There is much talk within the simulation and training community of capturing and analysing training data to support a more quantitative approach to training management. However, how should such data be managed and protected? SCT’s Mario Pierobon investigates.
Training data privacy involves keeping an employee’s personal training data secure and controlling what happens if the data is shared with any third parties. Indeed, data security and data management are becoming increasingly prominent concerns as technology becomes more integral to the management of education records and education data systems, says the US Department of Education’s Privacy Technical Assistance Center (PTAC) [i].
Across the European Union (EU), the General Data Protection Regulation (GDPR) came into force on 25 May 2018. This regulation significantly increases employers’ obligations and responsibilities in relation to how they collect, use, and protect personal data, according to an online resource published by Ireland’s Citizens Information Board [ii].
In Australia, the Privacy Act 1988 sets out requirements for collecting, storing, using, and disclosing personal information. These are called the Australian Privacy Principles. “All businesses should aim to comply with the privacy principles as a matter of best practice. However, not all businesses are subject to Commonwealth privacy laws,” states the Australian Government’s Fair Work Ombudsman [iii] (FWO).
With regard to training data privacy, best practices for organisations include securing employees’ consent, having a data privacy policy, applying precautions when securing and transferring trainees’ personal data and when using electronic and social media, and delivering training and raising awareness on data privacy.
An important requirement to satisfy in relation to training data privacy has to do with consent. Organisations should secure the consent of their employees in relation to training data and should be aware of their responsibilities when requesting consent.
According to Ireland’s Citizens Information Board, the GDPR requires that consent be freely given, specific, informed, and unambiguous. “This means that the data subject must be aware that they are consenting to have their data processed and should not be forced into giving consent. Before an employee gives consent to have their data processed, the employer must show that they told employees why their personal data is being collected, and how it will be used and handled. Silence, pre-ticked boxes or inactivity cannot be taken as consent. A data subject can withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.”
Developing a data privacy policy can help apply privacy practices in the domain of training management. According to the FWO, having a clear policy helps an organisation ensure a consistent approach to privacy. It also lets the workforce know that the organisation takes protecting personal data seriously. The policy should state what personal data the organisation collects about the employees and why. It should also contain guidelines limiting the collection of personal data, so that information is only collected if necessary for the business functions or activities or required by law, and it should tell employees about the processes for accessing and correcting personal information. The policy should detail how the organisation will respond to requests for personal information from third parties.
“Key considerations include: who is requesting the information, whether the information is being provided to meet a lawful request, whether the information is necessary to comply with the request,” states the FWO.
Another important point to include in the development of a policy, according to the FWO, is to state how the organisation will respond to requests for references, including who will handle reference requests, who can authorise references on the organisation’s behalf, and what information will be provided. In the domain of training, examples of data to be provided in case of references include job titles, key responsibilities, qualifications, records of recent experience, and training records.
According to the FWO, a data privacy policy should also include guidelines for the use of electronic communications and social media. It should note any monitoring, data collection or surveillance technology used in the workplace, and it should detail how the information will be used and stored, as well as who can access it. Finally, it should tell employees about the possible consequences of the unauthorised disclosure of personal information.
The Australian Privacy Principles may require an organisation to have a clear and up-to-date privacy policy, says the FWO. Such a policy details the kinds of personal information the organisation holds, how it collects and stores the information, and the purposes the organisation can use the information for. It also covers accessing stored information, whether information is likely to be sent overseas, and how to complain about breaches of privacy.
According to Ireland’s Citizens Information Board, personal data is data that relates to or can identify a living person, either by itself or together with other available information [iv]. As such, organisations should take particular care when handling the personal data of a trainee.
Names, addresses, phone numbers, email addresses, photos, bank account details, tax file numbers, super fund information, driver’s licence details and academic records are a few examples. Personal information can be sensitive in nature and privacy laws set a higher standard for collecting and handling sensitive personal information.
In Australia, the Fair Work Act 2009 requires all employers to keep certain personal information about employees in their employee records. “Personal information held by an employer, relating to someone’s current or former employment, isn’t covered by the Australian Privacy Principles, but only when used by the employer directly in relation to their employment,” states the FWO.
In certain circumstances, it is necessary for organisations to disclose employees’ training records to third parties, for example third-party organisations engaged to deliver training. In this regard, Ireland’s Citizens Information Board observes that organisations using third parties are responsible for ensuring the third party is GDPR compliant and they must have appropriate agreements in place. Organisations must also comply with GDPR obligations about transferring data outside of the EU.
The use of internet, email, social media, and employer-supplied devices (smart phones and tablets) affects many aspects of the working lives of employees, including privacy, observes the FWO. “Best practice employers have clear workplace policies to help employees understand the expectations that apply to social media, email, internet use and the use of surveillance or other data collection technologies in their workplace.”
With regard to data privacy in relation to electronic and social media, the key points the FWO believes should be communicated to employees include the fact that electronic communications and social media are not private and that the business can delete data and information employees have put into its systems at any time. Employers should also communicate what is and what is not acceptable use for email, social media and internet at work and that employees should not disclose personal information about customers or colleagues (including images of them) through social media, email, or other media.
Employees should be informed that the business monitors compliance with its privacy, social media and acceptable usage policies, and they should be informed of the possible consequences of breaching these policies. Employers should also communicate to employees what information is recorded and kept by the business (such as content and patterns of employees’ emails and browsing activities, or location information) and who can access these records, as well as what areas, if any, are under surveillance and who has access to that information.
Indeed, businesses are increasingly using technology - such as apps, monitoring software or tracking devices - to supervise their employees. The areas employers may monitor can include an employee’s work output, how employees are using business property and employee attendance at work, says the FWO.
Training and awareness on data privacy ensures that all employees receive appropriate training about an organisation’s data privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. Training must be relevant, accurate, and up to date, says the Information Commissioner’s Office, the United Kingdom’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals [v].
While the terms ‘awareness’ and ‘training’ are sometimes used synonymously, they are actually distinct concepts that are both integral parts of a data privacy programme, according to PTAC. “Awareness is typically defined as the ability to perceive or be conscious of a condition or event—and raising awareness about threats to data security is an initial goal of a comprehensive security program. The audiences for such efforts to raise awareness are often passive recipients of information, rather than interactive participants in an instructional exchange.”
In contrast, training is more formal instruction on a given topic (like data privacy) and participants need to be actively engaged in exercises designed to help them apply the concepts covered in the training programme, according to PTAC. “In addition to improving awareness about data management and security, training has a goal of building the knowledge and real-world skills needed to help participants do their jobs in a way that will not compromise the organization’s IT and data security.”
Differing training goals, learning styles, participant skills, user roles, employee locations, and budgets might call for different training delivery options. Regardless of the delivery method, it is important to confirm that everyone participates, according to PTAC. “Even one employee who is unaware of the importance of data management and security and how his or her actions affect security weakens overall system security - after all, a chain is still only as strong as its weakest link.”
[i] US Department of Education’s Privacy Technical Assistance Center (PTAC), Data Security and Management Training: Best Practice Considerations
[ii] Ireland’s Citizens Information Board
[iii] Australian Government, https://www.fairwork.gov.au/tools-and-resources/best-practice-guides/workplace-privacy
[iv] Ireland’s Citizens Information Board
[v] Information Commissioner’s Office