Best Practices for Protecting Employee Data
Is our personal data safe? This question is on our minds more than ever in the face of more frequent, more sophisticated, and more egregious security breaches. For business owners and payroll and HR professionals, the issue is especially critical. Are you doing enough internally to protect employee data? Do you have proper safeguards in place to protect against security breaches?
What we do know is that businesses are susceptible to data breaches. This is not hypothetical. So what should you do? As you review and update your security policies and procedures, here are a few things to keep in mind.
Best Practices for Protecting Employee Data:
- Map internal data flow. When looking at your internal processes, it’s important to review the flow of information and documents, including where they are stored and who has access. Where does your business interact with sensitive employee data? Make a map of these touchpoints and how data flows through your business.
- Review internal forms and requests for personal data. When looking at requests for sensitive personal information, evaluate if it’s absolutely necessary to get that information for a process to work.
- Store sensitive documents separately. Keep any records that contain sensitive information in confidential, locked files separate from other personnel files. This might include I-9 forms, employment applications, wage garnishment documents, direct deposit forms, credit card information, mortgage application inquiries, drug screen results, and background check results. If you have employee medical records, keep those separate as well.
- Limit access to sensitive information. Again, make sure the staff with access to private employee data absolutely need it in order to perform their jobs.
- Don’t use employee social security numbers as employee ID numbers.
- Clearly define document retention and destruction policies. Implement processes for how long sensitive documents are stored and how you dispose of them, such as through a paper shredding program.
- Evaluate your vendors’ data security strength. For small businesses, security depends upon your vendors having robust security measures. Check with your payroll and health insurance vendors, and also ask about their vendors.
- Prepare a response. It is absolutely necessary to create an emergency response plan to follow if there is a security breach.
- Communicate. Share your security policies and procedures with all your employees, and be transparent about security risks and your response plan in the event of a security breach.
If your business does not have the resources or knowledge to review and create data privacy policies, you would benefit from working with a technology and HR partner who can guide you through this. At Anthros, we work exclusively with vendors that have achieved SOC 2 certification, which is awarded only to organizations that have the highest security protocols in place. SOC 2 certification demonstrates a system is designed to keep sensitive data secure. When reaching out to technology and HR vendors, find out if their systems are SOC 2 compliant.
What’s important to keep in mind is that data security is no longer a problem to be handled in isolation by your IT team. Your HR team must be involved in reviewing policies and putting a response plan in place. Contact us to discuss security as it relates to your business needs and your current HR practices.
About the Author
Helen Usher is the Director of Benefits at Anthros.