Data Trusts: How They Can Help Protect Employee Data

With the proliferation of social media and the Internet of Things, there’s been a lot of attention about protecting personal information. This has been a serious concern of consumers for some time now, whether it’s tracking cookies when visiting a website, a data breach at Equifax or having your personal information collected and sold by data brokers.

But the United States lacks a comprehensive data privacy law. Many states have data privacy laws, but they vary in who and what that they protect.

Much of the attention has focused on data privacy in the commercial or consumer context, yet there are also concerns about protecting employee data. One possible solution is using a data trust.

What Is a Data Trust?

A data trust is a relatively new term with no universally-accepted definition. One of the simplest definitions defines a data trust as an independent organization that has a fiduciary duty to manage data for the benefit of another person or group. But to better explain this, let’s look at what a trust is.

In the legal world, a trust is a special legal relationship where someone has a fiduciary duty to manage or use property to benefit someone else. A trust has four main components:

• Settlor: This is the entity that provides the property for the trust.
• Corpus:  Also called trust property, this is the property the settlor places in the trust.
• Trustee:  This is the person (or persons, as trusts often have multiple trustees) that manages the property for the beneficiary.
• Beneficiary: This is the person (there can also be multiple beneficiaries) that receives the benefit of the trust property.

The key to the trust is that the trustee has a fiduciary duty to the beneficiaries. This is the highest standard of care in law and means the trustee must have near-absolute loyalty to the beneficiary and always act in the beneficiary’s best interests.

A data trust in the employment context would likely consist of the following elements:

• The settlors would be the employers or employees sending employee data to the trust.
• The corpus consists of employee data.
• The trustee would be the independent third party with the fiduciary duty to the employees tasked with managing the personal information of the employees.
• The beneficiaries would be the employees.

The final part of a data trust is the charter or terms of the trust. This would dictate things such as:

• The purpose of the trust.
• The precise fiduciary duties the trustees must follow.
• The rights of the beneficiaries and settlors.
• How the trustees must manage the data.

Why Might Employees Need a Data Trust to Protect Their Data?

Currently, there aren’t many laws that govern how employers must manage employee data. There’s the Americans with Disabilities Act of 1990 (ADA) and the Genetic Information Nondiscrimination Act of 2008 (GINA), which generally require employers to keep certain medical information obtained from employees confidential. This means keeping the medical information separate from the employee’s personnel file and limiting the access to that information only to those who need to know it.

But one potential caveat to this requirement is that depending on what state you’re in (such as West Virginia, Virginia, Maryland, South Carolina and North Carolina), medical information will receive confidential protections only if it’s obtained through an employer’s medical inquiry.

As for the Health Insurance Portability and Accountability Act (HIPAA), its Privacy Rule that requires the confidentiality of patient medical information doesn’t apply to most employers.

How Data Trusts Could Protect Employees

The precise way in which data trusts could apply to employees will depend on the circumstances, such as the type of data, how it’s gathered and why it’s needed. Let’s look at potential scenarios and how a data trust could apply to them.

Employer Invades an Employee’s Privacy

An employer might obtain personal information about an employee for appropriate reasons. For instance, an employer might want to confirm that its employees are not using their social media accounts to disclose the employer’s confidential information.

To get the reassurance it wants, the employer may ask for social media login information from one of its employees. Even though the employee knows it did nothing wrong, it may not feel comfortable having a boss see personal social media postings. So instead of giving the login information to the employer, the employee gives it to the data trust.

The trustee then reviews the employee’s social media account only to identify any relevant employer policy violations. Then the trustee can report the findings to the employer.

The employer gets the reassurance it needs while the employee doesn’t have to worry about a boss invading the employee’s private life. And because the trustee has a legally enforceable fiduciary duty to the employee, the employee doesn’t need to worry about the trustee divulging or misusing information about the employee.

Unauthorized Access to Information

An employee may have no problem giving personal information to an individual at work, such as a human resource manager. But despite assurances that no one else will have access to the information, the employee might still worry. Perhaps someone accidentally leaves the employee’s file sitting in the break room. Or maybe the information is on a laptop that gets lost.

If properly set up, a data trust could reduce the chances of any of that happening. Or if it does, be able to identify who is at fault. The data trust could allow only certain individuals to have access to the information. And to help keep it secure and track who’s accessed it, the information will be kept in electronic form and at a central location, such as an offsite server.

To gain access to the employee data, an authorized individual will use a virtual desktop login. This remote access system would not only reduce the chances of a data breach should a human resource manager lose a work laptop or smartphone, but if there’s any improper use or access to the information, there would be an electronic paper trail to track down who’s responsible.

The implementation of new computer technology could make it even harder for unauthorized access to information to occur, especially when information has to go through several people. A modified form of distributed ledger technology makes it possible to create a chain of custody record with electronic data.

Homomorphic encryption has potential here because it allows the use of encrypted information without decrypting it. This can be used by an employer to search for information without having to actually see the information.

Imagine an employer wanting to gather statistical data about its employees’ sexual harassment complaints. Homomorphic encryption can allow it to search for the complaints and create a tally, without having to learn who filed the complaints or who they were against.

Potential Challenges to Using a Data Trust in the Employment Realm

All of this sounds great, but how practical is it? Well, there will be challenges. Most of these can probably be overcome, although there’s the question of cost, whether economic or in terms of goodwill.

One of the biggest challenges will be learning to trust the data trust. An employer might think the trustee is basically an advocate for the employee, so the data trust won’t be of any use to the employer. Employees might think that allowing the data trust to have their personal information won’t stop privacy violations or data breaches from occurring, but instead just change who is responsible. But over time, people usually get used to new technology and, assuming it actually works, learn to accept and trust it.

A second potential challenge is figuring out the terms of the data trust. Employers and employees will likely have disagreements over how the data trust should work. For example, employees might only want the Chief Human Resource Officer to have unlimited access to information held by the data trust, but the employer also wants its CEO, CFO and vice presidents to have access, too.

Third, how would the data trust support itself? It takes money and effort from individuals to operate a data trust. Who’s going to pay for these salaries and bills for electricity and server maintenance?

If the employer pays, there’s a potential conflict of interest. Remember, the trustee must have full loyalty to the employees. This may not be easy to do when the data trust’s bills get paid by the employer, not the employee.

Will the employees pay? It’s possible, but that’s asking employees to take what amounts to a pay cut for ensuring their employers are using information properly.

In a typical trust, the trustee would get paid from the property in the trust. The equivalent here would be allowing the data trust to get paid by profiting from the data it’s tasked with protecting. But isn’t the whole point of a data trust is to prevent data exploitation?

Perhaps, although it may be possible to allow the employee data to be de-personalized with all identifying portions removed so it can still have economic value in the aggregate. This would allow the data trust to support itself, yet still protect the interests of its beneficiaries (employees).

A fourth challenge would be establishing the legal framework where the data trust operates. Given how many employers operate in multiple states, there would be a need for a uniform law that could apply to protect the rights of employees.

The data trust itself could have provisions that outline the rights of its beneficiaries. But employees may have multiple data trusts to deal with, such as one for medical information, one for workplace surveillance and one for social media accounts. Asking employees to learn the “terms of service” for each of their data trusts is unrealistic. It also helps to have a statutory “backstop” in case there’s a violation of the data rust’s terms.

Ideally, the United States would have something similar to the European Union’s General Data Protection Regulation (GDPR). This is a comprehensive data protection and privacy law that requires covered entities, such as employers, to abide by a host of rules when it comes to the collection and processing of employee personal information.

Many states have enacted some data privacy laws, but many of them focus on protecting consumer information. But some apply to the employment context, although in a limited manner. One of the most notable is the California Consumer Privacy Act (CCPA).

The CCPA is one of the most expansive data privacy laws in the United States and places vast data compliance requirements on businesses that use, process and collect personal data. The problem with the CCPA is that it will largely apply to employers that have more than $25 million in gross annual revenue or are specifically in the business of collecting, selling or distributing personal information. In other words, it won’t cover many employers.

There’s also New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law places specific mandates on employers concerning the handling of employee data. Some of these requirements include implementing reasonable data protection safeguards and notifying any affected New York state resident of a data breach.

More recently, Virginia enacted the Virginia Consumer Data Protection Act (VCDPA). This law is similar to the CCPA in that it’s intended to protect consumer information.

As written the statute may not apply its protections to employees. And even if it did, many employers wouldn’t be covered by this law as it focuses on entities in the business of collecting, selling or managing the personal information of consumers. It also specifically excludes from coverage a large number of potential employers, such as:

• Non-profit organizations
• Institutions of higher learning
• Any Virginia government entity or a local government entity within the Commonwealth of Virginia

The VCDPA also does not apply to protected health information under HIPAA or certain health records and patient identifying information. When it comes to enforcement, the VCDPA doesn’t provide a private cause of action for consumers; only the Virginia Attorney General may enforce the VCDPA.

Other states have laws or judicial decisions that may offer some protections to employee personal information. Some of these states include:

• Illinois
• Pennsylvania
• Connecticut
• Washington State

Even with these state laws, there are significant limitations to protecting employee data in the possession of employers.

So Now What?

Data trusts probably won’t be making their way to the workplace any time soon. In the meantime, employees will have to rely on the existing legal framework that’s largely based on federal employment laws. In some cases, this will require a consultation with an attorney or employees doing some research on their own to learn their rights and demand they be honored by their employers.

But one thing employees should keep in mind is that, “there’s the law, and there’s what people do.” So even if a specific statute prohibits an employer from collecting or sharing employee information, that may not always stop an employer from mishandling private employee data.

The result is an employee disclosing as little personal information as possible. This might lead to choosing to work for a different employer. Or it might mean foregoing a legal right, such as a reasonable accommodation for a disability. Luckily, most employers try to do the right thing when it comes to collecting and using their employees’ personal information.