Workforce Data: Is Legislation Enough?
Written by Tajinder Kumar and Claire Neale
The information explosion and the quantum growth in computing capability have provided organizations with unprecedented levels of workforce data. While the opportunity to collect, integrate, and analyze employee data in greater volumes can be enticing, it simultaneously raises several important questions. What level of employee monitoring is appropriate? What rights should employees have regarding their data? How do organizations ensure that their people analytics approach is not only beneficial to the company, but fair to employees?
In the legislative realm, there is growing awareness and vigilance around the rights of individuals regarding their data. On May 25, 2018, the General Data Protection Regulation (GDPR) entered into effect. The GDPR is based on a key guiding principle: personal ownership of private information. For example, the GDPR mandates that users can access their data, and request to have their data deleted (the "right to be forgotten").

The GDPR legislation is designed to provide a coherent system of privacy regulation for EU citizens. Notably, however, the legal requirements pertain to any company involved in handling the data of EU citizens, which includes many companies outside of the EU.
Moreover, the GDPR may be seen as a guidepost for how to treat data. In light of the recent scandal in which Cambridge Analytica leaked private information from as many as 87 million Facebook users, Facebook has declared that it will adopt GDPR standards for user data.
Singapore's data collection act, the PDPA, is similar to the GDPR in that its reach extends beyond Singapore's borders and applies to any organization that collects the personal data of its citizens.[1] However, the reach of the GDPR is far more extensive and the penalties for violating it are far more severe. While the GDPR is applicable to all EU organizations and to organizations that collect data on EU citizens, the PDPA has a more limited scope and includes several exemptions, excluding data collected by the public sector and business contact information.
In addition, the actual definition of consent in the context of the GDPR is far stricter than in the PDPA. While the PDPA treats the voluntary provision of data as consent, the GDPR requires express consent. The GDPR also requires that data only be used for the specific purpose for which it was collected, whereas the PDPA is more lenient in allowing use for "reasonable purposes".[2]
Canada's personal data protection act, PIPEDA, is similar to the GDPR in that they both ensure