How Does Blockchain Secure Personal Data?
In this, the second of a series of blogs introducing the application of blockchain in HR and payroll processes, we explore possibilities for safeguarding Personally Identifiable Information (PII) and other employee data.
The first blog, Blockchain and HR & Payroll Tech: What Does the Future Hold?, introduced the basics of Distributed Ledger Technology (DLT), widely known as ‘blockchain’, and discussed use cases in the payroll domain.
The European General Data Protection Regulation (GDPR) goes into effect on May 25th and companies are scrambling to ensure they meet all requirements.
PII, especially the ownership of PII, sits at the center of this legislation. The objective of the GDPR is to give us, the PII owners, better protection, ensuring that our data is respected, secure and not vulnerable to abuse.
My NGA HR colleague Sascha Schneider goes deeper into this in a recent recorded webinar and in a series of blogs, both of which can be found here.
This is all about giving control over PII back to the owner, who must consent to third party usage.
From a data owner perspective, the problem of protecting personal data is threefold:
Lack of ownership: once entered, a third party owns their personal data
Lack of transparency: users can’t audit what happens with their PII
Security breaches: the database that holds personal data is a single point of failure
PII is valuable
Companies store enormous amounts of PII on customers and employees. PII is valuable, so phishing schemes and hacks are often directed towards HR to gain access to employee data.
There are also occasions when this data is used in a way that is not transparent to the users, for example for analytics, profit or research. This is not always intentional, but that does not negate the fact that the data has been used.
Covering your social footprint
Many of us use online (social) media: we store career data on LinkedIn, share photos with friends on Facebook and other social media and leave credit card numbers with a banking or shopping service.
These sites collect our data and store it on their servers. This creates a single point of failure: if a site gets hacked, its servers go down or the company ceases to exist, the database holding those records is exposed or lost.
Recent events have shown that companies do not always secure personal data well enough, and once a database is compromised or copied, the information ends up in the hands of others, as happened to Equifax and Facebook, putting millions of users at risk.
So how can blockchain help to keep your personal data safe?
A DLT puts the control of personal data back into the hands of you, the owner. When you create your identity online and store it using blockchain, you use a distributed ledger rather than a central database. Encrypted information is stored in blocks and added to a chain that is distributed over many nodes. Think of it as creating a “wallet” to hold PII, just as you can create a wallet to hold and transact digital currencies.
When someone or a site needs access to your data, you don't need to enter it (and thus replicate it); instead, you grant a third party access to your wallet for a specific use during a specific period.
Regaining control of your personal data
A DLT contains an audit trail, so you can follow what a third party does with your data. You can also revoke access. This shifts the power of (and profit from) data back to individual users.
The DLT records each transaction and maintains a permanent and unalterable historical record of transactions in the ledger, virtually eliminating the potential for fraud.
Consider an employee’s career: if they had several employers spanning many years, these employers have all stored personal data for this employee: ID, work permits, performance reviews, training completed, certifications, job changes, pay increases etc.
When an employee changes jobs, the new employer stores most of that information all over again and then adds to it. The employer is responsible for keeping that data safe, for not using it for purposes outside the given consent, and for disposing of it within the legal timeframes. The employee keeps a record of all that data too, for personal career, tax and legal purposes. It's their data and they must keep a copy, because it's unlikely they will be employed for life.
But what if you make better use of the data that the employee stores herself, by giving the employer access to the verified records in her wallet that are necessary for job performance?
The data owner can respond to different requests: for example, an employer can request access to a larger portion of a permanent worker's data, and for a longer period, than it would for a contingent worker.
For other data types, DLT allows the employer to verify (without data access) that the employee is who she says she is, and to request proof of work history and qualifications (more on that topic in the next blog). This eliminates duplicate data storage, including the potential points of failure that come with it (inaccuracies, security gaps, etc.).
In the case of foreign nationals, the DLT allows verification of a person’s eligibility to legally work for a company.
Reducing the instance of inaccurate data
An employee file kept on a blockchain reduces the chance that the employee or third parties provide inaccurate employment information. This is because data in the blockchain is verified and encrypted and can't be altered retroactively.
While a fake certificate might look like an official one, it won't verify against the original blockchain record and the employer can immediately classify it as fake. An employer wouldn't, therefore, need to verify school diplomas or degrees externally, and the employee controls how much information to release: just the degree itself, or the underlying classes and grades as well.
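The check described in the two paragraphs above (a forged certificate failing to verify, and the holder releasing only the degree rather than the grades), as an added example that is not from the original post, from Blockcerts or from any NGA HR product: a toy Python ledger with assumed helper names, in which the issuer anchors only a salted commitment root, the holder reveals a chosen subset of fields, and the employer recomputes the root. It assumes the PII itself stays in the holder's wallet and never goes on the ledger.

```python
import hashlib
import json
import secrets

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def leaf_hash(name: str, salt: str, value) -> str:
    # Salted commitment to one field; the salt stops a verifier from brute-forcing
    # withheld low-entropy values (a grade, a birth year) from their hashes.
    return sha256(json.dumps([name, salt, value]))

def commitment_root(leaf_hashes) -> str:
    # Order-independent root over every field commitment of one credential.
    return sha256("".join(sorted(leaf_hashes)))

def issue_credential(fields: dict) -> dict:
    """Issuer (a school, a former employer) salts every field and computes the root.
    The holder keeps this whole record in their wallet; only the root is anchored."""
    salted = {k: (secrets.token_hex(16), v) for k, v in fields.items()}
    leaves = [leaf_hash(k, s, v) for k, (s, v) in salted.items()]
    return {"fields": salted, "root": commitment_root(leaves)}

def anchor(ledger: list, root: str, issuer: str) -> None:
    """Append-only toy ledger: each block commits to the previous block's hash."""
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    body = {"prev": prev, "issuer": issuer, "root": root}
    ledger.append({**body, "hash": sha256(json.dumps(body, sort_keys=True))})

def ledger_intact(ledger: list) -> bool:
    prev = "0" * 64
    for block in ledger:
        body = {k: block[k] for k in ("prev", "issuer", "root")}
        if block["prev"] != prev or block["hash"] != sha256(json.dumps(body, sort_keys=True)):
            return False
        prev = block["hash"]
    return True

def present(credential: dict, reveal: set) -> dict:
    """Holder discloses only the chosen fields; the rest appear as bare hashes."""
    fields = credential["fields"]
    return {"disclosed": {k: fields[k] for k in reveal},
            "hidden": [leaf_hash(k, s, v) for k, (s, v) in fields.items() if k not in reveal]}

def verify(ledger: list, presentation: dict, issuer: str) -> bool:
    """Employer recomputes the root from what was shown and checks it was anchored."""
    leaves = [leaf_hash(k, s, v) for k, (s, v) in presentation["disclosed"].items()]
    root = commitment_root(leaves + presentation["hidden"])
    return ledger_intact(ledger) and any(
        b["root"] == root and b["issuer"] == issuer for b in ledger)
```

A presentation that alters any disclosed value, names a different issuer, or arrives after a block was tampered with fails the check, while the withheld grade is never exposed.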
Adding permanence to data
Another advantage of DLT is that information is permanent: even though a company or school might cease to exist, once the record has been verified and created on the blockchain, it is forever part of the employee’s history. The data in a blockchain cannot be deleted or changed, only added to, and the distributed ledger ensures that all the nodes must verify a transaction before new information can be added.
Once the relationship between employer and employee ends, data access can be revoked (subject to applicable legislation). And if data access needs to exist for a while longer, it can be audited, so the employee knows what's being done with it.
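The access model the post describes (a grant for a specific use during a specific period, which the owner can audit and revoke), as an added Python illustration that is not part of the original post or any product: a local, in-memory model of the wallet with assumed class and method names, where every read is checked against a purpose-bound, time-bound grant and recorded for the owner. The ledger-backed audit trail is simplified to a plain list here.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    grantee: str          # who may read (an employer, a payroll processor)
    purpose: str          # the single use the owner consented to
    fields: frozenset     # the subset of wallet fields in scope
    not_after: int        # expiry (Unix time); access stops without a revocation
    revoked: bool = False

@dataclass
class Wallet:
    """Holder-controlled PII store: every read is checked against a grant and logged."""
    data: dict
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def grant(self, grant_id: str, grant: Grant) -> None:
        self.grants[grant_id] = grant

    def revoke(self, grant_id: str) -> None:
        # Revocation is a flag, not a deletion, so the history stays reviewable.
        self.grants[grant_id].revoked = True

    def read(self, grant_id: str, grantee: str, purpose: str, name: str, now: int):
        """Return the field value only if the named grant covers this grantee,
        purpose, field and point in time; log the attempt either way."""
        g = self.grants.get(grant_id)
        ok = (g is not None and not g.revoked and g.grantee == grantee
              and g.purpose == purpose and name in g.fields and now <= g.not_after)
        self.audit.append({"t": now, "who": grantee, "why": purpose,
                           "field": name, "allowed": ok})
        return self.data[name] if ok else None
```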
Education leads the way
The application of DLT to store and verify personal information is less futuristic than you think – and educational institutions are among the first organizations to introduce DLT in making student records available.
The Massachusetts Institute of Technology (MIT) released Blockcerts: an open standard for creating, issuing, viewing, and verifying blockchain-based certificates. Ngee Ann Polytechnic in Singapore and Leonardo da Vinci Engineering School in Paris have started issuing certifications on blockchain.
Estonia is on a path to create the first digital society. X-Road is the open-source DLT backbone on which the country’s entire digital infrastructure runs. It is accessed through secure, verified digital identities that are provided to every citizen and resident.
Game changer for service delivery
Mike Eralie, NGA HR's SVP of Service Delivery, explained: "DLT has the ability to thoroughly change our HR service delivery."
As data processor, NGA HR handles large amounts of PII on behalf of employers and provides services like identity verification or checking of work permits.
DLT-based employee files allow NGA HR to interact directly with verifiable, secure records, giving employers a higher level of confidence that the employee is who she says she is, and has the qualifications and permits needed to legally deliver quality work.
NGA HR is focused on delivering innovative services and closely follows DLT developments to create solutions that our clients will benefit from. Having said that, while Distributed Ledger Technology has many advantages, application of this technology can be more complicated than people make it out to be and many questions remain to be answered.
We don’t view DLT or blockchain as a simple solution that will fix everything that is wrong with today’s handling of PII, but it does offer possibilities for improving the systems we have – and NGA HR is fully engaged to explore its benefits in service delivery.
Next: In the final blog of this series introducing the application of blockchain in HR and payroll processes, we will explore possibilities for recruitment.