Changes in some state regulations may require employers to include sensitive employee data on W-2 forms. ADP’s Jason Albert, Dan Lewis and Mollie Mantia discuss ways organizations can protect their employees and their data.
For more information, visit ADP.com/EyeOnWashington
Transcript:
Jason Albert
Employee data is valuable business data. Businesses care about it. So we want to protect it. And we care about employees as human beings, right? To protect them against things like identity theft.
Meg Ferrero
Hello from the workforce newsroom. I'm Meg Ferrero. Today we're talking about protecting your data in this evolving world of work. With me are ADP global chief privacy officer Jason Albert; vice president, compliance programs and government affairs, Dan Lewis; and joining us from Alpharetta, senior director of Compliance and Security Mollie Mantia. Thank you all for being here.
Jason, I'm going to start with you. What trends are you seeing right now with employee privacy?
Jason Albert
Well, we're seeing increased regulation, right? Most notably in California with the California Privacy Rights Act, which covers employees. But we're also seeing regulation around use of surveillance tools in the workplace. And this isn't surprising, right. Employee data is valuable business data. Businesses care about it. So we want to protect it. And we care about employees as human beings, right?
To protect them against things like identity theft. And so we're seeing with these regulations and with company practices, an increased trend towards data minimization, towards using the least amount of data needed to be able to process employee data, to be able to evaluate them, to be able to do all those types of things. And so that's really the trend that we're seeing.
Meg
I think as employees, we can all appreciate that. So, Dan, are you seeing any examples in connection with what Jason was saying around data minimization?
Dan Lewis
ADP, in our processes and controls, makes every effort to minimize the use of client employees' Social Security numbers and the documents that we issue and deliver. And we've seen challenges at a state level where states are insisting on employers providing W-2s and 1099s with full Social Security numbers for their client employees.
We think that this could create risks of data protection and data privacy, as well as going against the standards of data minimization that Jason had just pointed out to us. It's also confusing and complex for our clients when there are different rules and regulations at federal and state levels, varying state to state. We think that the best approach would be a consistent regulatory approach where data minimization is respected.
Meg
Agreed. So why did ADP make the decision to start truncating Social Security numbers on forms W-2?
Dan Lewis
In 2020 the IRS issued regulations under the 2015 PATH Act, for protecting against tax hikes Act. And in that act, the IRS permitted different truncation of Social Security numbers on W-2s and 1099s. Following that IRS guidance, ADP started truncating Social Security numbers for client employees on W-2s.
We do still issue employer-reported W-2s that are issued to state and federal agencies with full Social Security numbers. So the states do have access to the information that they need to carry out audits and to collect taxes properly. So we don't think that they need this additional information.
Meg
As we look around, Mollie, we're seeing that, you know, there are a lot of examples beyond even employers where organizations are taking the opportunity to truncate sensitive data, things like airlines truncating frequent flier numbers or credit card companies truncating credit card numbers on receipts. So to that end, from a business perspective, what are you seeing employers do to protect business confidentiality?
Mollie Mantia
You know, thanks so much for the question, Meg. I think we all would agree that business confidentiality is critically important as stewards of our client data. If you collect data, you have to make sure that you're treating it as you would treat your own. What we've seen is a major shift. I think we all remember in the 90s, early 2000 where companies would collect anything and everything.
They're like, oh, I may need this down the road. Let me get that now. And what we're really seeing is a shift to make sure we're minimizing risk by only collecting the data that we need to complete the transaction, or to complete the process. Well, I always say there's four questions we should be asking ourselves. At the end of the day, when we talk about data and how we collect it and how we make sure we minimize what we get.
The first: do I have the data I need to have a successful transaction, right? And successful can be really put into the bucket. Is the data when I need it? Can I get it done? And is it private already making sure that we're keeping that in mind. The second question would be: can any of this be minimized or redacted, which is what you mentioned earlier, that we see from the airlines.
The third: who has access to the data? Who on your teams is actually looking at it? There are different circumstances where someone may need to see some data that others may not in order to get the job or the task at hand done. The fourth is: do I have the right training in place, so that way my team knows how to interact with the data and what they should be doing with the data to make sure we are keeping it private and secure?
Meg
That's great. I think those are four key questions to ask for any employer thinking about what they're going to do with their data, I guess, really, or any business. So Jason, if you think about it, then what are the risks of not getting this right?
Jason
Well, you know, as I was saying, right. It's important to protect this data. It's valuable company data. It's valuable to the employees.
But again, like, we see these types of issues where this type of data gets out. And so one of the advantages of truncating Social Security numbers, for example, and otherwise engaging in data minimization, is that it makes it harder for people to get the information they need to, you know, impersonate or commit identity theft against someone else.
And so that is important for, you know, employee security, you know, for protecting their financial assets. And so getting this right is really, really important to make sure that as we, you know, process data for legitimate needs, the bad actors really can't get a hand on it.
Meg
And, Mollie, what do you think? What are the risks of not getting it right from a business perspective?
Mollie
You know, I think the first major risk is going to be the trust, right? So, there's the old adage, treat others how you want to be treated. Treat others' data as how you want your data to be treated. It goes hand in hand. When employees hand over that information, they explicitly assume that they will take care of it.
So if anything should happen, it's breaking that trust that everyone has worked so hard to maintain.
Employees trust us to make sure their data is secure.
Meg
See something, say something. So how much, how often have we heard that? So, Dan, there's so much going on. How is ADP staying on top of all of these changes? Whether they're statutory, regulatory, what are we doing to stay on top of it?
Dan Lewis
Yeah, there definitely is a lot going on. So you're certainly right there. I would start by saying I think it's important that our clients are aligned with trusted partners, and anybody in the business community is aligned with trusted partners that are able to support them in these challenging times in terms of fast and complex regulatory developments.
ADP, as one of those trusted partners, has a very robust and comprehensive infrastructure in place where we're able to track and understand complex regulations at a federal and state level, understand how they work together and understand where there are issues that need to be addressed. With my favorite example of Social Security truncation and the importance of that, ADP recognizes the disconnect between the federal guidance and the call for the truncation of Social Security numbers and what's happening at state level in many states.
And so we're able to connect the dots in terms of those challenges and make sure we're engaging the right stakeholders.
Jason
That's great. And I would chime in and say, you know, we have the example around Social Security number truncation, which is important, but it's also about communicating with state agencies and others who want to make sure there are secure means of communication, that we aren't using email, you know, to make sure that that information is protected, that it can't be intercepted, that it goes to the right person, that the right information ends up with the right agency.
And having a partnership and enabling that type of secure communication also is really, really important.
Meg
Yeah. So I'm hearing communication is key as usual. I think that's true in pretty much every part of life. So let's talk future trends. So what do you all foresee? I'm going to kind of hand it over to all three of you. We'll start with Jason. But what do you foresee impacting workplace data protections as the future of work evolves?
Jason
Well, I think at the state level, we're going to see continued increased regulation. Right? And then I think you're going to see increased adoption of privacy enhancing technologies to achieve that data minimization. You know, even with the dawning of artificial intelligence, while at the same time protecting that employee privacy to make sure that the minimum amount of data is needed to, you know, obtain those insights, and to prevent, you know, problematic outcomes.
Meg
Dan.
Dan Lewis
Yeah, well said. Look, I think it's well reported in terms of the priorities for deregulation at a federal level. So we're seeing that in a lot of instances. I don't see that as a focus area for privacy and security. I think that the importance of that will be status quo.
I think we are going to see the states taking a lead role in making determinations on best practices for data privacy, data minimization, etc. And so that could lead to a varied landscape at a state level. We'll have to stay on top of that and make sure that ADP and our clients are compliant across all 50 states.
Meg
Complexity. Mollie, what do you think? What do you see as trends?
Mollie
Yeah. You know, my colleagues really summed it up great. So the one thing that I would just echo on and want to add to that, it's really the voice of the employee. It's so easy now for people to express or wishes to express their concerns and really reach out to the different companies who have their data with the way that AI is changing the world today.
Ultimately, I think that the biggest trend is going to be what the employee wants, what their expectations are, and how that more severe time.
Meg
I think that's... you summed it up perfectly, keeping their interest as well as the company's interests front of mind, and making sure that we're minimizing what we can and doing right by everyone.
And thank you, Jason. Thank you Dan. Thank you Mollie. Really great for you to be here. Appreciate it. And thank you for joining us. For more insights head to ADP.com/EyeOnWashington.