Securing sensitive employee data – recommended HR policies and procedures
In the United States, there are three common documents that are prevalent throughout the hiring process, each containing sensitive information including name, physical address, email addresses and phone numbers:
- offer letters
HR documentation – best practice
Resumes should be submitted using an ATS (Applicant Tracking System) or a system that securely transmits the resume from the prospective employee to the employer. It is not recommended that the resume be downloaded or saved. If the resume is downloaded or saved, the personal information such as phone number, email address and physical address should be removed. If a resume is requested from a candidate to an individual corporate email address, the resume should be encrypted with a password and that password should be communicated by voice or text, not a follow up email. The collection of unsolicited resumes or a ‘catch-all’ email address is not recommended. It is important to remember that some states consider a resume to contain personal information and that the United States is a patchwork of privacy laws that make up regulations that differ by state.
Offer letters generally contain compensation information that may be considered confidential to the organization hiring and to the individual being hired. It is the decision of each data owner, in this case the HR facility, to determine if compensation information is considered confidential. If it is deemed confidential, the storage and transmission of offer letters should be handled with the utmost care by explicitly encrypting the document with a password and communicating that password via text message or voice call. Under no circumstances should a document’s password be communicated by email. Alternatively, the document may be sent via US mail or an overnight or courier service.
Passports (and other identifying documents)
Passports, as well as state IDs and drivers’ licenses, are frequently used as identifying documents in the United States. The United States I-9 Employment Eligibility Verification form states explicitly that “You must physically examine” the documents that are listed as “Acceptable Documents”. It does not state, nor is it recommended, that you keep the documents on file (this does not apply to firms participating in E Verify). If you choose to keep the document on file for a valid reason the document must be encrypted explicitly using a unique password for each document and the passwords should be stored securely. Both PDF (Adobe, Foxit, etc.) and Microsoft Word can natively encrypt documents. It is not sufficient to state that, “only HR has access to the data”, as this is a false statement. The data is accessible by many systems and individuals that have administrative credentials, and the data is further replicated to backup, email, and e-discovery systems. Far too many breaches involve the exposure of individual passports due to the release of HR data. Keeping passports on file because of a historical way of working is failing to store your employee’s data securely or confidentially. If your firm makes the decision not to store passports or other employee documents, it is sensible to communicate any changes to your employees in writing and destroy the data. If you choose not to store employees’ personal documents going forward, the rule must be applied across the board and you should not make exceptions for senior executives.
Finally, if you decide to keep a hard copy of the documents, please be aware that most photo-copy machines store a digital record on the hard drive and please ensure you always lock your filing cabinets.
If you would like to discuss this topic further, please reach out to one of our dedicated cyber security and data protection specialists.