Data Privacy Compliance, PII, and PeopleSoft

Data Privacy Compliance and PeopleSoft

Organizations must continuously keep abreast of both the regulations and the system capabilities to maintain data privacy compliance.  One such regulation change is the new General Data Protection Regulation (GDPR) set to go into effect on May 25, 2018.  In response to this particular legislation and in anticipation of clarifications and other future regulatory changes, new capabilities related to data privacy have been in the PeopleSoft development queue for some time – some enhancements have been released recently via HCM Images 25 & 26, and more functionality is on the future roadmap. 

What is GDPR? 

The concepts embodied in this regulation were actually put out in the mid-1990’s; however, they were issued only as a directive for the European Union with individual countries complying at their own discretion.  Effective May 25^th, GDPR becomes a formal regulation with potentially stiff penalties for non-compliance (i.e. up to 4% of annual profit, or €20M whichever is greater).  Also, the regulations are not dependent upon whether the company is based in the EU, but rather whether any EU constituents are involved – in other words, a U.S. company that stores data on an EU citizen is subject to GDPR compliance.

GDPR is based on the following principles:

1. Lawful, fair and transparent processing – means of using the data must be understood
2. Purpose limitation – must be a legitimate reason for using the data
3. Data minimization – only the data that is needed should be collected, no more no less
4. Accurate and up to date processing – organization is responsible for data stewardship
5. Limitation of storage in a form that permits identification –redundancy and replication of data should be reduced
6. Confidential and secure – ensure security of data across systems, paper and physical access
7. Accountability and reliability – demonstrate ability to address security threats and respond to breaches

Based on the above general principles, GDPR specifically provides for:

1. Privacy by Design – companies need to implement measures specifically intended to meet the expectations of this regulation
2. Request for Consent – employees are provided an easily understood form specifying the use and processing of the data that they agree to share with the company
3. Right to Access – employees can request that the organization show to them how their data is being used
4. Right to be Forgotten – employees can request that the organization completely erase their data from the systems (superseded by any regulations that require data retention).

NOTE – this provision has some potentially significant implications to an organization’s data analysis and business processes.  For example, analyses based on historical data, such as trends and forecasting, are obviously disrupted if certain historical data is no longer accessible.  Business processes, such as treating a former employee as a ‘rehire’ or mining for former applicants for a current job opening, are impacted without the historical data in the application.

5. Right to Data Portability – employees can request that company provide their data in electronic format (i.e. to take with them to a new employer)

Note that different countries define what is considered Personally Identifiable Information (PII). The key relevant data elements are typically National ID, Birthdate, Bank Account Number but sensitive data elements also include Name, Ethnicity/Race, Political Affiliation, Membership, Physical/Mental Health, Criminal/Civil Offenses, IP Address, Photo and even Meal Preferences.

How Will PeopleSoft Help Support GDPR Compliance?

Some capabilities around securing data have been available for many releases now, and new features are becoming available starting with recent HCM 9.2 Images (note that many of the new features will not be back ported to earlier versions…another reason to upgrade to 9.2 if your company hasn’t done so yet).  Some capabilities and available tools include:

1. Spreadsheet identifying all PII data – inventory of every sensitive data field and its component page and navigation (Doc ID 2313438.1 on My Oracle Support). The current version is focused on EU countries; therefore, it does not include products such as Payroll for N.A., Benefits Administration and country extensions for non-EU countries. Also, the spreadsheet is based on the HCM suite and does not yet include FSCM, ELM or CRM.  This spreadsheet is expected to be expanded with more content over time and should serve as a useful reference in confirming comprehensive policies and procedures around securing these elements.
2. Online PII identification and usage – via an online PS component, organizations will have the ability to maintain record/field information to designate whether each element is considered PII or sensitive.
3. Online Data Masking – administrators now have the ability to set masking rules for Birthdate (entire date or just year), National ID (by national ID type) or Bank Account Number (all but last 4 digits).

Note – this masking is only at the UI level.  Therefore, (a) database fields themselves are not masked or scrambled, and (b) because PS Query is based on security access trees, customization is still required to enforce field-level security in queries.

4. Data Privacy Framework is a planned enhancement coming in a future Image. Some expected features include field level security (specify masking, hiding or display only); provide full or partial masking; provide for custom masking formats; extend the capabilities to any field (beyond Birthdate, National ID and Bank Account Number); and provide controls by role and/or country.
5. Person Delete – especially relevant for complying with the Right to be Forgotten, the ability to delete a Person ID has been available for some time. This function continues to be enhanced, notably in recent Images, to allow administrators more options in controlling which tables are excluded or added to the delivered Delete function.  A similar function is also available in Talent Acquisition to delete an applicant, and a Learner Delete function in ELM is expected in a future image.  Another future enhancement will provide messaging to other integrated systems to notify them when employee data has been deleted.  Although not specifically committed, evaluation of a data scrambling function is also being evaluated in order to make historical data anonymous for someone who wants to be “forgotten” yet would still make the data available for trend analysis and forecasting (would still not solve business challenges for rehire or applicant mining).
6. Data Archive Manager – a PS function that has been around for some time to remove volumes of “old” data from the system. This tool may have some use in data privacy compliance; however, since it just relocates certain data from the primary application to secondary storage, it may not fully support a particular regulation (i.e. GDPR provision of Right to be Forgotten).
7. Acknowledgement Framework – a recent HCM Image introduced this new framework which provides a pluggable configurable component for communicating terms and conditions to a worker and requesting consent via digital approval. For example, an online form can be added as a step in the Onboarding activity guide for the employee to provide consent to use their PII data.  Refer to the Oracle red paper for more details (Doc ID 2377140.1)
8. Data Auditing – another tool that has been available for some time to track changes to data. However, in its current form, it does require some custom development to enable the functionality, and it only tracks changes to data values but does not track actions of a user just viewing the data.  Ability to track which user and what data elements were simply viewed is under evaluation for future roadmap.
9. Data Portability options – multiple options are already available to support creating an extract of data to provide to a worker. PS Query and BI Publisher reports can create output files.  Certain online pages can create Excel downloads (i.e. from PS grids).  Other development tools (i.e. SQR) can also be used to create data extracts.

Oracle continues to monitor worldwide regulations related to data privacy, and we can continue to expect investment in the PeopleSoft suite of products to provide more robust functionality to support compliance.  Review the Planned Features and Enhancements page on My Oracle Support for new capabilities expected within the next 18 months, and review the PS PUM Image homepage for details on features recently released in HCM Images.

Further information on GDPR and Oracle products.