For many employers, having their employees’ health or financial information online might be useful for ease of access, but concerns have been raised around the question of personal privacy. Kavitha Sivasubramaniam explores how organisations can use analytics to improve their benefits offerings while keeping data secure.


There is no denying that HR departments have access to some of an organisation’s most important data, including information relating to the employer’s most valuable – and most costly – assets: its people. Used wisely, this data can inform key business decisions, enriching benefits decisions and in turn helping to recruit and retain top talent within the organisation. But HR teams have both a moral and a legal responsibility to ensure this data is protected. If they fail to do so, they could face significant fines, as well as reputational damage.

For this reason, in some contexts data analytics are a cause for concern. However, given the good that they can do in improving understanding of, and outcomes relating to, employee benefits, data protection should not be seen as a barrier to using them.


In terms of benefits data in particular, employers should focus on how employees engage with their benefits package, according to Jeff Fox, principal at Aon Employee Benefits.

“This has traditionally been measured in a simplistic way by looking at take-up, which is a pretty blunt instrument. It doesn’t tell you how employees have used the benefit, if they are an advocate of the product, etc,” he explains. “It needs to be more profound than this. Data must be used to drive and enrich employee engagement. The challenge is how you define engagement. It should connect with employees’ jobs – they need to become advocates of the services you offer. That’s how data can and should be used.”

Helen Baker, partner at Sackers law firm, agrees that analytics can be very valuable to employees and their employers because they can help to identify issues and ways to address them. That said, she identifies the following points that should be looked at:

  • Who will be carrying out the analytics? How will they work and does this mean that they will be a data controller, a joint data controller or a data processor?
  • Are suitable appointment terms in place that reflect the work that will be being done, and that limit how the data can be used to what the employer, scheme or benefit arrangement is aiming to achieve?
  • Has the use of analytics been explained to the individuals whose personal data will be reviewed so that the communication requirements have been met?
  • Do consents need to be obtained?
  • How will the output of the analytics be used? Analytics are often associated with influencing decisions. Employers, schemes and the providers of benefit arrangements will want to strike the right balance here.

“The concern is that over-reliance on analytics could lead to employees being encouraged to make decisions relating to their benefits that do not reflect all of their needs and circumstances,” explains Baker. “Giving too great a steer towards a particular course of action could lead to someone making a decision that isn’t the right one for them, and to claims. It may well be preferable to use the analytics to help to inform communication and engagement with employees and members and to provide information rather than seeking to influence decisions.”


With technology constantly evolving, much of the employee data is obtained from different sources, including online platforms, smartphones and wearable technology. According to Baker, technology is “double-edged”: there are many ways in which it can help, since data held electronically may be much easier to access and to update.

“However, with the use of technology comes cyber security risk and the potential for an error on the part of someone using the data to result in it being shared very widely very quickly,” she says. “The reality of the world in which we operate is that technology is being used, and it is here to stay. Steps therefore need to be taken to address the risks, and to keep on top of them.”

Baker adds that those who carry out hacks and who want to access data to carry out fraud will aim to stay ahead of security measures and to adapt what they do as security systems are tightened, so addressing security cannot be a one-off exercise.


So how can employers ensure that the data they have can be protected? Fox says that when it comes to keeping employee data secure, the starting point is always to keep the Data Protection Act (DPA) in mind.

“These days everything involves data and the risks around data breaches and employees’ concerns are as high now as they’ve ever been,” he explains. “The spotlight is on employers to obtain data in the most appropriate way. When they get the data, they need to carefully consider what they are going to do with it. They shouldn’t get data without a purpose and often have more than they really need.”

There are two aspects to getting it right, according to Baker.

“The first is compliance with legal requirements, which provide a framework for managing personal data appropriately and securely,” she says. “The second is the practical steps which can be taken to protect data. These range from practical steps that can be taken to keep data securely and to minimise the risk of human error resulting in a data breach to IT security.”


From 25 May 2018, a new European data regime, the General Data Protection Regulation (GDPR), will take effect. Alongside a new Data Protection Bill, GDPR will replace the existing DPA, building upon individuals’ current protections and rights while also creating some new legal responsibilities for businesses that process personal information.

Much of what GDPR covers is familiar, but there are a number of new requirements that are very relevant to employers and to the provision of employee benefits. These are in areas such as communication (more will need to be said to individuals about the personal data that is held), individual rights (individuals will have more extensive rights to make requests in respect of their personal data) and in respect of the governance of personal data.

The work that employers will need to do to achieve compliance depends on what the personal data is, what it is used for, where it is and who is using it. It is a good idea to start by carrying out checks or data mapping to understand what is being held. This forms the foundation of the compliance work that needs to be done. It is also valuable when considering whether there is scope to change what is held and how the data is used and managed, which should make compliance work more manageable and reduce the potential for breaches.

“Having thorough and efficient information management systems and processes is important – carry out an audit of what information you have, why you have it and where it is. This will make it easier to comply,” advises Information Commissioner’s Office (ICO) group manager for private and third sector engagement, Garreth Cameron. “Data protection training for staff is vital, as is a sound information management regime and ensuring there are adequate security measures in place to protect the personal information you hold.” 

Currently, organisations are not legally obliged to report data protection breaches to the ICO, but under GDPR they will be required to do so where a breach is likely to result in a risk to people’s rights and freedoms.

“Ultimately, HR teams are going to be held accountable for where data is kept, how it is stored and how it is used,” says Fox. “They will be the first port of call for any issues that may happen. The buck is going to stop with HR when it comes to maintaining standards.”

Under the GDPR, the maximum fine has been substantially increased from £500,000 under the DPA to €20,000,000 or 4% of the data controller’s annual worldwide turnover, whichever is higher. However, the ICO believes that concentrating on fines can be counter-productive and urges employers to look at the other possible consequences of failing to protect employee data.

“Organisations should also consider the potential for significant reputational and brand damage if a data breach becomes public,” warns Cameron. “This can also have financial implications for an organisation in terms of public trust and confidence, and for the individuals responsible.”