Human resources departments are filled with data: about applicants, candidates, employees, and alumni. This data includes addresses, health information, and Social Security numbers. HR holds assessment data and the results of drug, criminal, and credit background screening. It holds data about vendors, past, current, and future. HR has business account data tied to jobs, salaries, benefits, and so on. Some of this data is online, and some is good old-fashioned paper. These departments also face a mix of security challenges. While they manage confidential information about potential employees, internal staff, and external clients, a big part of their job is publishing policies and inter-office communications that are meant to be seen by everyone. In addition, human resources departments are responsible for sharing employees' private and personally identifiable information with external providers and agencies, including health plans, banks, and the IRS. Managing who can see what is a daunting task, and protecting against any potential threat requires a strategy flexible enough to destroy files automatically if needed, while also allowing secure sharing.
HR has always used data heavily. But it's time to take that to the next level. It's time for HR departments to adopt a marketing-like approach to their own data. Here are a few things to keep in mind. Confidentiality remains important. The words HR and confidentiality are regularly used in the same sentence, and there's nothing wrong with that. In fact, this is our chance to use our goal of keeping employee data confidential as the basis for renewing our policies and plans. HR needs to evaluate data risk. It is time for organizations to do an internal assessment of their risk where HR-related data is concerned. I'm sure there are plenty of companies that want to say, "That won't happen to us." But is that a risk the company wants to take?
Data should be classified into categories before policy controls are defined to meet specific access and permission conditions. For human resources, data can typically be divided into two tiers. Tier one includes PII, intellectual capital, executive compensation, board of director files, customer lists, and financial data. This requires the highest level of protection, including automatic encryption and assignment to the strictest security protocols. Access to tier-one data must be limited to specific users and groups that have a distinct need to access this information.
There should be a data breach policy. I know none of us wants to write this policy, just as we don't want to write storm plans or procedures for what to do if an executive does something unethical. But we have to. And once the plan is in place, we can breathe a sigh of relief that we have something. Hopefully, we never have to use it. Tier two information includes policy manuals, inter-office communication, and pre-release public files. These have a more lenient access policy because they need to be circulated and viewed throughout the company. This information can either be encrypted automatically with detailed security permissions that allow everyone inside the company access, or be manually selected by human resources to be secured.