10 Ways to Protect Sensitive Employee Information
During the course of the employment relationship, you may need to gather sensitive employee information, such as date of birth, Social Security Number (SSN), and medical records. When you do, you have a responsibility to protect this type of data. Here are 10 best practices for protecting sensitive employee information:
#1: Develop formal policies and procedures.
Develop a formal data security policy that defines the type of sensitive employee information the company will protect and how. State that employee data will only be collected for legitimate business purposes and instruct employees to inform you as soon as they suspect someone has gained unauthorized access to protected information. Additionally, clearly state that unauthorized copying, transmitting, viewing, or use of sensitive employee information is subject to discipline, up to and including termination.
#2: Maintain records securely.
Implement administrative, technical, and physical controls to properly secure employee records. Paper records should be stored in a locked location, with access limited to one individual who is chiefly responsible for maintaining the files. Electronic records should be encrypted, password protected (which should be changed frequently), and maintained on a secure server. Evaluate electronic systems regularly to ensure that new technology and viruses do not compromise security.
#3: Follow recordkeeping laws.
Follow all federal, state, and local recordkeeping laws and only retain information for as long as it is necessary. In addition to dictating which records must be kept and for how long, these laws may address how records must be retained. For instance, the Americans with Disabilities Act (ADA), requires employers to keep employee medical information separate from employee personnel files, and access to these records must be restricted.
#4: Comply with state data privacy laws.
Some states have enacted data privacy laws that cover information that employers collect from applicants and employees. For instance, effective January 1, 2020, the California Consumer Privacy Act (CCPA) requires, among other things, any for-profit business covered by the CCPA that also has California resident employees, to disclose to individuals (job applicants to, employees of, contractors of, owners of, directors of, officers of, medical staff members of that business), at the time or before the personal information is collected, the categories of personal information collected and processed in the context of the employment relationship, and the purposes for which the categories of personal information shall be used.
CCPA Coverage:
Employers are covered by the CCPA's disclosure requirement if they are a for-profit business that collects or processes personal information related to California residents, and:
- Have annual gross revenues over $25,000,000; or
- Annually buy, receive, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households or devices; or
- Derive 50 percent or more of their annual revenues from selling consumers' personal information.
Businesses that meet one or more of the above criteria and collect or process personal information related to California residents outside the context of an employment relationship, such as from clients or prospective clients, are subject to additional requirements. If you would like assistance in determining whether you are covered by the CCPA, consult your legal counsel and/or tax advisor.
Note: ADP® has developed a sample employee notice that ADP clients can use to describe the categories of personal information collected by ADP as an HCM service provider. Regardless of where you are located, make sure you understand and comply with applicable data privacy laws.
#5: Avoid using SSNs when possible.
To protect against identity theft or other fraud, take appropriate steps to avoid transmitting, printing and using employees' SSNs whenever possible. For example, consider assigning an employee identification number to each employee, which can be used as a unique identifier on employee time cards and personnel files. Note: Some jurisdictions have specific rules restricting employers' use of SSNs. For instance, with limited exceptions, New York generally prohibits employers from requiring employees to use or print their SSNs or any number derived from their SSN (such as the last four digits).
#6: Restrict access.
Restrict access to those who have a need to know the information. For example, managers should only be given access to performance information, such as their employees' attendance records and performance reviews. They should not have access to other information, such as an employee's medical history or status as a member of a protected group.
#7: Keep an access log and monitor it.
Keep a log of who accesses employee records, the date of access, and why. If employee records are stored electronically, ensure that the software is able to control and log when records are accessed and by whom. Audit paper and electronic logging systems frequently to help ensure access is properly traced.
#8: Investigate incidents of unauthorized access.
If you learn that someone may have accessed employee records without proper authorization, whether intentionally or unintentionally, investigate the incident promptly. Following the investigation, determine whether improvements are needed to better protect employee records and/or whether disciplinary action is appropriate. Note: In the event of unauthorized access or release of personally identifiable information, employers may be required by state and/or federal law to notify state regulators and/or impacted individuals and to take certain other steps. Review applicable laws to ensure compliance.
#9: Dispose of records properly.
Generally at the end of the retention period, employers must dispose of all employee records so that they can't be read or reconstructed. Examples include, but are not limited to, burning, pulverizing, or shredding the records so that the information can't be read or reconstructed; ensuring the destruction or removal of electronic media containing the employee information; and contracting with a reputable third-party vendor to properly dispose of the records in compliance with federal regulations.
#10: Provide training.
Train employees and supervisors on your company's data security policies. In addition, employees who have access to sensitive information should be trained on the company's procedures for how to prevent unauthorized access to confidential information, how to respond to security breaches, and how to properly dispose of employee records. The training should also cover common tactics used by identity thieves and hackers to gain access to sensitive information, such as social engineering and phishing.
Conclusion:
To help protect sensitive employee information, develop effective data security controls, train employees and supervisors, use proper record disposal practices, and comply with applicable laws.