HR AI Skill

Data Privacy

Manage HR data privacy and protection including employee data handling, GDPR/CCPA compliance, consent management, data breach response, and privacy policy development. Use when handling employee personal data, ensuring privacy compliance, responding to data...

HR Data Privacy & Protection

Protect employee personal data and ensure compliance with privacy regulations.

Workflow

  1. Inventory data: What employee data do we collect, store, process, and share?
  2. Assess compliance: Map data practices against GDPR, CCPA, and local regulations.
  3. Develop policies: Privacy notice, data handling procedures, retention schedules.
  4. Implement controls: Access controls, encryption, anonymization, vendor management.
  5. Manage requests: Data subject access requests, consent management, erasure requests.
  6. Train employees: HR team, managers, and all employees on data handling.
  7. Monitor and audit: Regular compliance reviews, vendor assessments, incident tracking.
  8. Respond to breaches: Detection, containment, notification, remediation.

Regulatory Framework

PRIVACY REGULATION OVERVIEW
=============================

GDPR (General Data Protection Regulation) — European Union:
  → Applies to: Any organization processing EU resident data (regardless of location)
  → Key principles: Lawfulness, fairness, transparency, purpose limitation, data minimization,
    accuracy, storage limitation, integrity/confidentiality, accountability
  → Employee rights: Access, rectification, erasure, restriction, portability, objection
  → Consent: Freely given, specific, informed, unambiguous, withdrawable
  → Special category data: Race, ethnicity, health, biometrics, religion, sexual orientation
    (higher protection, explicit consent required)
  → DPO: Data Protection Officer required for large-scale processing
  → Penalties: Up to €20 million or 4% of global annual revenue
  → DSRs: Respond within 30 days

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act):
  → Applies to: Businesses meeting thresholds (revenue, data volume, revenue from data)
    operating in California
  → Employee rights: Notice at collection, access, deletion, correction, limiting use of sensitive data
  → Employee provisions: CPRA extended consumer rights to employees (2023)
  → Consent: Opt-out for sale/sharing; sensitive data opt-in
  → Penalties: $7,500 per intentional violation; regulatory enforcement
  → DSRs: Respond within 45 days (extendable by 45)

OTHER NOTABLE REGULATIONS:
  → UK GDPR: Post-Brexit UK data protection law (similar to EU GDPR)
  → LGPD (Brazil): Similar to GDPR; employee data protections
  → PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
  → POPIA (South Africa): Protection of Personal Information Act
  → Various US state laws: Virginia (VCDPA), Colorado (CPA), Utah, Connecticut, etc.
  → Sector-specific: HIPAA (health data), FERPA (education), FCRA (background checks)

KEY HR IMPLICATIONS:
  → Employee data is personal data subject to protection requirements
  → HR is often the largest collector and processor of personal data
  → Cross-border data transfers require adequacy decisions or safeguards
  → Employee monitoring (screenshots, keystrokes, location) has strict limits
  → Background checks require consent and compliance with FCRA (US) and local laws
  → Health data (benefits, accommodations, leave) is special category/sensitive data

Employee Data Inventory

EMPLOYEE DATA CATEGORIES AND HANDLING
=======================================

CATEGORY 1: IDENTIFICATION DATA
  → Name, date of birth, photo, employee ID
  → Government IDs: Passport, driver's license, work authorization documents
  → Contact information: Address, phone, email
  → Handling: Encrypted storage; limited access; retention per employment + legal period

CATEGORY 2: EMPLOYMENT DATA
  → Job title, department, manager, hire date, employment status
  → Salary, compensation history, bonus, equity
  → Performance reviews, goals, development plans
  → Handling: Role-based access; managers see direct reports only; HR full access

CATEGORY 3: FINANCIAL AND TAX DATA
  → Bank account (direct deposit), tax withholding (W-4), dependents
  → Benefits elections, retirement account information
  → Handling: Encrypted; separate from general HR files; limited HR/payroll access

CATEGORY 4: HEALTH AND MEDICAL DATA (SENSITIVE)
  → Disability accommodations, medical leave documentation
  → Health benefits enrollment, life insurance beneficiary
  → EAP utilization, wellness program data
  → Handling: Separate file; restricted access; explicit legal basis; longer retention limits

CATEGORY 5: PERFORMANCE AND DISCIPLINARY DATA
  → Performance ratings, PIP documentation
  → Disciplinary actions, warnings, investigation records
  → Handling: Confidential; restricted to HR and relevant managers; retention per policy

CATEGORY 6: MONITORING AND TECHNOLOGY DATA
  → Email monitoring, system access logs, location tracking
  → Device usage, productivity metrics, communication records
  → Handling: Transparent notice; legitimate interest assessment; minimize collection

CATEGORY 7: DIVERSITY AND DEMOGRAPHIC DATA
  → Race, ethnicity, gender, disability, veteran status
  → Handling: Voluntary self-identification; separate from personnel files; aggregate reporting

DATA PROCESSING REGISTER:
  → Data category and types
  → Purpose of processing
  → Legal basis (consent, contract, legal obligation, legitimate interest)
  → Retention period
  → Who has access
  → Third-party recipients (vendors, cloud providers)
  → Cross-border transfers and safeguards
  → Security measures applied
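The handling rules in the inventory above (role-based access, managers limited to direct reports, health data kept in a separate restricted file, every access logged) and the register fields can be expressed as a small policy check. The following is an added example, not part of the original page: the employee names, roles, category-to-role mapping and register entries are constructed assumptions, and the "explicit consent for sensitive categories" rule simply encodes what the overview above states.

```python
"""Access-control and processing-register checks for HR data categories.

Added example (not from the original page). Encodes the handling rules listed
in the data inventory: HR has broad access, managers see employment and
disciplinary data for their direct reports only, payroll sees financial data,
health data is restricted to a separate benefits role, and every decision is
logged. All names, roles and register entries below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Category -> roles permitted to read it (constructed from the handling rules above)
CATEGORY_ACCESS = {
    "identification": {"hr"},
    "employment": {"hr", "manager"},
    "financial": {"hr", "payroll"},
    "health": {"hr_benefits"},          # separate file, restricted access
    "disciplinary": {"hr", "manager"},
    "monitoring": {"hr", "security"},
    "demographic": {"hr_reporting"},    # aggregate reporting only
}
SENSITIVE_CATEGORIES = {"health", "demographic"}

# Fields every processing-register entry must carry (mirrors the register list above)
REGISTER_FIELDS = ("category", "purpose", "legal_basis", "retention_days",
                   "access_roles", "recipients", "transfers", "security")

AUDIT_LOG: list[tuple[str, str, str, bool]] = []  # (requester, subject, category, allowed)


@dataclass(frozen=True)
class Employee:
    emp_id: str
    roles: frozenset
    manager_id: Optional[str] = None


def check_access(requester: Employee, subject: Employee, category: str) -> tuple[bool, str]:
    """Deny-by-default check; returns (allowed, reason) and appends to AUDIT_LOG."""
    allowed_roles = CATEGORY_ACCESS.get(category)
    if allowed_roles is None:
        decision = (False, f"unknown category {category!r}")
    else:
        matching = requester.roles & allowed_roles
        if not matching:
            decision = (False, f"roles {sorted(requester.roles)} not permitted for {category}")
        elif matching == {"manager"} and subject.manager_id != requester.emp_id:
            # Manager privilege is scoped to direct reports only
            decision = (False, "managers may only view their direct reports")
        else:
            decision = (True, f"granted via role {sorted(matching)[0]}")
    AUDIT_LOG.append((requester.emp_id, subject.emp_id, category, decision[0]))
    return decision


def validate_register_entry(entry: dict) -> list[str]:
    """Return findings for one processing-register entry; an empty list means it passes."""
    findings = [f"missing field: {f}" for f in REGISTER_FIELDS if f not in entry]
    category = entry.get("category")
    if category in SENSITIVE_CATEGORIES and entry.get("legal_basis") != "explicit_consent":
        findings.append("sensitive category requires explicit consent as legal basis")
    permitted = CATEGORY_ACCESS.get(category, set())
    if entry.get("access_roles") and not set(entry["access_roles"]) <= permitted:
        findings.append("access_roles broader than the category handling rule")
    return findings


# Constructed sample directory: alice is HR, bob manages carol, dave manages nobody here
ALICE = Employee("alice", frozenset({"hr"}))
BOB = Employee("bob", frozenset({"manager"}))
DAVE = Employee("dave", frozenset({"manager"}))
CAROL = Employee("carol", frozenset(), manager_id="bob")

# Constructed sample register entries
PAYROLL_ENTRY = {
    "category": "financial", "purpose": "salary payment", "legal_basis": "contract",
    "retention_days": 2555, "access_roles": ["hr", "payroll"],
    "recipients": ["payroll-vendor"], "transfers": "none", "security": "encrypted at rest",
}
WELLNESS_ENTRY = {
    "category": "health", "purpose": "wellness programme", "legal_basis": "legitimate_interest",
    "retention_days": 365, "access_roles": ["hr"],
    "recipients": ["wellness-vendor"], "transfers": "none", "security": "encrypted at rest",
}

if __name__ == "__main__":
    print(check_access(BOB, CAROL, "employment"))
    print(check_access(DAVE, CAROL, "employment"))
    print(check_access(ALICE, CAROL, "health"))
    print(validate_register_entry(WELLNESS_ENTRY))
```

The register validator flags the wellness entry twice: health data processed on a "legitimate interest" basis contradicts the explicit-consent rule stated above, and granting the general HR role access contradicts the separate-file rule. The audit log is what a later compliance review or breach investigation would read to answer "who looked at whose data".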

Privacy Policies and Notices

EMPLOYEE PRIVACY NOTICE
=========================

COMPONENTS OF EMPLOYEE PRIVACY NOTICE:
  → Who we are: Organization name, DPO contact
  → What data we collect: Categories of employee data
  → Why we collect it: Lawful basis for each processing activity
  → How we use it: Specific purposes (payroll, benefits, performance, compliance)
  → Who we share with: Vendors, government, insurance carriers (with specifics)
  → How long we retain it: Retention periods by data category
  → Your rights: Access, rectification, erasure, restriction, portability, objection
  → How to exercise rights: Process and contact information
  → International transfers: Where data goes, safeguards in place
  → Automated decision-making: Any profiling or automated decisions
  → Complaints: How to lodge complaint with supervisory authority
  → When notice was last updated

DELIVERY AND ACKNOWLEDGMENT:
  → Delivered: During onboarding (before data collection begins)
  → Format: Accessible, plain language, multi-language (if needed)
  → Acknowledgment: Employee signs acknowledgment (or electronic confirmation)
  → Updates: Re-notify when material changes occur
  → Accessibility: Intranet, handbook, onboarding materials, HR portal

DATA HANDLING POLICY (Internal):
  → Collection: Minimum necessary, purpose-specific, consent where required
  → Storage: Encrypted, access-controlled, backed up
  → Access: Role-based, need-to-know, logged
  → Sharing: Only with authorized recipients; vendor DPAs required
  → Retention: Defined periods; automated deletion when expired
  → Breach: Detection, reporting, response procedures
  → Training: Annual privacy training for HR and data handlers

Data Subject Requests (DSRs)

DATA SUBJECT REQUEST PROCESS
==============================

TYPES OF REQUESTS:
  → Access: "What data do you have about me?"
  → Rectification: "This data is incorrect; please fix it."
  → Erasure: "Please delete my data." (Right to be forgotten)
  → Restriction: "Stop processing my data while we resolve this."
  → Portability: "Give me my data in a machine-readable format."
  → Objection: "Stop processing my data for this purpose."

PROCESS:
  1. Receive request: Any channel (email, form, or verbal request followed up in writing)
  2. Verify identity: Confirm requester is the data subject (prevent unauthorized access)
  3. Log request: Date, type, data subject, deadline
  4. Assess scope: What data is in scope? Any exemptions apply?
  5. Collect data: Search all systems (HRIS, email, files, backups, vendor systems)
  6. Review: Legal review for exemptions (legal hold, employment records retention)
  7. Respond: Provide data (access), correct (rectification), delete (erasure), etc.
  8. Document: Record actions taken, data provided, exemptions applied
  9. Confirm: Notify data subject of completion

TIMELINES:
  → GDPR: 30 calendar days (extendable by 60 for complex requests)
  → CCPA: 45 calendar days (extendable by 45)
  → Other: Varies by jurisdiction; typically 30–60 days

ERASURE REQUEST CONSIDERATIONS:
  → Cannot erase: Data required by law (tax, employment records, litigation holds)
  → Can erase: Marketing preferences, voluntary survey data, redundant copies
  → Partial compliance: Explain what can and cannot be erased and why
  → Vendor notification: Request erasure from third-party processors

EXEMPTIONS:
  → Legal obligation: Employment records required by labor law
  → Legal claims: Data needed for defense of legal action
  → Public interest: Statistical, research, historical purposes
  → Vital interests: Health and safety records
  → Document exemptions clearly and consistently
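The DSR process, timelines, erasure considerations and exemptions above fit together as one workflow: verify identity before touching anything, log the request with its deadline, split the subject's data into what can be erased and what must be retained under an exemption, record the reasons, and queue erasure requests to third-party processors. The code below is an added example, not part of the original page; the regimes, deadline figures follow the timelines stated above, and the data items, system names and vendor labels are constructed.

```python
"""Data subject request (DSR) handling with deadline tracking and erasure triage.

Added example (not from the original page). Deadline figures are the ones
stated in the section above (GDPR 30 days extendable by 60, CCPA 45 days
extendable by 45). Data items, systems and vendor names are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# regime -> (initial response window in days, extension in days), per the timelines above
DSR_DEADLINES = {"gdpr": (30, 60), "ccpa": (45, 45)}


@dataclass(frozen=True)
class DataItem:
    category: str
    source: str                    # system holding the copy, e.g. "hris" or "vendor:survey-tool"
    legal_hold: bool = False       # litigation hold -> legal-claims exemption
    required_by_law: bool = False  # tax / employment-record retention -> legal-obligation exemption


@dataclass(frozen=True)
class DsrRequest:
    request_id: str
    subject_id: str
    kind: str                      # access | rectification | erasure | restriction | portability | objection
    regime: str                    # gdpr | ccpa
    received: date
    identity_verified: bool = False
    extended: bool = False         # extension invoked for a complex request


def response_deadline(req: DsrRequest) -> date:
    """Statutory response deadline, including the extension if it was invoked."""
    initial, extension = DSR_DEADLINES[req.regime]
    return req.received + timedelta(days=initial + (extension if req.extended else 0))


def triage_erasure(items: list[DataItem]) -> tuple[list[DataItem], list[tuple[DataItem, str]]]:
    """Split items into erasable ones and retained ones, each retention carrying its exemption."""
    erase, retain = [], []
    for item in items:
        if item.legal_hold:
            retain.append((item, "legal claims: litigation hold"))
        elif item.required_by_law:
            retain.append((item, "legal obligation: statutory retention"))
        else:
            erase.append(item)
    return erase, retain


def handle_request(req: DsrRequest, items: list[DataItem]) -> dict:
    """Produce the documentation record for a request (step 8 of the process above)."""
    if not req.identity_verified:
        # Step 2: never disclose or delete before the requester is confirmed to be the subject
        raise PermissionError(f"{req.request_id}: identity not verified")
    record = {
        "request_id": req.request_id,
        "subject_id": req.subject_id,
        "kind": req.kind,
        "deadline": response_deadline(req).isoformat(),
    }
    if req.kind == "erasure":
        erase, retain = triage_erasure(items)
        record["erased"] = [f"{i.category}@{i.source}" for i in erase]
        record["retained"] = [{"item": f"{i.category}@{i.source}", "reason": r} for i, r in retain]
        # Erasure must also be requested from third-party processors holding copies
        record["vendor_notifications"] = sorted({i.source for i in erase if i.source.startswith("vendor:")})
    elif req.kind == "access":
        record["disclosed"] = [f"{i.category}@{i.source}" for i in items]
    else:
        record["action"] = f"{req.kind} recorded for manual handling"
    return record


# Constructed sample data for one employee spread across internal and vendor systems
SAMPLE_ITEMS = [
    DataItem("tax_withholding", "hris", required_by_law=True),
    DataItem("survey_responses", "vendor:survey-tool"),
    DataItem("investigation_record", "hris", legal_hold=True),
    DataItem("marketing_preferences", "intranet"),
]

if __name__ == "__main__":
    req = DsrRequest("DSR-0001", "emp-42", "erasure", "gdpr", date(2024, 3, 1), identity_verified=True)
    print(handle_request(req, SAMPLE_ITEMS))
```

The record returned by `handle_request` is what steps 8 and 9 of the process call for: it states the deadline, what was erased, what was kept and under which exemption, and which processors still need to be told. Raising on an unverified identity is deliberate; an erasure or disclosure made to the wrong person is itself a breach.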

Data Breach Response

DATA BREACH RESPONSE PLAN
============================

DETECTION:
  → Unusual system access patterns
  → Employee report: "I received a phishing email"
  → Vendor notification: Third-party breach affecting shared data
  → Security alert: System intrusion, malware, unauthorized access
  → Audit finding: Compliance audit identifies data exposure

RESPONSE STEPS:
  1. Contain: Isolate affected systems, revoke compromised access
  2. Assess: What data was exposed? How many individuals affected? Severity?
  3. Document: Timeline of events, data involved, actions taken
  4. Notify internally: DPO, legal counsel, senior leadership, HR
  5. Notify regulators: Within required timeframe (GDPR: 72 hours)
  6. Notify affected individuals: If risk to rights and freedoms
  7. Remediate: Fix vulnerability, reset credentials, enhance security
  8. Monitor: Watch for misuse of exposed data, identity theft signs
  9. Review: Post-incident review, lessons learned, plan updates

NOTIFICATION REQUIREMENTS:
  → GDPR: Supervisory authority within 72 hours of becoming aware
  → CCPA: Notice "as soon as practicable" after discovery
  → State laws: Varies; many require notice within 30–60 days
  → Content of notice: What happened, what data involved, what company is doing,
    what individuals should do, contact information
  → HR-specific: Employee data breaches may require separate employee communication

POST-BREACH ACTIONS:
  → Credit monitoring: For exposed financial/tax data
  → Support: EAP for affected employees dealing with stress
  → Policy review: What failed? How to prevent recurrence?
  → Training: Reinforce security awareness
  → Audit: Comprehensive security audit of all data handling
  → Documentation: Full record for regulatory and legal purposes

Integration Points

Edge Cases