HR Tip of the Week


9 Keys to Protecting Sensitive Employee Information

Employers may need to gather sensitive employee information during the course of the employment relationship, such as background checks, date of birth, Social Security number (SSN), and even medical records. Employers have a responsibility to protect this type of information. Here are nine recommendations for protecting sensitive employee data.

#1: Develop formal policies and procedures.

Develop a formal data security policy that defines the type of sensitive information the company will protect, and how the company will protect such information. State that employee data will only be collected for legitimate business purposes and instruct employees to inform you as soon as they suspect someone has gained unauthorized access to protected information. 

Give examples of the type of incidents that require reporting, such as an employee emailing a co-worker’s background check or Form W-2 to employees who aren’t authorized to access such information. Additionally, clearly state that unauthorized copying, transmitting, viewing or use of sensitive employee information is subject to discipline, up to and including termination.

#2: Maintain records securely.

Implement administrative, technical and physical controls to properly secure employee records. Paper records should be stored in a locked location, with access limited to one individual who is mainly responsible for maintaining the files. Electronic records should be encrypted, protected by passwords that are changed frequently, and maintained on a secure server. Evaluate electronic systems regularly to ensure that new technology and viruses do not compromise security.

#3: Comply with recordkeeping and privacy laws.

Follow federal, state and local recordkeeping and privacy laws and only retain information for as long as it is necessary. In addition to dictating which records must be kept and for how long, these laws may address how records must be retained. For instance, the Americans with Disabilities Act (ADA) requires employers to keep employee medical information separate from employee personnel files, and access to these records must be restricted.

Keep in mind that in recent years, states and local jurisdictions have been expanding their privacy laws. For example, the California Privacy Rights Act (CPRA) was adopted via referendum and aims to protect individuals' data privacy rights, including those of employees. The CPRA applies to companies that made more than $25 million in revenue globally in the previous calendar year. Among other things, the law gives consumers and employees certain rights regarding the information that businesses collect on them, such as the right to correct or delete personal information held by employers, opt out of the sale or sharing of their personal information, restrict the sharing of their sensitive personal information and not be retaliated against by employers for making such a request. Check your state and local laws for details.

#4: Restrict access.

Restrict access to those who have a need to know the information. For example, managers should only be given access to performance information, such as their employees' attendance records and performance reviews.

#5: Keep an access log and monitor it.

Keep a log of who accesses employee records, the date of access, and why. If employee records are stored electronically, ensure that the software is able to control and log when records are accessed and by whom. Audit paper and electronic logging systems frequently to help ensure access is properly traced.

#6: Investigate incidents of unauthorized access.

If you learn that someone may have accessed employee records without proper authorization, whether intentionally or unintentionally, investigate the incident promptly. Following the investigation, determine whether improvements are needed to better protect employee records and/or whether disciplinary action is appropriate. 

Note: In the event of unauthorized access or release of personally identifiable information, employers may be required by state and/or federal law to notify state regulators and/or impacted individuals and to take certain other steps. Review applicable laws to ensure compliance.

#7: Avoid using Social Security numbers when possible.

To protect against identity theft or other fraud, take appropriate steps to avoid transmitting, printing and using employees' SSNs whenever possible. For example, consider assigning an employee identification number to each employee, which can be used as a unique identifier on employee time cards and personnel files.

Note: Many jurisdictions have specific rules restricting employers' use of SSNs. For instance, with limited exceptions, New York generally prohibits employers from:

  • Requiring employees to use or print their SSNs or any number derived from their SSN (such as the last four digits).
  • Printing an employee’s Social Security number on any identification badge or card, including any time cards.
  • Placing an employee’s Social Security number in files with unrestricted access.

#8: Dispose of records properly.

Generally, or at the end of the retention period, employers must dispose of all employee records so they can't be read or reconstructed. Examples include, but are not limited to, burning, pulverizing, or shredding the records so the information can't be read or reconstructed; ensuring the destruction or removal of electronic media containing the employee information; and contracting with a reputable third-party vendor to properly dispose of the records in compliance with federal regulations.

#9: Provide training.

Train employees and supervisors on your company's data security policies. In addition, employees who have access to sensitive information should be trained on the company's procedures for how to prevent unauthorized access to confidential information, how to respond to security breaches, and how to properly dispose of employee records. The training should also cover common tactics used by identity thieves and hackers to gain access to sensitive information, such as social engineering and phishing.

Conclusion

To help protect sensitive employee information, develop effective data security controls, train employees and supervisors, and use proper record disposal practices.
