By now, as consumers, we should be aware that our data is being shared pretty much all the time. Digital privacy is scarce. Whether you see vacation packages for Aruba and Bermuda popping up on your Facebook feed after you searched for “Best Island to Visit this Summer,” or you receive mail advertising paid radio service for the new car you just bought, every day our personal data is being sold, bought, exchanged, examined and exploited.

While most of us don’t care too much if the whole world knows what kind of vacation we want to take, what about data breaches that expose credit card information and social security numbers? It seems like every year there are several large companies and a slew of small ones that get hacked for sensitive information.

We are all targets as consumers, but also as employees who divulge our sensitive personal information to employers in good faith that they will take every precaution to keep that information safe. In today’s digital age, with all of us at risk, what is the role of HR in protecting employee data?

Sensitive Employee Data is in High-Demand

Your employees’ sensitive data is a valuable commodity to hackers. When your employees come to work for your organization, they have no choice about whether to hand over their social security number, full name, phone numbers and other sensitive data. With the estimated number of identity theft victims for 2019 at over ten million, it can be an HR department’s secure handling of data privacy that stands between employees and the thieves who want to steal their identities.

An Overview of Global Awareness of Data Privacy

If your organization has locations and employees in countries that must adhere to the European Union’s General Data Protection Regulation (GDPR), it is essential to understand and follow this regulation. Following in step, California has passed the California Consumer Privacy Act (CCPA), which took effect starting January 1, 2020 and grants employees more rights regarding access to their employee records and information about how it gets used.

The GDPR is responsible for penalties way into the millions being levied of on some of the largest companies in the world: Google, Marriott International and British Airways were all fined in 2019 for exposing their customers to risk for reasons ranging from failing to disclose data collection methods to users, to exposing personal customer information. One more mine to dodge for international organizations who must follow GDPR rules is that exporting data to countries outside those bound by GDPR regulation is prohibited unless those countries have data protection laws equal to those proscribed by the GDPR.

For a list of countries affected by the GDPR, visit this article at Defensorum.com. For more information about how US companies with European employees or locations, visit this Jackson Lewis article or this Dickinson Wright page. For more information about the CCPA, visit this Jackson Lewis article.

Developing Data Privacy Legislation is a Growing Trend

In the United States, the U.S. Federal Trade Commission (FTC) has the power to enforce data protection regulations and data privacy. There is, as yet, no federal data privacy law that can ensure compliance. Most legislation is at the state level, which is why several states have jumped on the bandwagon with California in creating their own regulations. Maryland, Nevada, Massachusetts, Rhode Island, New York, and Minnesota, are among others that either have or are working on developing data privacy legislation. With new challenges cropping up as the digital age progresses, it will be necessary for states to update their regulations as they become antiquated.

Be Aware of Hidden Sensitive Information

We all know that SSNs and bank account numbers are to be protected, but what about personal health information collected during wellness screenings the HR department set up to benefit employees? If your employees are routinely given drug screenings, that information should be protected. Background check information can also be considered sensitive, even if the information gleaned did not disqualify an individual from employment with your company. Any type of financial information, such as level of compensation, pay history, employer-sponsored retirement accounts or amount of personal or disability leave taken could be considered potentially hazardous for an employee if not kept secure. Areas of digital privacy such as email communication and internet searches and research can be of concern as well.

HR data privacy and security are made more complicated by the fact that some federal and state laws such as the Fair Labor Standards Act (FLSA) and the Family and Medical Leave Act (FMLA) require that information be retained by employers for specific amounts of time. These are precisely the types of changing regulations that inspire some organizations to outsource their payroll and record-keeping to companies that have the knowledge, experience and bandwidth to keep current on the rules and also the best methods of securely handling, storing and destroying sensitive data.

As an HR Manager, You Can Limit the Risk of Security Breaches                                        

As HR professionals, there are tried-and-true ways you can mitigate the risks of security breaches as much as possible to ensure your employees’ private information is protected:

• Collect only the information necessary from applicants and employees. Remove SSN and driver’s license information fields from job applications and only collect that sensitive data after an employee has accepted a job offer and it’s time to conduct a background check and complete tax forms.
• Choose a system of identifying employees by numbers other than SSNs.
• Keep documents with personal information locked up, and files that contain sensitive personal data should be stored according to the most up-to-date requirement for security and encryption.
• Keep up on regulations like the FLSA and FMLA that require certain documents be retained for specific amounts of time.
• Once it is time to destroy old records, be aware that you must follow approved methods for both physical and electronic data.
• Encourage and provide the means for employees to keep their personal identification, credit cards and other sensitive items in lockers or drawers that lock.
• Include a clear policy on HR data privacy, reducing the risk of identity theft and the procedure for how to report it in your employee handbook.

Ensure the Security of your Employee Data

From the moment an employee first applies for a job to the first paycheck they receive, their data passes through the hands of multiple people, software systems, benefits vendors and finally to the payroll system. Any chink in the armor of this data flow can expose the employee’s sensitive data. This type of risk to clients is why Wise Consulting offers Payroll Process Reviews as well as a full Managed Payroll solution. The Payroll Process Review not only streamlines your workflow but will identify weak points with data security and identifies risk due to inappropriate data sharing and lack of segregation of duties. If you have questions about data security, Payroll Process Reviews or the risk reduction of outsourcing your payroll function, contact a Wise consultant today.