In order to handle the security issues with regards to maintaining privacy of the submitted confidential data, in an example embodiment, no single service is permitted to access both confidential data and member identity data. This design ensures that an attacker would have to compromise more than two services to be able to associate a member with their corresponding compensation data. Thus, member privacy would be preserved if there were any single point of breach. In an example embodiment, an approach is taken where it is still possible for a member to delete his or her confidential data information.