Blueprint for Balance: IBM’s Guide to Managing and Protecting People Data

People analytics aims to provide actionable talent insights that have a clear impact on business outcomes. To achieve this, it's important to integrate data from various HR areas with information from other business functions, like Finance. This can be done by manually combining spreadsheet files, reviewing curated reports and dashboards, or by using AI solutions that facilitate large-scale predictive analytics. Generative AI further expands these possibilities by making people data and insights accessible to a wider audience, including those outside HR, who can use natural language to derive insights.

Regardless of the method used, it's crucial to remember that people analytics involves handling personal and sensitive personal information (PI/SPI), which is subject to stringent usage restrictions that can vary by country and specific use-case.

In the past couple of years, IBM transformed its internal people data platform.  Workforce360, IBM internal people data platform, aggregates data from over 35 sources, delivering integrated talent insights in just two days—23 days faster than previous methods. It simplifies access by consolidating over 400 reports into fewer interfaces and enhances solution development with its API integrated into over 50 applications, including our AskHR Chatbot supporting 2M interactions a year. Finally, the platform also supports key AI applications for career movement, skills, and compensation. More information on our transformation is available in other articles on my newsletter.

Throughout the years, we have achieved considerable advancements in people data access control. Although there remains substantial work to be accomplished, we can confidently summarize our lessons learned in the realm of data authorization into three core principles:

A. Always secure data, not systems, reports, or (Gen)AI solutions

The need to quickly deploy a people analytics solution in production often tempts developers to protect each report or AI solution independently. This method appears straightforward as it provides clear control over who accesses each item. However, this approach is not scalable, especially as the number of reports increases or when compliance regulations demand stricter scrutiny of data access. Consider the challenges involved in reviewing and further restricting access to specific SPIs (e.g., performance data for European employees). If the authorization process is implemented differently across multiple reports or AI solutions, it becomes extremely difficult to understand who has access to what and to make decisions about removing access to all related data. While initially appealing, this method ultimately complicates data management, reduces flexibility, and must be avoided.

B. Effectively balance the need for security and trust.

Setting up a complex, multi-step authorization process can slow operations and deter users from seeking access, thus restricting data democratization. On the other hand, broadly granting access and relying on users to act responsibly carries significant risks. Even actions taken with good intentions can result in costly errors for the enterprise, especially when dealing with PI/SPI.

C. Each data has ONE owner. Make sure you know who is responsible for each decision.

A crucial yet often overlooked aspect of authorization is clarity about who truly "owns" the data. Each piece of people data must have an accountable owner responsible for setting organizational policies that could go beyond legal requirements. The data owner is distinct from the system's custodian, where the data is hosted. They are not the creator of a report or the ChatBot. Nor are they part of the privacy and legal teams, which set compliance policies and offer guidance on business rules. Typically, the data owner should be identified either within the function generating the data (e.g., Compensation, Diversity, Talent Acquisition) or within the Business Unit associated with the data creation (e.g., sales organization for seller quota attainment).

Our Experience with Workforce360

Initially, our people data was scattered across multiple systems, each with varying and sometimes manual access processes. This required navigating multiple lengthy procedures, often resulting in inconsistent access across different systems.

With Workforce360, we phased out these outdated processes in favor of a uniform access system for all people data. This change streamlined the approval process from weeks to just days and increased our ability to adapt to policy changes.

Our security framework is built around "Security Objects," "Fast- and Standard- access," and a "one-size-fits-all approach to data consumption."

Security objects

All data ingested into WF360 is categorized into Security Objects. A Security Object represents the smallest unit of data to which a user can request access. For example, First Name, Last Name, and employee email are grouped under the Security Object named 'Basic Data.' A user can request access to 'Basic Data' and, if approved, gain access to all data within this group. It is not possible for a user to request access to just the First Name without the Last Name.

Our system includes Security Objects tailored for specific areas such as compensation, talent acquisition, and diversity, to name a few. The number of data objects varies by company, but it is crucial to keep this number as small as possible. At IBM, we maintain less than two dozen Security Objects for all the data in WF360.

When users request data access, they specify the data objects they need along with the relevant business unit and geographic location. To meet strict compliance requirements, access can also be requested for individual countries.

Fast and custom-based access

At IBM, anyone can request access to all PI/SPI data within Workforce360, though not all requests are granted. Ownership of each security object is well-understood, with designated approvers specified by the owner. For instance, the compensation leader may require each Geo compensation director to review global requests for benefits data, while the HR owner of diversity data might limit access strictly to specific individuals within HR or Legal departments.

 Clarifying data ownership is crucial for both accountability and consistent decision-making, and it also facilitates fast-track approvals for specific job roles.

In WF360, we identify job-role owners, such as executives overseeing an HRP organization, who are responsible for groups of employees that require specific data to fulfill their roles. Each job-role is defined by objective criteria that determine which employees fall under it, and job-role owners are held accountable for the behavior of this population when it comes to people data usage.

The Workforce360 team coordinates between security object and job-role owners to facilitate fast-path approvals for specific roles. For example, a Comp director may waive additional evaluations for HR partners within a Geo. This streamlined process has significantly reduced approval times from weeks to within 48 hours.

A one-size-fits-all approach to data consumption

When users gain access to data, they can utilize it across all platforms, including Reports, SQL, AI, or our AskHR chatbot. Centralizing access is crucial, as it enhances compliance and speeds up processes. For example, AskHR, IBM's chatbot, delivers people data to HRPs but doesn’t manage access directly. Instead, it uses the same permissions granted for Reports.

Access control management for people data is an ongoing process. Currently, we're focusing on two main areas: (a) securing data consistently across all enterprise systems, not merely within the people data platform, and (b) expanding our security model to include not only structured data but also semi-structured and unstructured data used in tuning GenAI models. There is significant potential in these areas, and I would love to hear from you on thoughts and lessons learned.

Thank you for taking the time to read this article. If you're interested in these topics and IBM’s internal people data transformation, I would be delighted if you joined my People Data Platform monthly newsletter.