Employees hand their personal information to their employer in the form of resumes, background checks, payroll documents and similar records. As the custodian of this information, the employer is responsible for protecting it.
Employers should treat employee data with the same diligence as money or intellectual property. HR generally takes the lead, because HR is the group that collects, uses and has day-to-day access to the data.
HR should document the process steps for each stage of the data lifecycle: collection, storage, sharing, access, and disposal.
Collection & Storage
The HR department should review the personal information it collects from employees and ask whether every item is actually required. Collecting information that is not needed, or collecting the same information on several documents, increases risk: the less you collect, the less you have to protect. For example, it is not advisable to ask every job applicant for a Social Insurance Number (SIN). The SIN is only needed once a candidate has been selected and you are running a background check or entering the new employee into the payroll system.
It is also worth checking whether you are asking for the Date of Birth and SIN on several forms. The candidate already provides these on the tax and benefit forms; do you still need them anywhere else?
Once you collect sensitive information, keep an inventory of what you hold and where it is stored. An accurate inventory makes it far easier to confirm that the data is secure and, when the retention period ends, to find and dispose of it.
The HR department should seek guidance from IT on safeguarding electronic data, including the applications, databases, and servers that store and process HR records.
Sensitive paper files should be kept locked up. Also consider locks on the doors, windows and storage cabinets within the HR department itself.
After an employee leaves, HR usually has to retain the file for several years before it can be destroyed. During that retention period HR should keep the files secure with access limited to the people who need it. Many organizations use third-party vendors to shred paper records; such vendors should sign a confidentiality agreement that commits them to adequate security measures.
Access & Sharing
It is important to define criteria for access to employee data. A manager might need access to an employee's resume, performance reviews, and compensation data, but does the manager need the full employee file, including the SIN and Date of Birth? Define who requires what. Since HR collects and shares the data, HR is in the position to set access levels within the organization. When it comes to personal information, the less shared, the better.
HR employees should sign a confidentiality agreement as custodians of the data. If physical files are kept on site, the HR department should maintain a list of the HR employees who have access to the filing cabinets. For electronic data, HR staff should be trained on how to handle and secure it. For example, personal information should never be sent in a plain email or as an unprotected attachment; such documents should be shared only through a secure email system, or encrypted before sending, with the password or key passed on through a separate channel.
HR employees should also lock their computer screen whenever they step away from it, even briefly. If they commute with work laptops, the laptop should stay with them and never be left unattended.
HR often gets phone calls from third parties asking for an employee's information to verify employment. A phone call alone is not sufficient: such requests should be received in writing, together with the employee's signed consent to release the information.
The HR department is responsible for keeping employee data secure at all times. The expectation of the role is that you protect employee data as carefully as if it were your own.
If you need help with your policies and processes, please contact us for a free consultation.