Would you mind if I troubled you for some help? I’m working on an NDA’ed project and we’ve been asked to try and address a problem which is currently causing some pain.

Imagine there was a merger between two blue-chip communications/media companies, and Company A was offering discounted deals to the employees of Company B. The staff members of Company B would need to apply for these benefits and complete an application form with applicant details, including employment status details and some sensitive info e.g. Bank Acc details. The form would then be passed to a vetting team in Company B to confirm the claimed employment status before authorising and passing the application form to Company A to process. The challenge we have is that we don’t want the vetting team in Company B to see the sensitive data contained in the application forms (for obvious reasons). The application form itself is hosted on Company B’s intranet.

What I’d like some advice on is how feasible or complicated this ask might be from a DBA/Development perspective (notwithstanding I haven’t given you tons to go on).

My initial thinking is that we could potentially get the details of the populated form passed into a database, and then only the non-sensitive details passed to the vetting team to action. Could this be something that we could potentially address with an RPA process?

I'm open to suggestions :-)

Many thanks in advance.

All 6 Replies

My view is this is classic overthinking. It's just a discount and not the end of the world if someone got a discount that shouldn't have. So the simplest solution is the usual transfer of just the information required. Names alone should suffice. Who cares if Andrew Johnson who isn't an employee gets a discount? It's a sale.

commented: Totally unhelpful. +0

I thought that might happen. I've been in such discussions in real life and the principals and their goals were hidden. That meant you couldn't give a solution because not all was told.

Here it seems simple enough UNLESS there's a player that is overthinking this.

Hi Andrew,

Welcome to DaniWeb!! I guess my confusion is why this blue chip communications/media company does not already have the methods in place to collect sensitive data from its own employees without all sensitive information being visible? That sounds a bit like a security nightmare, to be honest.

All that being said, yes, it's thoroughly possible to create a simple web-based form, hosted on Company B's intranet, provided that Company B's intranet has an SSL certificate installed. The contents of the form can be populated via a server-side script into a database. Let's make it simple, and make it a simple MySQL database. The connection can be encrypted. From there, a script can be written such that only the non-sensitive fields can be accessed by the vetting employees. The vetting employees can flag the records as valid as they process through them.

In terms of completely automating the process, that would come down to what system is currently in place that has a list of all company employees. Although I'm not well versed in enterprise systems, I'm fairly confident there would be a way to write a script to cross reference the information employees are filling out in the form with the company's employee database, such that no humans need to be involved in the vetting process at all.

From a technical perspective, my personal experience is limited to PHP/MySQL. If I were tasked with doing this project, it would be a simple HTML form, a simple one-table MySQL database, a backend PHP script that injects the form submissions into the database, and a backend PHP script for vetting employees to review limited columns from the database and update the records of the ones who are entitled to the benefits.

I want to mention that I do see that you've tagged this question Microsoft Access. My personal skills are limited to PHP/MySQL, which is why I suggested that. However, this can definitely be done with VBA in that you're using Visual Basic and MS Access. It's outside my wheelhouse, as I have limited experience with Microsoft SQL Server, etc.

However, this most certainly is not the best way to do it. The best way to do it is to tap into whatever HR system is already in place that has a master list of all employees, generate a secure form for employees to fill out, and cross reference what they've submitted with the existing master list.

Good luck!!
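As an added illustration of the column-restricted access described in the post above (not code from the poster or from either company), here is one way to enforce it in MySQL itself with per-account privileges, so the vetting script cannot read the sensitive column even if it is changed or misused. The database, table, column, account and host names and the passwords are hypothetical placeholders.

```sql
-- Added example; all identifiers below are hypothetical.
CREATE DATABASE IF NOT EXISTS benefits;
USE benefits;

CREATE TABLE applications (
    id              INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    full_name       VARCHAR(200) NOT NULL,
    employee_id     VARCHAR(32)  NOT NULL,
    employment_type VARCHAR(32)  NOT NULL,
    bank_account    VARCHAR(64)  NOT NULL,   -- sensitive: never shown to vetters
    vetting_status  ENUM('pending','approved','rejected')
                    NOT NULL DEFAULT 'pending',
    vetted_by       VARCHAR(64) NULL,
    vetted_at       DATETIME    NULL,
    submitted_at    DATETIME    NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Account used by the form-submission script: it can add rows, nothing else.
CREATE USER 'form_app'@'intranet-web.example'
    IDENTIFIED BY 'CHANGE_ME_1' REQUIRE SSL;
GRANT INSERT ON benefits.applications TO 'form_app'@'intranet-web.example';

-- Account used by the vetting script: column-level privileges only.
-- It can read the non-sensitive columns and update the three vetting columns.
CREATE USER 'vetting_app'@'intranet-web.example'
    IDENTIFIED BY 'CHANGE_ME_2' REQUIRE SSL;
GRANT SELECT (id, full_name, employee_id, employment_type,
              vetting_status, vetted_by, vetted_at, submitted_at),
      UPDATE (vetting_status, vetted_by, vetted_at)
    ON benefits.applications TO 'vetting_app'@'intranet-web.example';

-- Company A's processing account sees complete rows, but only approved ones.
CREATE VIEW approved_applications AS
    SELECT id, full_name, employee_id, employment_type, bank_account, vetted_at
    FROM applications
    WHERE vetting_status = 'approved';
CREATE USER 'processing_app'@'company-a-gw.example'
    IDENTIFIED BY 'CHANGE_ME_3' REQUIRE SSL;
GRANT SELECT ON benefits.approved_applications
    TO 'processing_app'@'company-a-gw.example';

-- What the vetting account can run:
--   SELECT id, full_name, employee_id FROM applications
--    WHERE vetting_status = 'pending';
--   UPDATE applications SET vetting_status = 'approved',
--          vetted_by = 'reviewer1', vetted_at = NOW() WHERE id = 42;
-- What the server refuses for the vetting account:
--   SELECT bank_account FROM applications;
--   SELECT * FROM applications;
```

`REQUIRE SSL` ties each account to the encrypted connection the post mentions. The grants protect only against the application accounts; anyone holding a MySQL administrative account on the server can still read every column.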

rproffitt,

I think you must be misunderstanding Andrew's question? He's saying that a company wants to give special benefits/discounts to its own employees (or rather, employees of a sister company after a merger). Why would the solution be to not do any vetting to ensure who gets the discount? What's stopping me from walking into the Apple Store right now and getting a 25% employee discount on anything I want?

I didn't mean to abandon all vetting.

But first my background includes some surveillance systems and how we validate that you are you. One of the rabbit holes we must avoid is over verification. Example:

Let's say that a person says they are John Doe. They present their company id number and while this isn't that bulletproof the chances it's our Joe is very high. Now add in some PIN code and then we are in the 90+ percent range or close to 100%.

Now back to some clients I've had in the past. Once in a while they want it to be bulletproof so we can do that but you pay for the initial work and then over and over in maintenance.

It was my understanding from the OP’s question that only the basic name and employer ID were required for the vetting process. The additional sensitive information requested in the form was a requirement of the benefits themselves. That’s why they are saying that they don’t want this sensitive information to be accessible to the vetters.

I boiled it down to "discounted deals" which from my experience would never require bank account information. Maybe there was an untold story here but as I've worked on the "is it Andrew Johnson" problem more than a few times.

Over verification does happen out there.
