---
name: data-privacy
description: Manage HR data privacy and protection including employee data handling, GDPR/CCPA compliance, consent management, data breach response, and privacy policy development. Use when handling employee personal data, ensuring privacy compliance, responding to data requests, managing data breaches, or developing privacy policies. Triggers on phrases like "data privacy", "employee data", "GDPR", "CCPA", "privacy compliance", "data protection", "consent management", "data breach", "PII", "personal data", "privacy policy", "data subject request", "right to be forgotten", "data minimization", "privacy by design".
---

# HR Data Privacy & Protection

Protect employee personal data and ensure compliance with privacy regulations.

## Workflow

1. Inventory data: What employee data do we collect, store, process, and share?
2. Assess compliance: Map data practices against GDPR, CCPA, and local regulations.
3. Develop policies: Privacy notice, data handling procedures, retention schedules.
4. Implement controls: Access controls, encryption, anonymization, vendor management.
5. Manage requests: Data subject access requests, consent management, erasure requests.
6. Train employees: HR team, managers, and all employees on data handling.
7. Monitor and audit: Regular compliance reviews, vendor assessments, incident tracking.
8. Respond to breaches: Detection, containment, notification, remediation.

## Regulatory Framework

```
PRIVACY REGULATION OVERVIEW
=============================

GDPR (General Data Protection Regulation) — European Union:
  → Applies to: Organizations established in the EU, and organizations outside the EU that
    offer goods/services to, or monitor the behavior of, people in the EU
  → Key principles: Lawfulness, fairness, transparency, purpose limitation, data minimization,
    accuracy, storage limitation, integrity/confidentiality, accountability
  → Employee rights: Access, rectification, erasure, restriction, portability, objection
  → Consent: Freely given, specific, informed, unambiguous, withdrawable; rarely valid for
    employees because of the employer/employee power imbalance, so rely on contract, legal
    obligation, or legitimate interest where a lawful basis other than consent exists
  → Special category data: Race, ethnicity, political opinions, religion, trade union membership,
    genetic data, biometrics, health, sex life, sexual orientation (processing prohibited unless
    an Article 9(2) condition applies, e.g. explicit consent or employment-law obligations)
  → DPO: Data Protection Officer required for public authorities, for large-scale regular and
    systematic monitoring of individuals, and for large-scale processing of special category data
  → Penalties: Up to €20 million or 4% of global annual turnover, whichever is higher
  → DSRs: Respond within one month (extendable by two further months for complex requests)

CCPA/CPRA (California Consumer/Privacy Rights Act):
  → Applies to: For-profit businesses doing business in California that meet a threshold
    (annual revenue, volume of consumer data, or share of revenue from selling/sharing data)
  → Employee rights: Notice of collection, access, deletion, correct, limit sensitive data
  → Employee provisions: CPRA extended consumer rights to employees (2023)
  → Consent: Opt-out for sale/sharing; sensitive data opt-in
  → Penalties: $2,500 per violation, $7,500 per intentional violation (base amounts, adjusted
    for inflation); enforced by the California Privacy Protection Agency and Attorney General
  → DSRs: Respond within 45 days (extendable by 45)

OTHER NOTABLE REGULATIONS:
  → UK GDPR: Post-Brexit UK data protection law (similar to EU GDPR)
  → LGPD (Brazil): Similar to GDPR; employee data protections
  → PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
  → POPIA (South Africa): Protection of Personal Information Act
  → Various US state laws: Virginia (VCDPA), Colorado (CPA), Utah, Connecticut, etc.
  → Sector-specific: HIPAA (health data), FERPA (education), FCRA (background checks)

KEY HR IMPLICATIONS:
  → Employee data is personal data subject to protection requirements
  → HR is often the largest collector and processor of personal data
  → Cross-border data transfers require adequacy decisions or safeguards
  → Employee monitoring (screenshots, keystrokes, location) has strict limits
  → Background checks require consent and compliance with FCRA (US) and local laws
  → Health data (benefits, accommodations, leave) is special category/sensitive data
```

## Employee Data Inventory

```
EMPLOYEE DATA CATEGORIES AND HANDLING
=======================================

CATEGORY 1: IDENTIFICATION DATA
  → Name, date of birth, photo, employee ID
  → Government IDs: Passport, driver's license, work authorization documents
  → Contact information: Address, phone, email
  → Handling: Encrypted storage; limited access; retention per employment + legal period

CATEGORY 2: EMPLOYMENT DATA
  → Job title, department, manager, hire date, employment status
  → Salary, compensation history, bonus, equity
  → Performance reviews, goals, development plans
  → Handling: Role-based access; managers see direct reports only; HR full access

CATEGORY 3: FINANCIAL AND TAX DATA
  → Bank account (direct deposit), tax withholding (W-4), dependents
  → Benefits elections, retirement account information
  → Handling: Encrypted; separate from general HR files; limited HR/payroll access

CATEGORY 4: HEALTH AND MEDICAL DATA (SENSITIVE)
  → Disability accommodations, medical leave documentation
  → Health benefits enrollment, life insurance beneficiary
  → EAP utilization, wellness program data
  → Handling: Separate file; restricted access; explicit Article 9 condition or equivalent
    legal basis documented; stricter retention limits than general personnel records

CATEGORY 5: PERFORMANCE AND DISCIPLINARY DATA
  → Performance ratings, PIP documentation
  → Disciplinary actions, warnings, investigation records
  → Handling: Confidential; restricted to HR and relevant managers; retention per policy

CATEGORY 6: MONITORING AND TECHNOLOGY DATA
  → Email monitoring, system access logs, location tracking
  → Device usage, productivity metrics, communication records
  → Handling: Transparent notice; legitimate interest assessment; minimize collection

CATEGORY 7: DIVERSITY AND DEMOGRAPHIC DATA
  → Race, ethnicity, gender, disability, veteran status
  → Handling: Voluntary self-identification; separate from personnel files; aggregate reporting

DATA PROCESSING REGISTER:
  → Data category and types
  → Purpose of processing
  → Legal basis (consent, contract, legal obligation, legitimate interest)
  → Retention period
  → Who has access
  → Third-party recipients (vendors, cloud providers)
  → Cross-border transfers and safeguards
  → Security measures applied
```
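A register like the one above is only useful if someone checks it for gaps. The following is an added example (Python, not code from the original page) that encodes the register fields as a schema and flags entries that lack a legal basis, record special category data without an Article 9 condition or with overly broad access, have no retention period, or transfer data without a recognized safeguard. The `Activity` schema, the rule set, the short names for lawful bases and safeguards, and the sample register at the bottom are all assumptions for illustration.

```python
"""Checks over an HR record of processing activities (RoPA).

Added example, not code from the original page. The Activity schema, the
rule set and the sample register at the bottom are assumptions for
illustration; adjust them to the organisation's own register.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Short names for the GDPR Art. 6(1) lawful bases.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "legitimate_interest", "vital_interests", "public_task"}
# Art. 9(1) special categories (the page lists a subset; the rest are added here).
SPECIAL_CATEGORIES = {"health", "race_ethnicity", "religion", "sexual_orientation",
                      "biometric", "genetic", "trade_union", "political_opinion"}
# Accepted Chapter V transfer safeguards, in short form (assumed naming).
TRANSFER_SAFEGUARDS = {"adequacy_decision", "sccs", "bcrs"}
# Minimum security measures every entry should record (assumed baseline).
MINIMUM_SECURITY = {"encryption_at_rest", "access_logging"}


@dataclass
class Activity:
    name: str
    data_categories: Set[str]
    purpose: str
    legal_basis: str
    retention: str                        # e.g. "termination + 6 years"
    access_roles: Set[str]
    recipients: List[str] = field(default_factory=list)
    transfers: List[Dict[str, str]] = field(default_factory=list)  # {"to": "US", "safeguard": "sccs"}
    art9_condition: Optional[str] = None  # required when special categories are processed
    security: Set[str] = field(default_factory=set)


def validate(a: Activity) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one register entry."""
    findings: List[Tuple[str, str]] = []
    special = a.data_categories & SPECIAL_CATEGORIES
    if not a.purpose.strip():
        findings.append(("ERROR", "no purpose of processing recorded"))
    if a.legal_basis not in LAWFUL_BASES:
        findings.append(("ERROR", f"unknown legal basis {a.legal_basis!r}"))
    elif a.legal_basis == "consent":
        # Regulators treat employee consent as rarely freely given (power imbalance).
        findings.append(("WARN", "consent is a weak basis for employee data; document why it is freely given"))
    if special and not a.art9_condition:
        findings.append(("ERROR", f"special category data {sorted(special)} without an Art. 9(2) condition"))
    if special and "all_employees" in a.access_roles:
        findings.append(("ERROR", "special category data readable by all employees"))
    if not a.retention.strip():
        findings.append(("ERROR", "no retention period; storage limitation cannot be enforced"))
    missing = MINIMUM_SECURITY - a.security
    if missing:
        findings.append(("WARN", f"security measures not recorded: {sorted(missing)}"))
    for t in a.transfers:
        if t.get("safeguard") not in TRANSFER_SAFEGUARDS:
            findings.append(("ERROR", f"transfer to {t.get('to')} without a recognised safeguard"))
    return findings


def validate_register(register: List[Activity]) -> Dict[str, List[Tuple[str, str]]]:
    """Findings per activity name; an empty list means the entry passed."""
    return {a.name: validate(a) for a in register}


def has_errors(findings: List[Tuple[str, str]]) -> bool:
    return any(sev == "ERROR" for sev, _ in findings)


# Constructed sample register (not real processing activities).
SAMPLE_REGISTER = [
    Activity("payroll", {"identification", "financial"}, "pay salaries and remit tax",
             "legal_obligation", "termination + 7 years", {"payroll"},
             recipients=["payroll vendor", "tax authority"],
             transfers=[{"to": "US", "safeguard": "sccs"}],
             security={"encryption_at_rest", "access_logging"}),
    Activity("occupational_health", {"health"}, "manage sick leave and accommodations",
             "legal_obligation", "termination + 3 years", {"hr_case_managers", "all_employees"},
             security={"encryption_at_rest"}),
    Activity("wellness_survey", {"health"}, "voluntary wellness programme",
             "consent", "", {"benefits_team"}, art9_condition="explicit_consent",
             security={"encryption_at_rest", "access_logging"}),
    Activity("hris_sync", {"identification", "employment"}, "replicate HRIS to analytics",
             "legitimate_interest", "duration of employment", {"people_analytics"},
             transfers=[{"to": "IN"}], security={"access_logging"}),
]

if __name__ == "__main__":
    for name, findings in validate_register(SAMPLE_REGISTER).items():
        print(name, "OK" if not findings else findings)
```

Run it before each compliance review and treat any ERROR as a blocker for the activity going live; WARN items (consent as basis, unrecorded security measures) are the ones to discuss with legal and IT security rather than fix mechanically.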
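Category 7 above says demographic data is reported only in aggregate, but an aggregate with a cell of one or two people still identifies them, and a published group total lets a reader recover a single hidden cell by subtraction. The following added example (Python, not code from the original page) implements small-cell suppression with complementary suppression for that case. The threshold of 5, the `make_rows` helper and the constructed per-department counts are assumptions; take the real threshold from the organization's disclosure policy.

```python
"""Aggregate voluntary self-identification data with small-cell suppression.

Added example, not code from the original page. The threshold of 5, the
complementary-suppression rule and the constructed rows are assumptions;
pick the threshold from the organisation's own disclosure policy.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional

MIN_CELL = 5  # cells with fewer people than this are never published (assumed threshold)


def aggregate(rows: List[Dict[str, str]], group_key: str, attribute: str,
              min_cell: int = MIN_CELL) -> Dict[str, Optional[dict]]:
    """Count `attribute` values per `group_key`, suppressing cells that would identify people.

    A group smaller than min_cell is withheld entirely (None). Within a group, a
    cell below min_cell is replaced by None. If exactly one cell is hidden, the
    group total would reveal it (total minus the visible cells), so the smallest
    visible cell is hidden as well (complementary suppression).
    """
    counts: Dict[str, Counter] = defaultdict(Counter)
    for row in rows:
        counts[row[group_key]][row.get(attribute, "not_disclosed")] += 1

    report: Dict[str, Optional[dict]] = {}
    for group, cells in counts.items():
        total = sum(cells.values())
        if total < min_cell:
            report[group] = None
            continue
        hidden = {v for v, n in cells.items() if n < min_cell}
        visible = sorted((n, v) for v, n in cells.items() if v not in hidden)
        if len(hidden) == 1 and visible:
            hidden.add(visible[0][1])   # hide the smallest visible cell too
        report[group] = {"total": total,
                         "cells": {v: (None if v in hidden else n) for v, n in cells.items()}}
    return report


def make_rows(spec: Dict[str, Dict[str, int]], group_key: str, attribute: str) -> List[Dict[str, str]]:
    """Expand {group: {value: count}} into one row per person (constructed data)."""
    return [{group_key: g, attribute: v}
            for g, dist in spec.items() for v, n in dist.items() for _ in range(n)]


# Constructed sample: per-department counts of a voluntary self-identification field.
SAMPLE_ROWS = make_rows({
    "engineering": {"group_a": 7, "group_b": 4, "group_c": 1},   # two small cells
    "sales":       {"group_a": 8, "group_b": 6, "group_c": 2},   # one small cell
    "marketing":   {"group_a": 2, "group_b": 1},                  # group too small
}, "department", "self_id")

if __name__ == "__main__":
    for dept, cells in aggregate(SAMPLE_ROWS, "department", "self_id").items():
        print(dept, cells if cells else "withheld (fewer than %d respondents)" % MIN_CELL)
```

Two caveats the code does not cover: a category that is absent from a group is itself a disclosure ("nobody in that team reports X"), so publish against a fixed category list and treat zero as a small cell where that matters; and reports released over time can be differenced against each other, so keep the same suppression decisions across periods for stable groups.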

## Privacy Policies and Notices

```
EMPLOYEE PRIVACY NOTICE
=========================

COMPONENTS OF EMPLOYEE PRIVACY NOTICE:
  → Who we are: Organization name, DPO contact
  → What data we collect: Categories of employee data
  → Why we collect it: Lawful basis for each processing activity
  → How we use it: Specific purposes (payroll, benefits, performance, compliance)
  → Who we share with: Vendors, government, insurance carriers (with specifics)
  → How long we retain it: Retention periods by data category
  → Your rights: Access, rectification, erasure, restriction, portability, objection
  → How to exercise rights: Process and contact information
  → International transfers: Where data goes, safeguards in place
  → Automated decision-making: Any profiling or automated decisions
  → Complaints: How to lodge complaint with supervisory authority
  → When notice was last updated

DELIVERY AND ACKNOWLEDGMENT:
  → Delivered: During onboarding (before data collection begins)
  → Format: Accessible, plain language, multi-language (if needed)
  → Acknowledgment: Employee signs acknowledgment (or electronic confirmation); this evidences
    that notice was given, it is not consent to processing
  → Updates: Re-notify when material changes occur
  → Accessibility: Intranet, handbook, onboarding materials, HR portal

DATA HANDLING POLICY (Internal):
  → Collection: Minimum necessary, purpose-specific, consent where required
  → Storage: Encrypted, access-controlled, backed up
  → Access: Role-based, need-to-know, logged
  → Sharing: Only with authorized recipients; vendor DPAs required
  → Retention: Defined periods; automated deletion when expired
  → Breach: Detection, reporting, response procedures
  → Training: Annual privacy training for HR and data handlers
```

## Data Subject Requests (DSRs)

```
DATA SUBJECT REQUEST PROCESS
==============================

TYPES OF REQUESTS:
  → Access: "What data do you have about me?"
  → Rectification: "This data is incorrect; please fix it."
  → Erasure: "Please delete my data." (Right to be forgotten)
  → Restriction: "Stop processing my data while we resolve this."
  → Portability: "Give me my data in a machine-readable format."
  → Objection: "Stop processing my data for this purpose."

PROCESS:
  1. Receive request: Any channel (email, form, verbal with follow-up writing)
  2. Verify identity: Confirm requester is the data subject (a DSR is a common pretext for
     obtaining someone else's file); prefer an existing authenticated channel such as the HR
     portal over collecting extra ID documents, and verify any third party's authority to act
  3. Log request: Date, type, data subject, deadline
  4. Assess scope: What data is in scope? Any exemptions apply?
  5. Collect data: Search all systems (HRIS, email, files, vendor systems); for backups, document
     when the backup cycle will expire the data rather than attempting live deletion
  6. Review: Legal review for exemptions (legal hold, employment records retention)
  7. Respond: Provide data (access), correct (rectification), delete (erasure), etc.
  8. Document: Record actions taken, data provided, exemptions applied
  9. Confirm: Notify data subject of completion

TIMELINES:
  → GDPR: One month from receipt (extendable by two further months for complex or numerous
    requests; the data subject must be told of the extension within the first month)
  → CCPA: 45 calendar days (extendable by 45)
  → Other: Varies by jurisdiction; typically 30–60 days

ERASURE REQUEST CONSIDERATIONS:
  → Cannot erase: Data required by law (tax, employment records, litigation holds)
  → Can erase: Marketing preferences, voluntary survey data, redundant copies
  → Partial compliance: Explain what can and cannot be erased and why
  → Vendor notification: Request erasure from third-party processors

EXEMPTIONS:
  → Legal obligation: Employment records required by labor law
  → Legal claims: Data needed for defense of legal action
  → Public interest: Statistical, research, historical purposes
  → Public health and safety: Occupational health and safety records required by law
  → Document exemptions clearly and consistently
```
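The erasure step above is where most DSR handling goes wrong: the deadline is counted in months under GDPR but days under CCPA, and each record has to be classified against the retention schedule and any litigation hold before anything is deleted. The following added example (Python, not code from the original page) computes the response deadline for both regimes, including the end-of-month edge case, and produces a per-record erase/retain/review plan plus the list of third-party processors that must be asked to erase. The retention schedule, the internal-system list, the `SAMPLE_RECORDS` and the fixed dates in `demo_plan` are assumptions for illustration.

```python
"""Plan the response to an employee erasure request and compute the deadline.

Added example, not code from the original page. The retention rules, the
calendar-month deadline logic, the internal-system list and the sample
records are assumptions for illustration; the real retention schedule comes
from the organisation's policy and local law.
"""
import calendar
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Years to keep each category after the employment ends (assumed schedule).
RETENTION_YEARS = {
    "tax_and_payroll": 7,
    "employment_contract": 6,
    "disciplinary": 2,
    "marketing_preferences": 0,   # nothing requires keeping it: erasable on request
    "wellness_survey": 0,
}
INTERNAL_SYSTEMS = {"hris", "shared_drive"}  # everything else is a third-party processor


def add_months(d: date, months: int) -> date:
    """Same day in the target month, clamped to that month's last day (31 Jan + 1 month = 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date, regime: str, extended: bool = False) -> date:
    """GDPR Art. 12(3) counts in months (one, plus two if complex); CCPA counts days (45, plus 45)."""
    if regime == "gdpr":
        return add_months(received, 3 if extended else 1)
    if regime == "ccpa":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime {regime!r}")


def response_deadline_iso(received: str, regime: str, extended: bool = False) -> str:
    """Same as response_deadline, with ISO date strings in and out."""
    return response_deadline(date.fromisoformat(received), regime, extended).isoformat()


def plan_erasure(records: List[Dict[str, str]], termination: date,
                 legal_hold_ids: Set[str], today: date) -> Dict[str, object]:
    """Decide erase / retain / review per record; retention and holds override the request."""
    plan: List[Tuple[str, str, str]] = []
    for rec in records:
        years = RETENTION_YEARS.get(rec["category"])
        if rec["id"] in legal_hold_ids:
            plan.append((rec["id"], "retain", "litigation hold; erase when the hold is lifted"))
        elif years is None:
            plan.append((rec["id"], "review", f"no retention rule for {rec['category']}"))
        elif years == 0:
            plan.append((rec["id"], "erase", "no statutory retention"))
        else:
            expires = add_months(termination, 12 * years)
            if expires <= today:
                plan.append((rec["id"], "erase", f"retention period ended {expires}"))
            else:
                plan.append((rec["id"], "retain", f"statutory retention until {expires}"))
    actions = {rid: action for rid, action, _ in plan}
    # Processors holding erasable data must receive an erasure instruction too.
    processors = sorted({r["system"] for r in records
                         if actions[r["id"]] == "erase" and r["system"] not in INTERNAL_SYSTEMS})
    return {"plan": plan, "notify_processors": processors}


# Constructed sample: a former employee's records across systems.
SAMPLE_RECORDS = [
    {"id": "r1", "category": "tax_and_payroll", "system": "payroll_vendor"},
    {"id": "r2", "category": "employment_contract", "system": "hris"},
    {"id": "r3", "category": "disciplinary", "system": "hris"},
    {"id": "r4", "category": "marketing_preferences", "system": "newsletter_vendor"},
    {"id": "r5", "category": "wellness_survey", "system": "wellness_vendor"},
    {"id": "r6", "category": "exit_interview_notes", "system": "shared_drive"},
]


def demo_plan() -> Dict[str, object]:
    """Run the sample scenario: left 15 Mar 2019, r5 under legal hold, assessed on 1 Jun 2024."""
    return plan_erasure(SAMPLE_RECORDS, date(2019, 3, 15), {"r5"}, date(2024, 6, 1))


if __name__ == "__main__":
    print("GDPR deadline for a request received 2024-01-31:", response_deadline_iso("2024-01-31", "gdpr"))
    result = demo_plan()
    for rid, action, reason in result["plan"]:
        print(rid, action, reason)
    print("processors to notify:", result["notify_processors"])
```

The plan, with its reasons, is the material for the partial-compliance response to the employee: what was erased, what is retained and until when, and why. Records marked `review` (no retention rule) are the ones the register check should have caught earlier.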

## Data Breach Response

```
DATA BREACH RESPONSE PLAN
============================

DETECTION:
  → Unusual system access patterns
  → Employee report: "I received a phishing email"
  → Vendor notification: Third-party breach affecting shared data
  → Security alert: System intrusion, malware, unauthorized access
  → Audit finding: Compliance audit identifies data exposure

RESPONSE STEPS:
  1. Contain: Isolate affected systems, revoke compromised access
  2. Assess: What data was exposed? How many individuals affected? Severity?
  3. Document: Timeline of events, data involved, actions taken
  4. Notify internally: DPO, legal counsel, senior leadership, HR
  5. Notify regulators: Within required timeframe (GDPR: 72 hours of becoming aware, unless the
     breach is unlikely to result in a risk to individuals; document that reasoning either way)
  6. Notify affected individuals: Without undue delay if the breach is likely to result in a
     high risk to their rights and freedoms
  7. Remediate: Fix vulnerability, reset credentials, enhance security
  8. Monitor: Watch for misuse of exposed data, identity theft signs
  9. Review: Post-incident review, lessons learned, plan updates

NOTIFICATION REQUIREMENTS:
  → GDPR: Supervisory authority within 72 hours of becoming aware (late notifications must
    explain the delay); affected individuals without undue delay when the risk is high
  → California: Breach statute (Civ. Code §1798.82) requires notice in the most expedient time
    possible and without unreasonable delay; CCPA adds a private right of action for breaches
    caused by failure to maintain reasonable security
  → Other state laws: Varies; many set a fixed outer limit of 30–60 days
  → Content of notice: What happened, what data involved, what company is doing,
    what individuals should do, contact information
  → HR-specific: Employee data breaches may require separate employee communication

POST-BREACH ACTIONS:
  → Credit monitoring: For exposed financial/tax data
  → Support: EAP for affected employees dealing with stress
  → Policy review: What failed? How to prevent recurrence?
  → Training: Reinforce security awareness
  → Audit: Comprehensive security audit of all data handling
  → Documentation: Full record for regulatory and legal purposes
```

## Integration Points

- HRIS vendor: Data processing agreement, security certifications, data location
- IT security: Access controls, encryption, incident response coordination
- Legal counsel: Regulatory interpretation, DSR review, breach notification
- Vendors: DPAs (Data Processing Agreements), security assessments
- Training platforms: Privacy awareness training delivery and tracking
- Communication: Privacy notices, breach notifications, policy updates
- Compliance management: Audit preparation, regulatory tracking, documentation

## Edge Cases

- **Global employee data**: Cross-border transfers; adequacy decisions; SCCs (Standard Contractual Clauses)
- **Employee monitoring**: Legitimate interest assessment; transparent notice; proportionality
- **Terminated employee data**: Retention requirements vs. erasure rights; legal holds
- **Background checks**: FCRA compliance (US); consent; adverse action process
- **Health data**: HIPAA (US); special category (GDPR); separate storage, restricted access
- **Union data**: Collective bargaining data; union-employer data sharing boundaries
- **Whistleblower data**: Protected disclosures; anonymity; restricted access
