5 Best Practices for Employee Data Privacy

As a member of your Human Resources department, no doubt you already have a clear idea of how important the privacy of employees’ personal information is. If scam artists can wreak havoc with a single voided check or credit card number, it’s not hard to imagine the harm they can do with the mother lode of sensitive personal information that every HR department is responsible for. Every time a new employee joins your ranks, you gain access to their Social Security number, banking information, and medical history, not to mention their full name, home address, emergency contact, and all the private details contained in their resume and background check.

Taken together, that is everything a criminal would need for identity theft and financial fraud, and even a few of the pieces you hold on a single employee could be used to ruin that person’s life. In other words, you have as much responsibility as, or more than, a bank manager protecting a vault full of money. Hence the importance of HR data security practices. As a responsible member of the HR team, you can significantly improve how you protect sensitive employee information through these five simple best practices.

1) Know the Sensitive Personal Data You Have

The first step in effectively protecting the information you hold is to know what you have. Over decades of being in business, it’s all too easy for HR data to become scattered and disorganized, or for the department to retain more of it than it needs. You may have resumes stored in one location, background checks in another, and paycheck records in yet another.
Not only do you need comprehensive knowledge of where sensitive data is stored, but you also need to know exactly what data you hold on each current and former employee. In addition to reorganizing your files in a more unified manner, you can use data identification software to scan your systems for sensitive data stored anywhere you have forgotten about, lost track of, or misplaced it. The best way to accomplish this is with a data discovery assessment.
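The core of such a scan is pattern matching followed by a validity check, so that placeholder values and unrelated numbers do not flood the report. The following is an added example written for this article, not code from any product; it scans a constructed, fake HR export for Social Security numbers, ABA bank routing numbers, and payment card numbers, keeps only candidates that pass each identifier’s own check (issued SSN ranges, the ABA check digit, the Luhn check digit), and reports only masked values so the scan output does not become another copy of the secret.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one validated hit: what kind of identifier, where, and a masked
// rendering that is safe to put in a report.
type Finding struct {
	Kind   string
	Line   int
	Masked string
}

var (
	ssnRe     = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	routingRe = regexp.MustCompile(`\b\d{9}\b`)
	cardRe    = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
)

// ssnPlausible rejects SSN shapes that are never issued: area 000, 666
// or 900-999, group 00, serial 0000. Form-template placeholders usually fail here.
func ssnPlausible(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// abaValid applies the ABA routing-number check digit (weights 3,7,1 repeated).
func abaValid(d string) bool {
	weights := [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}
	sum := 0
	for i := 0; i < 9; i++ {
		sum += weights[i] * int(d[i]-'0')
	}
	return sum%10 == 0
}

// luhnValid applies the Luhn check digit used by payment card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps only the last four digits, which is all a report needs.
func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// ScanText runs every detector over each line and keeps only candidates
// that pass the identifier's own validity check.
func ScanText(text string) []Finding {
	var out []Finding
	stripSep := strings.NewReplacer(" ", "", "-", "")
	for n, line := range strings.Split(text, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if ssnPlausible(m[1], m[2], m[3]) {
				out = append(out, Finding{"ssn", n + 1, "***-**-" + m[3]})
			}
		}
		for _, m := range routingRe.FindAllString(line, -1) {
			if abaValid(m) {
				out = append(out, Finding{"bank_routing", n + 1, mask(m)})
			}
		}
		for _, m := range cardRe.FindAllString(line, -1) {
			if d := stripSep.Replace(m); luhnValid(d) {
				out = append(out, Finding{"card", n + 1, mask(d)})
			}
		}
	}
	return out
}

// SampleExport is a constructed, fake HR export used as the scanner's input.
// Lines 2, 5 and 6 are decoys that a pattern-only scanner would flag.
const SampleExport = `Name: Jane Doe, SSN: 123-45-6789
Placeholder SSN from a form template: 000-12-3456
Direct deposit routing number: 021000021
Corporate card on file: 4111 1111 1111 1111
Employee ID: 123456789
Ticket reference: 1234 5678 9012 3456`

func main() {
	for _, f := range ScanText(SampleExport) {
		fmt.Printf("line %d: %-12s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

Run against the sample, the scanner reports three findings (the SSN on line 1, the routing number on line 3, the card on line 4) and ignores the placeholder SSN, the nine-digit employee ID and the sixteen-digit ticket reference. In a real assessment the same function would be fed every file, mailbox export and database dump the department can reach, and the line numbers would be replaced by file paths so the findings become an inventory.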

2) Broadly Apply Granular Encryption

When it comes to securing sensitive data against a breach, encryption is the control that can still hold after every other control has failed. Assume that an attacker or their malware will eventually get in and begin looking for data to steal. Encryption ensures that no matter how deep into your network they get, the files they find are unreadable to them, so the data stays protected even though it has been accessed. The caveat is that this only holds if the decryption keys are not reachable from the compromised system: keys belong in a separate key management service or hardware module, and an attacker who steals the credentials of an application that is entitled to decrypt will see plaintext just as that application does.

It’s tempting to encrypt only the individual fields that are sensitive, such as the tax ID in an application form. That approach doesn’t scale as files and other forms of data are created or updated on the fly, because every new field has to be classified before it is protected. A proven way to apply encryption effectively is file-level encryption applied (or managed) at the business process or repository level: everything the process writes is encrypted, under a key that belongs to that process or repository. It’s far easier to manage encryption over time when it is applied to a workflow that a data discovery assessment has shown to handle sensitive employee data.

3) Make Personal Data Available on a “Need to Know” Basis

One employee does not need to know any of the information HR may hold on another employee. They don’t even need to know their coworkers’ ages. As the keeper of sensitive personal information, it’s your duty to keep everything in your care confidential by default. Not even HR staff need access to certain employee files unless there is a specific business reason for it.

On the rare occasions when it is appropriate to access your active employee files for more than payroll and vacation management, treat each piece of data as classified on a need-to-know basis. Consider yourself the curator of that knowledge, and carefully provide only as much as the circumstance calls for. Let’s say a manager needs an employee’s home phone number for a legitimate reason. Rather than sending them a copy of the employee’s entire contact form, the ‘need to know’ protocol suggests sending only the requested number, so that the employee’s home address, private email, and so on are not unnecessarily revealed.
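The manager-and-phone-number scenario above, turned into a deny-by-default disclosure function as an added example written for this article (not code from any HRIS): each role has an allowlist of fields it may ever receive, a request is answered field by field rather than with the whole record, anything not on the list is refused and reported, and every request leaves an audit entry naming the requester and the purpose. The role names, field names and sample record are this example’s own assumptions.

```go
package main

import "fmt"

// Record is a constructed HR record; the field names are this example's own.
type Record map[string]string

// allowed maps a requester role to the fields it may ever receive. Anything
// not listed, and any role not listed, is denied: the default is "no".
var allowed = map[string]map[string]bool{
	"manager": {"work_phone": true, "home_phone": true, "emergency_contact": true},
	"payroll": {"bank_routing": true, "bank_account": true, "tax_id": true},
}

// AuditEntry records who asked, why, and what was and was not disclosed.
type AuditEntry struct {
	Requester, Role, Purpose string
	Disclosed, Denied        []string
}

// Disclose returns only the requested fields the role may see, never the
// whole record, and reports the denied fields so the request can be refused
// visibly rather than silently trimmed or silently over-fulfilled.
func Disclose(rec Record, requester, role, purpose string, requested []string) (map[string]string, AuditEntry) {
	out := map[string]string{}
	entry := AuditEntry{Requester: requester, Role: role, Purpose: purpose}
	for _, f := range requested {
		if !allowed[role][f] { // lookup in a nil map for an unknown role is false
			entry.Denied = append(entry.Denied, f)
			continue
		}
		if v, ok := rec[f]; ok {
			out[f] = v
			entry.Disclosed = append(entry.Disclosed, f)
		}
	}
	return out, entry
}

func main() {
	// Constructed sample record.
	rec := Record{
		"home_phone":   "555-0100",
		"home_address": "1 Main St",
		"bank_routing": "021000021",
	}
	got, audit := Disclose(rec, "m.smith", "manager", "after-hours outage call",
		[]string{"home_phone", "home_address"})
	fmt.Printf("disclosed=%v\naudit=%+v\n", got, audit)
}
```

The manager receives the home phone number and nothing else; the home address they also asked for shows up in the audit entry as denied, which is the right outcome, since a quiet omission would hide the over-broad request and a quiet inclusion would be the leak the section is about. An unknown role, such as a curious intern, is denied every field because there is no allowlist for it.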

4) Train Employees to Maintain Their Own Security

Besides handling onboarding, offboarding, payroll, vacations, and employee rights concerns, HR is also responsible for most of the training that employees receive during their employment. This not only gives you the opportunity to improve performance through well-structured professional development courses; it also lets you build a first-rate course that teaches every employee cybersecurity best practices.

The key elements of an employee security training course should include password security, social engineering (phishing, pretexting, and the like), and general file handling practices. When employees know how to maintain their own security, they are in a better position to keep company data safe, help the network remain secure, and protect their own sensitive personal data. Unfortunately, people will always be a weak link when it comes to security, so treat employee security training as necessary but not sufficient: it reduces the rate of mistakes, and the controls in the previous sections are what limit the damage when a mistake happens anyway.

5) Practice, Practice, Practice

Finally, practice makes habit. Make sure that your HR team takes part in (at least) annual data breach response exercises. Include a data privacy risk assessment at the start of each new project, and review existing projects at a recurring interval to confirm that their risk level hasn’t changed. As your business evolves, tasks that once posed no risk may now need to be secured, while other tasks may become less risky over time and need fewer controls. Ask your security team to run penetration tests against the HRIS and to attempt social engineering attacks on the HR team itself. These activities will keep you and the HR team aligned with best practices.

Data security is a very important aspect of modern HR management and not to be taken lightly. When you protect the sensitive data in your care with every reasonable method available, both your employees and the entire company are safer as a result. Visit our products and solutions pages for more information about how to identify and protect all the sensitive data your HR team manages.