Why HR Must Be Experts on Data Governance

On Aug. 18, 2014, Community Health Systems (CHS) announced that hackers had stolen information from 4.5 million patients' records. What might not have been clear from the news reports on the incident was just how much CHS will be financially hurt by this breach.

The more common story of late is that of credit or debit card data stolen from retailers, but in these cases, the companies are covered somewhat by the fact the financial institutions that supply the credit cards offer some forms of theft protection and act as another layer of security before the end user is affected. In the case of Social Security numbers, which was assumedly the ultimate goal of the thieves in this case, CHS, which operate more than 200 health care facilitates in the U.S. is directly responsible for the end users' data, and is already facing civil and legal lawsuits, which will likely be much more costly than a similar size security breach involving credit card information (Forbes goes into more detail for the curious).

The data that was stolen from CHS falls under the auspices of the Health Insurance Portability and Accountability Act (HIPAA), an acronym all too familiar to anyone who works in HR (or has been to a health care provider in the past 10 years). It is, to date, the largest HR-related data disaster in the U.S., and possibly the world--one that, sadly, seemed inevitable.

In i4cp's newest report on human capital information, Data Governance: The Foundation of Data-driven Decision Making (non-members, download a preview of the full report), I wrote that "Data governance is about both protection and optimization; organizations that are concerned about customer data should be just as concerned about employee data." Although the compromised records in the CHS case were patient records, not employee, the argument still stands: companies are woefully unprepared for the data revolution when it comes to securing and managing people data.

Consider the following statistic, compiled from the research that informs the newest i4cp study: when asked the question, "What methods does your organization use for data governance?" over half of the nearly 200 respondents indicated they had no method of data governance at all. That's not an interesting factoid--it's a clarion call to address an impending epidemic.

Some HR leaders are urging their organizations to take people data matters into their own hands. In an interview i4cp conducted with Sam Nadda, former VP of HR at W.W. Grainger, he sounded downright prescient:

We should not need an IT department to monitor employee data. First of all, there are a lot of privacy issues and sensitive data, so employee data should be governed by HR and include input from other departments relative to compliance and privacy risk, but the owner of the personal employee data should be the employee themselves. HR should own the other employee data related to the individual employee.

The study findings back up this assertion that it is HR that should control the human capital data at an organization. When the same survey group was asked who had responsibility for the administration of human capital data, high-performing organizations were statistically more likely (than low-performing organizations) to task the Human Resources Information Systems (HRIS) group with policing the flow of people data. Conversely, low-performers were more likely than high-performers to give their human capital data to IT.

This is no knock on IT, whose dedicated professionals make the modern workforce possible, and whose knowledge of data transfer and security outshines most any other department. However, when it comes to people data, the way it is stored and used is immensely different than static and secured information such as credit card numbers. To be of any use to an organization, people data must be accessible and fairly comprehensive. As such, there is greater need for understanding who needs to have access to what data, and why. That duty must rest with HR--as it already is at most high-performing companies.

The real victims in this latest data theft story aren't Community Health Systems, or health care reform--it's the millions of people whose identity and security are now at risk. For HR professionals, the alarm bells are ringing. It's time to take charge of employee data and avoid this sort of situation from happening at your company next.