From date of birth to Social Security Number (SSN) to medical records, you may need to gather sensitive employee information during the course of the employment relationship. As an employer, you have a responsibility to protect this type of information. Here are nine recommendations for protecting sensitive employee data:
#1: Develop formal policies and procedures.
Develop a formal data security policy that defines the type of sensitive information the company will protect, and how the company will protect such information. State that employee data will only be collected for legitimate business purposes and instruct employees to inform you as soon as they suspect someone has gained unauthorized access to protected information. Additionally, clearly state that unauthorized copying, transmitting, viewing, or use of sensitive employee information is subject to discipline, up to and including termination.
#2: Maintain records securely.
Implement administrative, technical, and physical controls to properly secure employee records. Paper records should be stored in a locked location, with access limited to one individual who is chiefly responsible for maintaining the files. Electronic records should be encrypted, password protected (which should be changed frequently), and maintained on a secure server. Evaluate electronic systems regularly to ensure that new technology and viruses do not compromise security.
#3: Comply with recordkeeping laws.
Keep federal, state, and local recordkeeping and privacy laws in mind and only retain information for as long as it is necessary. In addition to dictating which records must be kept and for how long, these laws may address how records must be retained. For instance, the Americans with Disabilities Act (ADA), requires employers to keep employee medical information separate from employee personnel files, and access to these records must be restricted.
#4: Restrict access.
Restrict access to those who have a need to know the information. For example, managers should only be given access to performance information, such as their employees' attendance records and performance reviews.
#5: Keep an access log and monitor it.
Keep a log of who accesses employee records, the date of access, and why. If employee records are stored electronically, ensure that the software is able to control and log when records are accessed and by whom. Audit paper and electronic logging systems frequently to help ensure access is properly traced.
#6: Investigate incidents of unauthorized access.
If you learn that someone may have accessed employee records without proper authorization, whether intentionally or unintentionally, investigate the incident promptly. Following the investigation, determine whether improvements are needed to better protect employee records and/or whether disciplinary action is appropriate. Note: In the event of unauthorized access or release of personally identifiable information, employers may be required by state and/or federal law to notify state regulators and/or impacted individuals and to take certain other steps. Review applicable laws to ensure compliance.
#7: Avoid using SSNs when possible.
To protect against identity theft or other fraud, take appropriate steps to avoid transmitting, printing and using employees' SSNs whenever possible. For example, consider assigning an employee identification number to each employee, which can be used as unique identifiers on employee time cards and personnel files. Note: Many jurisdictions have specific rules restricting employers' use of SSNs. For instance, with limited exceptions, New York generally prohibits employers from requiring employees to use or print their SSNs or any number derived from their SSN (such as the last four digits).
#8: Dispose of records properly.
Generally, or at the end of the retention period, employers must dispose of all employee records so that they can't be read or reconstructed. Examples include, but are not limited to, burning, pulverizing, or shredding the records so that the information can't be read or reconstructed; ensuring the destruction or removal of electronic media containing the employee information; and contracting with a reputable third party vendor to properly dispose of the records in compliance with federal regulations.
#9: Provide training.
Train employees and supervisors on your company's data security policies. In addition, employees who have access to sensitive information should be trained on the company's procedures for how to prevent unauthorized access to confidential information, how to respond to security breaches, and how to properly dispose of employee records. The training should also cover common tactics used by identity thieves and hackers to gain access to sensitive information, such as social engineering and phishing.
To help protect sensitive employee information, develop effective data security controls, train employees and supervisors, and use proper record disposal practices.