The HR and Ediscovery Connection: Is Your Human Resources Department Protecting Your Business?
As a human resources professional, you’re partially responsible for everyone who works in your organization.
Managing people effectively also means managing their data effectively. Today, most of the paper in the HR department has been replaced by electronically stored information (ESI) which accounts for timesheets, payroll records, vacation requests, policy manuals, annual performance reviews, complaint forms and more.
When your organization is faced with litigation, it has to identify, preserve, collect, analyze, review, and produce potentially relevant information for discovery — which may include a lot of the ESI you produce in HR. In short, managing ediscovery requires managing people, which makes it your problem. From unlawful termination to wage disputes, from allegations of discrimination and harassment to compliance with FMLA and the ADA, understanding the data that relates to your people and helping the legal and IT teams to assemble that data in a useful form for discovery is a key part of your job.
However, HR faces a few problems with ediscovery data, ranging from the common to the unique.
Ediscovery Problems That HR Needs to Master
Diverse data types and locations. We’re facing an unprecedented volume and variety of data generation from an ever-increasing number of data sources. We don’t just create documents and spreadsheets that are stored locally on our own hard drives; everything from our building-access keycard to our smartphone creates data incessantly. And that data lives in multiple silos: in the cloud, on enterprise networks, on thumb drives, or on personal mobile devices used under BYOD (bring-your-own-device) policies.
Suppose an employee has accused a supervisor of sexual harassment and specified exactly when and where within the building certain incidents happened. If your keycard data can confirm or rebut those allegations, you need to be able to review that information. That means you need to know that it exists, where it is, and how to preserve and access it.
Metadata. Metadata is data about data. It shows who created a file and when, who has accessed or modified it since, where it’s gone, and even, in the case of recovered files, who deleted it. Metadata is fragile, especially if you don’t know it’s there. Just opening a file or moving it from one storage location to another can change its metadata, raising suspicions about why the file was accessed or modified.
Imagine that you have an employee claiming discrimination and citing her last performance review as proof of one of her claims. If her manager opens that review just to read over what it says, that action changes the file’s metadata, showing that the file was accessed after the complaint. Now the employee may be able to claim that the review was modified or that this key evidence was spoliated or changed. And that can result in costly court penalties — up to and including judgment for the complainant.
Employee turnover. As an HR professional, you have unique insight into your organization’s employee structure and status. The legal and IT departments might know your general organizational structure, but only an HR representative knows, from moment to moment, who’s assigned to what department, who’s quitting or retiring, and who’s on vacation or taking an extended leave of absence. This makes you a cornerstone for effective management of data custodians, the people responsible for generating and preserving discoverable data.
Consider what happens when Jeff in accounting is on a legal hold for litigation involving the company’s financial management. If no one tells you that Jeff is subject to a hold when he is quietly asked to leave for other reasons, you may send his laptop to be wiped and recycled to another employee — irreparably spoliating information that the company was obligated to keep.
Emerging technologies. Email is no longer the only important form of interoffice communication. Today, employees use a huge range of collaboration, project management, instant messaging, and even ephemeral messaging applications for internal communications. And then there’s social media — not only your organization’s official channels but also any personal or private profiles that your employees may use to discuss office happenings. The HR department is likely responsible for creating your organizational policies about application use and social media communication. That means you need to know who owns the data generated by these apps, who controls it, and whether it is accessible — for example, whether it has been saved somewhere or has been encrypted. Also consider whether these answers may differ for communications from a personal mobile device used according to a BYOD policy as opposed to a company laptop.
If an employee alleges that he’s been denied leave under FMLA and produces screenshots of Slack conversations denying his right to paternity time off, you need the ability to save and access those communications. These examples all point to a few common themes and solutions.
Best Practices to Solve HR’s Ediscovery Problems
All of the above problems could be solved with three key ingredients:
- Better information-sharing between HR, IT, and legal
- Up-to-date knowledge about data types and locations
- An organization-wide understanding of data policies and ediscovery obligations
Let’s look at a few best practices that produce these improvements.
Build a cross-department information governance team. Individuals in HR, IT, and legal all have unique insights into the people, data, and legal obligations that shape your company’s day-to-day operations. That means that all of you need to work together and share information consistently. This isn’t a one-way street, either. Yes, the legal department needs to teach HR about ediscovery obligations, but HR also needs to advise legal about personnel changes and data policies. Meanwhile, IT needs to help both departments to manage their data streams and stay up-to-date with new sources of potentially discoverable data.
Create and maintain a comprehensive data map. Every organization needs an up-to-date data map describing all of its data streams and locations. For your part, you can back this up with a data custodian map, designating which employees manage and have access to what information.
Develop and train staff on data retention and deletion policies. As the owner of all company policies, it’s also HR’s job to develop — with legal and IT — policies that govern the full lifecycle of ESI management and information governance and then to train staff on those policies. Staff need to know what they need to keep and when as well as what they can delete. Employing streamlined, straightforward rules with consistent enforcement is key to organization-wide adoption and compliance. In addition, you’ll want to work with legal to clearly define events that trigger a duty to preserve data, so that you can effectively train staff on those obligations.
HR representatives have a critical role to play in ediscovery — and not just for HR-related cases. By mastering management of data and information policies, the HR department has the power to protect your organization in a defensible and secure manner.