9 Ways to Protect Sensitive Employee Data

From date of birth to Social Security Number (SSN) to medical records, you may need to gather sensitive employee information during the course of the employment relationship. As an employer, you have a responsibility to protect this type of information. Here are nine recommendations for protecting sensitive employee data:

#1: Develop formal policies and procedures.

Develop a formal data security policy that defines the type of sensitive information the company will protect, and how the company will protect such information. State that employee data will only be collected for legitimate business purposes and instruct employees to inform you as soon as they suspect someone has gained unauthorized access to protected information. Additionally, clearly state that unauthorized copying, transmitting, viewing, or use of sensitive employee information is subject to discipline, up to and including termination.

#2: Maintain records securely.

Implement administrative, technical, and physical controls to properly secure employee records. Paper records should be stored in a locked location, with access limited to the individual who is responsible for maintaining the files. Electronic records should be encrypted at rest and in transit, protected by strong authentication (unique accounts, multi-factor authentication where available, and credentials that are changed promptly whenever compromise is suspected), and kept on a hardened server that is patched promptly. Review these systems regularly so that software updates, configuration changes, and malware do not undermine the controls, and log and periodically review who accesses the records.

#3: Comply with recordkeeping laws.

Keep federal, state, and local recordkeeping and privacy laws in mind and only retain information for as long as it is necessary. In addition to dictating which records must be kept and for how long, these laws may address how records must be retained. For instance, the Americans with Disabilities Act (ADA) requires employers to keep employee medical information separate from employee personnel files, and access to these records must be restricted.

#4: Restrict access.

Restrict access to those who have a need to know the information. For example, managers should only be given access to performance information for their own direct reports, such as attendance records and performance reviews, and not to payroll data such as SSNs or to medical records.
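The controls in #2 through #4 translate into a small access-control layer. The following is an added example, not code from the ADP article: the employee IDs, roles, field names, and records are constructed for illustration. It keeps medical data in a store of its own, grants each role an allow-list of fields (anything not listed is denied), scopes managers to their direct reports, and writes every decision to an audit log so access can be reviewed.

```python
"""Need-to-know access to employee records (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: str


# Separate stores: the medical store is never part of the personnel file.
# All values below are made up for the illustration.
STORES = {
    "personnel": {
        "e100": {"name": "Avery Doe", "attendance": "98%", "review": "Meets"},
        "e101": {"name": "Blake Roe", "attendance": "91%", "review": "Exceeds"},
    },
    "payroll": {
        "e100": {"ssn": "***-**-1234", "dob": "1990-04-02"},
        "e101": {"ssn": "***-**-5678", "dob": "1988-11-17"},
    },
    "medical": {
        "e100": {"accommodation": "ergonomic chair", "notes": "redacted"},
    },
}

# Reporting line, used to scope managers to their own direct reports.
MANAGER_OF = {"e100": "m1", "e101": "m2"}

# Allow-list of store -> readable fields per role. Anything absent is denied.
POLICY = {
    "manager": {"personnel": {"name", "attendance", "review"}},
    "payroll": {"personnel": {"name"}, "payroll": {"ssn", "dob"}},
    "hr_medical": {"personnel": {"name"}, "medical": {"accommodation", "notes"}},
}

AUDIT_LOG = []


def _log(actor, store, employee_id, requested, outcome):
    """Record every allow and deny decision for later review."""
    AUDIT_LOG.append({"actor": actor.user_id, "role": actor.role,
                      "store": store, "employee": employee_id,
                      "fields": sorted(requested), "outcome": outcome})


def read_record(actor, store, employee_id, fields):
    """Return only the requested fields the actor may see.

    Raises PermissionError (after logging) if the role has no access to the
    store, asks for a field outside its allow-list, or, for managers,
    targets someone who is not a direct report.
    """
    allowed = POLICY.get(actor.role, {}).get(store)
    if allowed is None:
        _log(actor, store, employee_id, fields, "denied: no access to store")
        raise PermissionError(f"{actor.role} may not read {store}")
    if not fields <= allowed:
        _log(actor, store, employee_id, fields, "denied: field not on allow-list")
        raise PermissionError(f"fields {sorted(fields - allowed)} not permitted")
    if actor.role == "manager" and MANAGER_OF.get(employee_id) != actor.user_id:
        _log(actor, store, employee_id, fields, "denied: not a direct report")
        raise PermissionError(f"{employee_id} does not report to {actor.user_id}")
    record = STORES[store].get(employee_id, {})
    _log(actor, store, employee_id, fields, "allowed")
    return {f: record[f] for f in fields if f in record}


def access_allowed(actor, store, employee_id, fields):
    """True if the read succeeds; a denial is still written to the audit log."""
    try:
        read_record(actor, store, employee_id, fields)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    m1 = Actor("m1", "manager")
    print(read_record(m1, "personnel", "e100", {"attendance", "review"}))
    for store, emp, fields in [("personnel", "e101", {"review"}),
                               ("payroll", "e100", {"ssn"})]:
        try:
            read_record(m1, store, emp, fields)
        except PermissionError as exc:
            print("denied:", exc)
    print(AUDIT_LOG[-1])
```

The default-deny shape matters more than the specific roles: a new store or a new field is invisible to every role until someone deliberately adds it to POLICY, and the audit log gives the reviewer in #2 something concrete to read.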

Read the rest at the Connect@ADP blog.