Stuart Gentle Publisher at Onrec

HR Cloud/Saas Services: Considerations for HR Managers

HR in the Cloud: What's it all about?

Increasingly HR Managers are using Cloud-based HR systems (such as WorkDay or Oracle’s HCM Fusion) or ‘Software as a Service’ (“SaaS”) solutions as a cost-effective and efficient way of managing staff and HR data across the world.  But what do we mean by the Cloud, why is it so popular and what questions should HR Managers be asking when considering such a system?

THE CLOUD

Cloud computing is the delivery of IT services over the internet (rather than on an organisation’s local IT infrastructure).  The trend towards the use of Cloud computing is being driven by:

  • significant reductions in cost compared to traditional software hosted on an organisation’s local IT infrastructure;
  • fewer implementation risks;
  • improved internet capabilities;
  • increased prevalence of technology and devices in the workplace; and
  • the desire to access data in real time, any time of day and anywhere.


Cloud solutions are cost-effective because they are standardised and scalable.  They are supplied on a “metered” basis, a little like electricity.  So rather than paying money for the capability to be available all the time, an organisation can scale-up or scale-down its requirements as needed and just pay for what it uses.  This means a much cheaper solution.

SOFTWARE AS A SERVICE (“SaaS”)

SaaS is software run and maintained on a supplier’s server which is accessed by the customer remotely over the internet (the supplier’s servers are often in the Cloud).  SaaS products eliminate or reduce the need to install software on the client’s machines. SaaS can support a wider range of devices than traditional software, including smart phones and iPads, meaning easy access anywhere in the world.

For example, if a company wants to use Employee Relationship Management (“ERM”) software to keep track of its employee data, it could use a Cloud provider, offering ERM software, accessed through a web browser.  Each manager within the company would be given a username and password to access the software, to be able to enter new data or to access existing data.  The software can be accessed by Managers whilst working away from the office and through a range of devices. 

STANDARDISATION

One of the issues with a typical “public” Cloud is that it is a “one-to-many”, uniform solution.  In other words, a single instance of software serves multiple client organisations simultaneously.  This often means that the customer has very little chance to customise its requirements.  The services are provided on standard terms. 

The supplier decides where to store the customer’s data and can move it around different data centres across the world.  This is part of the reason why it is so cheap, as the suppliers can maximise cost savings by transferring the data to cheaper “off-peak” locations at peak times.  This may also mean that there are multiple copies of the customer’s data held in different locations. 

When considering a Cloud-based HR Solution, HR Managers should bear in mind that all of the HR data stored on the system must be transferred over the internet. Initially it will be transferred from the customer’s systems up into the Cloud and then it may also be transferred around the internet by the supplier to maximise cost savings, as described above. This raises a number of data protection issues as explained below.

Data security is another important consideration and encryption of data is essential.  Given the standardised nature of Cloud solutions, the supplier is unlikely to agree to comply with the customer’s security policies. 

For these reasons you may want to consider alternatives to the typical ‘public’ Cloud, such as a private, EU-only Cloud, which would allow greater customisation and would ensure that the data was only held on servers within the EU. 

Many of these decisions will be made in conjunction with your IT and procurement departments when buying a solution, but it is helpful to have an understanding of them so you can ask the right questions.

DATA PROTECTION CONSIDERATIONS

As an HR Manager, the transfer of HR data over the internet is bound to be a key concern, as much of the information transferred will be personal data and will therefore be subject to the Data Protection Act 1998. 

The UK Information Commissioner’s Office (“ICO”), which oversees the implementation of the Data Protection Act in the UK, has provided a number of guidance documents which are relevant in these circumstances, including the Employment Practices Code, the Personal Information Online Code of Practice and the Guidance on the use of Cloud computing.

The ICO guidance states that “processing” (for the purposes of the Data Protection Act) is likely to capture most of the operations undertaken by the supplier in the Cloud, including simply the storage of data.   

As the employer, you are the ‘data controller’ and therefore you are responsible for determining the purposes for which and the manner in which any personal data are being processed by the supplier.  The ICO recognises that it is difficult to exercise any meaningful control over the processing of personal data in a public Cloud scenario because of the nature of the Cloud and the standardisation of terms, as stated above. 

However, this does not mean that the customer can relinquish responsibility.  The organisation will continue to be the data controller and will be required to meet its obligations under the Data Protection Act.  This may cause difficulties given that it is not always possible to determine the precise physical location of the data. 

  • Again, this may lead you to consider whether a typical ‘public’ Cloud is the most appropriate type of solution available.
  • Remember that you will need an employee’s consent if processing their sensitive personal data, such as medical records.
  • In any event you should inform employees of the way in which their personal data will be gathered and processed.

Data Transfer Rules

UK data controllers must not transfer personal data to an entity in a country outside the EEA (including a Cloud supplier outside the EEA) unless that country ensures an “adequate level of protection” in relation to the processing of personal data.

Personal data may be transferred to countries outside the EEA in the following situations:

(i) the data subject has consented to the transfer; or

(ii) the transfer is made on terms that are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects; or

(iii) the transfer has been authorised by the Information Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

The European Commission has made findings of adequacy about certain countries, including Switzerland, Australia, Canada and New Zealand (but not the US) so you can freely transfer data to these countries.  Where the European Commission has not made such a finding the data controller must put in place adequate safeguards to guarantee the protection of personal data.

The European Commission has agreed a framework with the US government under which data can be transferred to certain approved companies in the US provided that they have signed up to what is known as the ‘safe harbor’ arrangement.

If the business does not participate in the safe harbor framework, the data controller must impose certain contractual requirements on the US business known as ‘binding corporate rules’, which have been approved by the ICO. However, given the comments above regarding standardisation in Cloud contracts, this may be difficult. 

Failure to comply with the data rules could lead to a fine by the ICO of up to £500,000.

Think about where your data is being transferred and what steps are required to protect that data to enable a lawful transfer.

Impact of the USA PATRIOT Act 2001

In recent months there has been increasing concern regarding the impact of the USA PATRIOT Act 2001 on data held in the Cloud.  The “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism” Act (USA PATRIOT Act 2001) was introduced after 9/11 and enables the US Government to intercept communications and access records and other items in the event of a threat to national security (this includes data stored in the Cloud by US companies). 

The majority of technology networks from which Cloud services are provided are US-based.  As a UK employer, you are obliged to comply with the Data Protection Act.  However, the USA PATRIOT Act could well override any protections you put in place in order to comply with the Data Protection Act.  For example, Microsoft UK has stated that even if data is collected and stored within the EEA by Microsoft UK and is transferred to the US under the Safe Harbor rules, the data may still fall under the jurisdiction of the USA PATRIOT Act and could be accessed by the US government (in breach of the UK data protection laws), as Microsoft UK is a wholly owned subsidiary of a US parent which is subject to the Act.

Notwithstanding the disquiet arising from the Act, the impact may be somewhat exaggerated.  The USA PATRIOT Act isn’t really any different from the UK’s Regulation of Investigatory Powers Act 2000 (“RIPA”), under which emails and other data can be intercepted by certain UK Government agencies where various criteria are met, including in the interests of national security.  At least with the USA PATRIOT Act the US entity will receive a request before its data is accessed, possibly enabling it to apply for an injunction (if appropriate) to try to prevent such interception, whereas in the UK under RIPA you may not know that data has been accessed at all.

SECURITY OF DATA, AVAILABILITY OF DATA & ACCESS TO DATA IN THE CLOUD

Analysts of the Cloud often use the analogy of a hotel room to describe how the Cloud works: you hire a hotel room, but the supplier decides how the room is done up and your ability to access it.  The storage of the data is really seen as a secondary aspect to the services themselves, and this is why there are several issues regarding the storage of data in the Cloud and the customer’s ability to access that data.

Security

As a Data Controller under the Data Protection Act you are required to ensure that appropriate technical and organisational measures are put in place against the unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to personal data.  Normally this would involve a review of the guarantees of availability, confidentiality and integrity provided by the supplier.  In a typical outsourcing the customer might well do a site visit in order to audit this, but where data is held in the Cloud, site visits will not be practical.

In addition, as stated above, because of standardisation a supplier is unlikely to agree to meet the requirements of the customer’s security policy.

You may need to undertake due diligence to ensure that the supplier’s security matches your own.  You may also need special arrangements in place, for example if your own employees and contractors are required to have CRB checks before accessing data and you wish to impose this requirement on your Cloud supplier.

Availability and Access

The customer takes the risk of internet availability and internet outages so, for example, if there is an internet outage the day before you are due to run payroll, you may not be able to access the data required to run the payroll and you will have no recourse against the supplier. 

For this reason it may be best to retain a copy of the data on your own servers as back-up.

Standardisation also creates difficulties of access for disclosure purposes, for example in employment tribunal litigation or for the purposes of a data subject access request.  Standardisation means it is harder for the customer to negotiate rights of access for these purposes. 

Likewise, on termination, access may be limited.  Typical termination provisions state that the supplier is only required to give you back your data within 30 days. 

Again, for business continuity/seamless service reasons on a change of provider, you may wish to consider retaining a copy of the data on your own systems, using the Cloud solution as a service provider rather than as a data store.

CHECK-LIST

When considering implementing a Cloud-based HR solution, HR Managers may want to consider the following:

  • Select a suitable format/service (private Cloud, public Cloud).
  • Select a provider who can give assurances about location of data, e.g., EEA only, to avoid some of the issues highlighted regarding the transfer of data outside the EEA.
  • Select which data to move into the Cloud (consider whether it is necessary to transfer sensitive personal data which will need employee consent).
  • Ensure you have a written contract with the supplier requiring them:

- only to act on instructions from the customer; and
- to comply with security obligations equivalent to those imposed on the data controller itself.

  • Undertake a risk assessment for the system.
  • Review the supplier’s guarantees of availability, confidentiality and integrity.
  • Inform employees (seek their consent if it involves sensitive personal data, e.g., sickness records).
  • Monitor the supplier’s performance.
  • Secure access to the Cloud based system for end users and for disclosure purposes.
  • Retain copies of data where necessary for business continuity.
  • Provide staff training.


Kathryn Dooks, Employment Partner at Kemp Little