees and applicants. It’s a good practice to review the national and local laws covering the locations in which you conduct business. PeopleSoft HCM provides several capabilities to assist customers in managing data privacy. To stay current with legislative updates in PeopleSoft HCM, keep up with the PeopleSoft Legislative Updates page full of Oracle blogs and updates.