Posted by Trakstar • April 5, 2022 • 7 min read
When you store employee data of any kind, there is an employer responsibility to protect employee information. Human resources has a huge part in employee data protection. This department holds some of the most sensitive and important information one can collect: social security numbers, bank information, medical history, addresses, benefit information, and so much more.
Knowing how to protect employee data is difficult because there are so many people trying to get access to it to make money, ruin reputations, and even just for fun. Hackers aren’t the sinister villains of the past; they are real-time threats to the safety of your employees. So what can you do to protect employee data? Try to follow these eleven practical tips.
Keep in mind that employee personal information protection laws have been put in place for a reason. It is up to human resources to ensure that all employee protection plans are carried out, updated, and followed. It can be hard to do that while doing everything else you need to do, but it is important.
Some of these are ongoing efforts that you will need to account for, and others are on a case-by-case basis.
Developed by the American Institute of CPAs (AICPA), “SOC 2” is a designation given to a business that meets the criteria for managing customer data based on its five trust service principles. Those principles are:
In order to get a SOC 2 designation, a company needs to undergo an audit on a yearly basis.
When your tools have a SOC 2 designation, you can trust that your employee information is safe. Chris McClave, Trakstar’s Chief Technology Officer, says “Trakstar prioritizes the security and confidentiality of customer data. Our security and data privacy controls undergo an annual SOC 2 audit by a licensed CPA firm, providing our customers a level of confidence that we have the right tools and training in place to protect their information.”
What HR can do: Never buy software that doesn’t have a SOC 2 designation. This opens your employees up to danger and goes against the employer responsibility to protect employee information. Before buying a tool or solution that will store any kind of employee information, be sure to check for this designation. The logo looks like this:
When you onboard new employees (and on a regular basis after that), you need to make them aware of a formalized policy around employee data. This can include employee data protection, business data protection, and customer data protection. Be sure to strictly follow this policy and educate all of your employees, no matter what position they hold, on what the best practices are, and on what the impact will be if they don’t follow the policy.
What HR can do: Create onboarding materials surrounding the sensitive information that your company protects. Clearly state what employees should do if they find out someone has gone against these policies and what will happen if someone is caught doing so. Ensure compliance by tracking who completes these courses.
If your employees are using computers, accounts, and solutions that require passwords, be sure to encourage them to use best practices when they are making those passwords. Some reminders for how to generate a strong password include:
What HR can do: Encourage employees to create complex passwords and update them regularly.
A few decades ago, HR would lock up employee information in a filing cabinet and that would be enough, but those days are gone. Today, record and data safety requires technological intelligence. Limit access to those files and ensure that everyone who does access them is vetted, trained, and understands the importance of security. If that person leaves their position, one of the first things you should do is revoke access.
What HR can do: Use encryption, password protection, and authentication software whenever possible to access employee data. Continually evaluate who has access to this information.
As soon as someone leaves their position, whether it is through quitting, firing, or simply because they are moving to another position within the company, you should restrict their access. You can always give it back later. While that information may still be safe, if they don’t need to have access to it, they shouldn’t.
What HR can do: Have a system in place for what happens when someone changes their position or gets a new job. Be sure this plan includes restricting access to sensitive information.
Every state has its own set of laws regarding privacy, recordkeeping, and employee personal information protection. Countries, counties, and even towns can have their own laws as well. It is a lot to keep track of, but it is important that you do so.
What HR can do: HR needs to stay updated on laws, so make an effort to subscribe to HR newsletters to keep track of any changes.
If possible, HR and your IT team should be able to create a log of who accesses employee records and other sensitive information. Each log entry should record the date of access, the reason for it, and how long the record was open.
What HR can do: Once these systems have been implemented, be sure to run tests and audits on a regular basis to ensure that no one can slip through the cracks. Try to fool the system with incognito windows, private browsing, mobile access, and more.
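The two practices above, revoking access as soon as someone changes role and logging every access to sensitive records, fit together naturally: the same component that decides whether a request is allowed is the one that should write the log line. The following is an added illustration, not Trakstar's code or any product's API; the record categories, user names, the 30-minute session threshold and the sample scenario are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical record categories; a real system would use its own names.
SENSITIVE_RECORDS = {"payroll", "medical", "ssn"}


@dataclass
class AccessEntry:
    """One line of the access log: who, what, when, why, how long, and the outcome."""
    user: str
    record: str
    when: datetime
    reason: str
    duration_s: int
    granted: bool


class EmployeeRecordStore:
    """Tracks who may open which record categories and logs every attempt, allowed or not."""

    def __init__(self) -> None:
        self.grants: dict[str, set[str]] = {}   # user -> record categories they may open
        self.log: list[AccessEntry] = []

    def grant(self, user: str, *records: str) -> None:
        unknown = set(records) - SENSITIVE_RECORDS
        if unknown:
            raise ValueError(f"unknown record categories: {sorted(unknown)}")
        self.grants.setdefault(user, set()).update(records)

    def revoke_all(self, user: str) -> None:
        """Offboarding or role change: drop every grant; it can be re-granted later if needed."""
        self.grants.pop(user, None)

    def change_role(self, user: str, *records: str) -> None:
        """Default-deny on role change: revoke everything, then grant only the new set."""
        self.revoke_all(user)
        if records:
            self.grant(user, *records)

    def access(self, user: str, record: str, reason: str, when: datetime, duration_s: int) -> bool:
        """Decide the request and log it in the same step so denied attempts are never lost."""
        granted = record in self.grants.get(user, set())
        self.log.append(AccessEntry(user, record, when, reason, duration_s, granted))
        return granted


def audit(store: EmployeeRecordStore, max_duration_s: int = 1800) -> list[str]:
    """Review the log: denied attempts, missing justification, and unusually long sessions."""
    findings = []
    for e in store.log:
        stamp = e.when.isoformat(timespec="minutes")
        if not e.granted:
            findings.append(f"{stamp} DENIED {e.user} -> {e.record}")
        if not e.reason.strip():
            findings.append(f"{stamp} NO REASON {e.user} -> {e.record}")
        if e.duration_s > max_duration_s:
            findings.append(f"{stamp} LONG SESSION {e.user} -> {e.record} ({e.duration_s}s)")
    return findings


def run_demo() -> tuple[EmployeeRecordStore, list[str]]:
    """Constructed scenario: a payroll clerk moves to recruiting and later tries to open payroll again."""
    store = EmployeeRecordStore()
    store.grant("dana", "payroll", "ssn")
    t0 = datetime(2022, 4, 5, 9, 0)
    store.access("dana", "payroll", "March payroll run", t0, 600)                  # granted
    store.change_role("dana")                                                      # recruiting: no sensitive grants
    store.access("dana", "payroll", "", t0.replace(hour=14), 5)                    # denied, and no reason given
    store.grant("lee", "medical")
    store.access("lee", "medical", "leave-of-absence paperwork", t0.replace(hour=15), 7200)  # granted but long
    return store, audit(store)


if __name__ == "__main__":
    store, findings = run_demo()
    for entry in store.log:
        print(entry)
    print("\n".join(findings))
```

Running the script prints the three log entries followed by three audit findings: the denied attempt after the role change, the same attempt flagged for an empty reason, and a two-hour medical-records session that exceeds the constructed threshold. The point of `change_role` is that it never edits grants in place; it revokes everything and re-grants only what the new position needs, which is the "you can always give it back later" approach described above.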
If you find employees or even yourself slipping in your efforts to keep employee data safe and private, it may be time for a reminder. This could be as simple as an email to the entire workforce to remind them to update their passwords or check their access or it could be a weekly “tech tip” in a round-up email that talks about some internet safety tips.
What HR can do: Find a unique way to bring employee information safety to the forefront of every conversation.
If you are collecting information that you don’t really need, it is best to either stop collecting it or delete it once you no longer need it. There is a tendency to hang onto data in case we ever need it, but employees would rather give that data to you again than risk it getting out.
What HR can do: Audit all of the data you are collecting and see if it is really necessary. If it isn’t, cut it.
Often, when someone finds an issue with their employee data storage, they simply fix the problem and move on, hoping not to encounter it again. This isn’t good enough. If you learn that someone, somehow, accessed employee data or records without authorization, even if it was a mistake, you need to investigate it.
What HR can do: Ensure that you understand what you need to do if your private employee data gets released. You may be required to take certain steps and if you don’t, it could lead to even greater damage.
Most importantly, HR needs to model good behavior when it comes to personal data and privacy. Ensure that your employees have someone to look to when it comes to personal data and the way you handle it. If they see you breaking the rules, then they are more likely to break them.
What HR can do: Make staying safe online and at the workplace your priority. Treat everyone’s information with care and respect.
You have to trust that your tools are going to help you with your employees, not hurt your relationship with them or your reputation. For help with all of the things HR does, from small to massive, the Trakstar Platform is the best-in-breed solution for your HR needs. Schedule a demo today to see just how it will help you make the connections, automate the busy-work, and cut through the noise to make a positive impact on your workforce.