Sophie

I'd observe there is a general security challenge here to consider relating
to how much reliance is placed on the employee number as part of
authentication when employees are seeking data from or providing data to
your HR systems. When the employee numbers are known beyond the controlling
department or the individual employees themselves such authentication
processes are weakened.

Consider for example the process of how bank detail changes are notified to
your HR at present and will the wider availability of the employee number
weaken the authentication steps currently in use.

If the two depts are part of the same data controller entity there should
be no real barriers to the data sharing which appears to be for improvements
in data integrity. Just check through the principles to see if compliance
angles are covered. Decide what the purpose(s) you are to argue for the employee
number processing, i.e. are you comfortable to defend this as part of staff
administration or is it something else?

Hope this assists.

Seasonal Greetings
David Wyatt
----- Original Message -----
From: "Sophie Pilkington" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Wednesday, December 21, 2005 5:04 PM
Subject: [data-protection] Employee Numbers
> Hi, I'd appreciate some feedback from members of the list on this issue.
>
> Like a number of companies all our employees are issued with a unique
> reference number on starting employment. This employee number is used to
> identify the employee in our payroll, expenses and HR systems. The
> employee number is also the employee's username for logon to our Intranet
> based expenses manager system.
>
> We are looking for a way to link the payroll system and the group active
> directory system (manages computer login accounts and email access) to
> ensure that when an employee leaves the company their active directory
> system accounts are closed. We want to do this by storing a unique value,
> i.e. the employee number, on the group active directory. In order to
> store the employee number on the group active directory this would mean
> that it would be visible to all IT staff and will also appear against the
> individual's email profile details which any employee can view.
>
> I have been asked to make the decision from a data protection perspective
> as to whether this is possible or not. At the moment I am leaning towards
> the decision that if the employee number could only be viewed by IT staff
> and not all employees then this solution may be viable, but I would
> appreciate any comment from the list.
>
> Many thanks
>
> Sophie Pilkington
> Group Data Protection Manager
> Johnston Press plc
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list
> owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^