THE ETHICAL DILEMMA OF DATA

 

Data is power in today's digital HR ecosystem, but it can also be a moral minefield. HR professionals must manage personal data responsibly while still achieving business goals as they depend more and more on workforce data to inform decisions. Employees are people, not just data points, as a truly ethical HR strategy acknowledges. Leaders have a moral responsibility to build data ethics into HR strategies, not just as a legal requirement. The fundamental question at the heart of the data center's ethical challenge is: exactly how much employee data is sufficient?

Large volumes of operational, customer, and employee data are being gathered as a result of the adoption of digital technologies in Sri Lankan industries, including banking, apparel, healthcare, telecommunications, and even education. Data-driven decision-making can boost productivity and competitiveness, but it also presents significant ethical issues, particularly in light of the rapidly changing laws and public awareness surrounding data protection.

🌴Handling Employee Data Responsibly 

“HR leaders must act as data stewards, not just data users.”

 CIPD (2025), Ethics at Work: HRM in a Time of Technological Change 

A wide variety of data is gathered by modern HR systems, including engagement levels, health records, performance metrics, recruitment histories, and, in certain sectors, biometric information. The improper handling of this data can result in discrimination, mistrust, or legal consequences, even though it can also lead to better decisions and increased productivity.

A specific problem is more important than ever as Sri Lankan workplaces require digital transformation: how companies manage employee data. Businesses gather a great deal of employee data, from the big banks in Colombo to the clothing factories in the Free Trade Zones. However, are they handling this data in a secure, open, and moral manner?

🌴Consent, Transparency & Right to Privacy 

Edmondson (2019) emphasizes that organizations must “build psychological safety” by respecting employees' dignity and privacy. 

Employees frequently are unaware of what information is gathered, how it's used, or if they have the option of choosing out. Demands of ethical HRM:

• Employees must understand and consent to the use of their data.

• Transparency: Explaining in detail what is gathered and why.

• Right to privacy: Workers must continue to have control over private information.

Data minimisation, or gathering only the information required for the particular purpose, is one of the fundamentals of ethical data handling. For example, a Biyagama clothing manufacturer only gathers NIC numbers, emergency contacts, and bank account information for payroll processing; they do not request unrelated information like family income or religion. However, some businesses, especially those in low-wage industries, ask employees for more personal information than is necessary, which raises concerns about fairness and privacy.

Informed consent is another crucial idea. Workers need to know exactly what information is being gathered, why, and by whom. Leading Sri Lankan companies, such as Dialogue Axiata, have embraced best practices by incorporating a digital consent procedure into the onboarding process. Workers receive information about the use and security of their attendance, location data, and performance metrics. On the other hand, businesses still occasionally send unsolicited marketing messages to employees using their phone numbers or emails without getting their consent.

Another important duty is protecting employee data. Only authorised personnel should have access to personal and professional data, which should be kept in secure systems, ideally encrypted. Sensitive information, such as medical leave or disciplinary action, is only accessible to HR officers and the heads of the relevant departments in certain private hospitals in Colombo that use encrypted Human Resource Management Systems (HRMS). Smaller businesses, on the other hand, continue to exhibit poor data practices, sharing documents like salary slips and performance reviews via unprotected email systems or storing them in open folders.

Employers must also only use employee data for the purposes for which it was intended. It is unethical and possibly a breach of trust to reuse data for unrelated purposes without consent. An IT company in Malabe that uses employee attendance data only for project scheduling and payroll—not for ranking or public comparison—is a great example of responsible behaviour. However, it is against emerging data protection laws and ethical standards to use health records from COVID-19 screenings to determine whether a staff member is qualified for promotion without further consent.

Workers are also entitled to see and update their personal information. This is a crucial component of equity and openness. Employees in Sri Lanka can now update their address, phone number, and banking information by logging into secure HR portals provided by government agencies and certain financial institutions. In addition to increasing data accuracy, granting such access promotes trust between employers and employees.

In this regard, Sri Lanka's legal system is also changing. A big step forward has been made with the introduction of the Personal Data Protection Act No. 9 of 2022. When fully enacted, this law will mandate that companies designate Data Protection Officers, permit employees to access or request the deletion of their data, and require consent before collecting or processing personal data. Additionally, the law will require that any data breaches be reported within a certain amount of time. Organisations should start integrating the Act's fundamental principles into their HR procedures, even though full enforcement is still being implemented in stages.

It is now imperative to handle employee data responsibly as Sri Lanka's digital transformation picks up speed. It is about creating work environments where privacy, dignity, and openness are genuinely valued and honouring the faith that workers have in their employers. As Professor A. Wickramasinghe of the University of Colombo correctly notes, "Respecting employee data is a reflection of your workplace ethics—it's not just a matter of compliance."

🌴GDPR and Global Data Ethics Compliance 

“Data ethics is no longer optional—it’s a global compliance imperative.”

— Wright & Schultz (2023), Journal of Business Ethics 

With the General Data Protection Regulation (GDPR) as the standard, businesses everywhere must:

• Reduce the amount of data that is collected (data minimization principle)

• Safely store data.

• Employees should be granted access and deletion rights.

• Report violations as soon as possible.

When working in multiple jurisdictions, HR teams must adhere to local laws and international ethical standards in addition to GDPR.

The ethical handling of personal data has become a critical issue for Sri Lankan businesses, particularly those doing business with foreign clients, in an increasingly digital economy. Because more and more local businesses in the IT, BPO, tourism, education, and apparel sectors handle data belonging to EU citizens, the General Data Protection Regulation (GDPR), despite being a law of the European Union, is highly relevant to Sri Lanka. Businesses must reconsider how they gather, store, and use personal data in light of the principles that the GDPR emphasises, including transparency, consent, purpose limitation, and data minimisation. In 2022, Sri Lanka established its own Personal Data Protection Act in recognition of this global change, bringing the nation's legal system into compliance with international norms. 

Nevertheless, despite these advancements, many Sri Lankan workplaces—especially public institutions and SMEs—lack the infrastructure and awareness necessary to adopt ethical data practices. The use of sensitive employee data for unforeseen purposes, inadequate digital security, lack of informed consent, and excessive data collection during the hiring process are common problems. For instance, some private employers run the risk of violating employees' privacy by storing biometric attendance data or employee family information without proper safeguards. 

However, progressive companies in Colombo's IT parks and significant financial institutions have begun hiring Data Protection Officers and educating employees about ethics and privacy. In the future, Sri Lankan companies must integrate data ethics into their corporate culture not only to comply with the law but also to foster employee trust, protect stakeholder relationships, and stay competitive in the globally interconnected digital economy.

References

1. CIPD (2025) Ethics at work: HRM in a time of technological change. https://www.cipd.org

2. Edmondson, A. (2019) The fearless organization: Creating psychological safety in the workplace. Hoboken, NJ: Wiley.

3. European Commission (2018) General Data Protection Regulation (GDPR). https://gdpr.eu

4. Harvard Business Review (2024) The future role of HR: From compliance to culture catalyst. https://hbr.org

5. Government of Sri Lanka (2022) Personal Data Protection Act, No. 9 of 2022. Available at: https://www.parliament.lk/uploads/acts/gbills/english/6225.pdf

6. European Commission (2024) General Data Protection Regulation (GDPR). Available at: https://gdpr.eu/

7. CIPM Sri Lanka (2024) HRM and data ethics in the digital era – HR Insight Journal.

8.Jayawardena, S. (2023) ‘Cross-border data compliance in South Asian SMEs’, Journal of Business Ethics in Asia.