Dear Colleagues!  This is Asrar Qureshi’s Blog Post #846 for Pharma Veterans. Pharma Veterans aims to share knowledge and wisdom from Veterans for the benefit of Community at large. Pharma Veterans Blog is published by Asrar Qureshi on WordPress, the top blog site. Please email to asrar@asrarqureshi.com for publishing your contributions here.

If we ask any organization here whether it is ‘collecting’ employees’ data, it will flatly say no. It will be right in its own understanding, because organizations believe they are ‘recording’ available data, not ‘collecting’ it. This may be a fine difference, but it is critical. When an organization understands that it is collecting employees’ data systematically, it becomes liable for the data’s security and protection. If it thinks it is only recording available information, it is rather careless about it. This is what is happening, particularly in the HR departments of most organizations.

The reality is that the organizations capture a wide range of employee data for various purposes, including HR management, performance evaluation, workforce planning, and compliance. This data is valuable for improving operations and decision-making. However, it also raises implications and risks related to privacy, security, and ethical concerns. To minimize problems associated with employee data collection, organizations need to adopt responsible data practices. Let’s look into the types of employee data, their implications, risks, and mitigation strategies:

Types of Employee Data

Personal Information – Basic personal data includes names, addresses, contact information, CNIC – Computerized National Identity Card number, education history, disabilities if any, family members’ names, ages, and emergency contacts. Every new joiner is required to fill in an employment form which has columns for submitting detailed information. It also asks for the history of past and current positions, job titles, start and end dates, and salary history. This is the most sensitive information, as it may lead to identity theft if it reaches the wrong hands.

Financial Data – Information related to bank accounts, salary, bonuses, tax withholdings, provident fund contributions, incentives earned, increments, and any other financial benefits that the employee may be receiving. Staff salaries and increments in any organization are an open secret because these are handled by lower staff without discretion. This is also highly sensitive information which could lead to fraud or exploitation.

Performance Data – Targets, objectives, metrics, achievement or lack of it, appraisals, comparison with peers, placement within the context of the whole organization. This is also sensitive information. It includes information on participation in employee engagement surveys, climate surveys, feedback sessions, and performance evaluation.

Work Habits Data – Information on attendance, work hours, leaves, sick report days, vacations, overtime etc. This gives the work habits profile of the person, which could impact his/her future in this or any other organization.

Training and Development Data – Data on training courses attended, certifications, and professional development; it also shows the performance in these programs, comments from the trainers etc. This is another important aspect of work profile.

Communications Data – Records of hundreds or thousands of emails, chat messages, and other forms of communication within the organization are preserved. These are important for the organization but also reflect upon the employee.

Need for Employee Data Collection

Employee data collection is mandated by relevant laws and has real benefits. If analyzed properly, the information is highly valuable. Unfortunately, this is not happening in Pakistan. The organizations are sitting on heaps of information and not making use of it.

Improved Decision-Making – Employee data can help to make informed strategic decisions, such as workforce planning, talent acquisition, and performance management.

Enhanced Employee Experience – Personalized development plans and benefits packages can be tailored based on employee data, improving job satisfaction.

Legal Compliance – Accurate records of employee data are essential for compliance with labor laws, taxation regulations, and reporting requirements.

Concerns About Employee Data Collection

Privacy Concerns – Collecting sensitive personal data may infringe on employees’ privacy if not handled with care. Some of the information is really personal and private.

Data Security – Storing and transmitting employee data pose security risks. Data breaches can lead to identity theft and financial loss. Unauthorized use of any part of data can have social implications also. Data security is our weak area anyway.

Bias and Discrimination – Data collection and analysis may inadvertently reinforce biases in decision-making, leading to discrimination. This can be especially damaging if analyses are not completely impartial. We carry many biases about gender, caste, family background, zodiac signs and what not. And we carry these social biases to the workplace also.

Steps to Minimize Problems with Employee Data Collection

  • Clearly communicate to employees what data is being collected, why, and how it will be used. Obtain informed consent when necessary.
  • Collect only the data necessary for specific purposes, minimizing the amount of sensitive information stored.
  • Implement robust cybersecurity measures, encryption, and access controls to protect employee data from unauthorized access and breaches.
  • Train employees and managers on data privacy, security, and ethical considerations.
  • Establish clear policies and procedures for data collection, storage, and disposal.
  • If using external vendors for data management, ensure they follow stringent data protection standards. Presently, HR and Accounts are outsourced by some organizations. In these cases, third party vendors must be forced to follow data protection practices.
  • Establish guidelines for the retention and deletion of employee data to reduce data storage risks.
  • Create channels for employees to report concerns about data handling and privacy violations.

In conclusion, employee data collection offers numerous benefits for organizations, but it also brings ethical, privacy, and security challenges. To minimize problems associated with employee data collection, organizations must adopt responsible data practices, prioritize transparency, and adhere to legal and ethical standards, thus striking a balance between data-driven decision-making and safeguarding employee rights and privacy.

Pakistan Data Protection Landscape

The right to privacy of a citizen is enshrined in the Constitution of Pakistan; however, this right has not been developed into a law to date. Despite several draft laws since 2005, Pakistan still does not have a dedicated law on Data Protection. Pakistan promulgated the Prevention of Electronic Crimes Act 2016 – PECA – which, besides protecting people against cybercrimes, also provides for protection of identity data of citizens. The Act came under light recently when the government wanted to add certain clauses detrimental to public rights. The Act provides that any identity data may only be processed, stored, or transmitted with the permission of the data owner.

There are no official guidelines on Data Protection in Pakistan. There are no specific rules or regulations regarding data collection in the form of CVs, tests, and evaluations. There are no specific parameters defined in law for how background checks shall be conducted.

The Employer can ask questions and request references which they think should be required to be answered by a candidate. A candidate can of course refuse to reply but the same would negatively impact his/her chances of gaining employment and the employer would be within his/her legal rights in refusing employment.

There is no law which protects the right of the candidate not to reveal information which he or she does not want to reveal.

Since recruitment records fall in the category of content data under sections 3 and 4 of the PECA Act, these sections shall be applicable to their protection. Ideally, permission from the candidates should be sought for retention of the records.

Sum Up

We in Pakistan are operating in a huge void as far as data protection is concerned. Cases of data breach are not uncommon. A lot of scammers calling from State Bank of Pakistan and FIA already know the name, CNIC number, and some bank account details. Mobile companies are selling consumer data to banks, property dealers and other vendors, and no one stops them. Apparently, the government is not paying attention because it relates to common people in whom no government is interested. Meanwhile, we must be careful with our own data.

Concluded.

Disclaimer: Most pictures in these blogs are taken from Google Images and Pexels. Credit is given where known; some do not show copyright ownership. However, if a claim is lodged at any stage, we shall either mention the ownership clearly, or remove the picture with suitable regrets.

