5 Best Practices for Employee Information Privacy

As a member of your Human Resources department, you already have a clear idea of the importance of the privacy of employee information. If scam artists can wreak havoc with a single voided check or credit card number. It’s not hard to imagine the a bad actor can do with the motherlode of sensitive information that every HR department is responsible for. Every time a new employee joins your organization, you gain access to their SSN number, banking information, and medical history. Not to mention their full name, home address, emergency contact, and any other private details in their resume and background check.

Wen you put this information together, you have everything a hacker would need for identity theft and financial fraud. Even a few pieces of data stored on a single employee could be used to to commit fraud. You have as much responsibility, if not more, of a bank manager protecting a vault full of money. Hence the importance of HR data privacy and protection practices. As a responsible member of the HR team, you can significantly improve your methods for protecting employee information through these five simple best practices.

1) Know the Sensitive Data You Have

The first step in effectively protecting the information you hold is knowing what data you have. It’s all too easy for HR data to become scattered and disorganized. You may have resumes stored in one location, background checks in another, and paycheck records in yet another location.

Not only do you need a comprehensive knowledge of where sensitive data is stored, but you also need to know exactly what data you have on each individual, current and former, employee. In addition to reorganizing your files in a more unified manner, you can also use data identification software to scan your files for anywhere sensitive data is stored that you have forgotten to tag appropriately or misfiled. The best way to accomplish this is with a data discovery assessment or tool to automate the process.

2) Broadly Apply Granular Encryption

When it comes to securing sensitive data from potential hacker security breaches, encryption can stop attacks when all other controls have failed. It is always safe to assume that a hacker or their malware virus may eventually break in and begin trying to steal data. Encryption ensures that no matter how ‘deep’ a hacker makes it into your network, they won’t be able to read the files they find, effectively securing data even though it has been accessed.

It’s easy to want to encrypt only the individual lines or values that are sensitive, such as a tax ID field in an application form. That approach doesn’t scale as files and other forms of data get created or updated on the fly. A proven way to effectively apply encryption is to use file-level encryption applied (or managed) as part of the business process. It’s far easier to manage encryption over time if it’s applied to a process or workflow to handle sensitive employee data.

3) Make Data Available on a “Need to Know” Basis

Unless authorized, other employees do not need to know or access the information HR may have on another employee. Even something as innocuous as a coworker’s age. As the keeper of sensitive information, it’s your duty to keep everything in your care confidential by default. Not even HR needs to access certain employee files unless there is a specific business reason to do so.

On the rare occasion when it is appropriate to access your active employee files for more than payroll and vacation day management, consider each piece of data classified on a need-to-know basis. Consider yourself the curator of knowledge, and carefully provide only as much as the circumstance calls for. For example, if a manager needs an employee’s home phone number for a legitimate reason. Rather than sending them a copy of the employee’s entire contact form, ‘need to know’ protocol suggest only sending over the requested number so that the employee’s home address, private email, and so on are not unnecessarily revealed.

4) Train Employees to Maintain Their Own Security

Besides handling onboarding, offboarding, payroll, vacations, and employee rights concerns, HR is also responsible for most of the training that employees go through during their employment. This not only gives you the opportunity to improve performance through well-structured professional development courses, you can also build a training course for all employees to teach them cybersecurity best practices.

The key elements of an employee security training course should include password security, social engineering hacks, and general file security practices. When employees know how to maintain their own security, this puts them in a better position to keep company data safe, help the network remain secure, and protect their own sensitive data. Unfortunately, humans will always be the weak link when it comes to security so consider employee security training as “necessary but not sufficient.”

5) Practice, Practice, Practice

Finally, practice makes perfect. Make sure that your HR team is involved in (at least) annual data breach response exercises. Include a data privacy risk assessment at the beginning of each new project. Review existing projects on a recurring interval to make sure that they haven’t changed their risk level. As your business evolves, tasks that once didn’t impose any risk may now need to be secured while other tasks may become less risky over time and not need as many controls. Ask your security team to do penetration tests on the HRIS systems and try social engineering attacks on the HR team. These activities will keep you and the HR team aligned with best practices.

Employee information security is a very important aspect of modern HR management and not to be taken lightly. When you protect the sensitive data in your care with every reasonable method available, both your employees and the entire company will be safer as a result. Visit our products and solutions pages for more information about how to identify and protect all the sensitive data your HR team manages.