Is There a Sure Fire Way to Restrict Access to Employee PII?

Data protection in Human ResourcesI recently wrote an article about protecting confidential data that flows through the HR department.  This is an area that many people forget when thinking about the most sensitive information in an organization.

Everyone thinks about the obvious, like maintaining information about current employees.  But there are many other pieces of sensitive data flowing through HR.

Resumes and personal information about potential employees come into the HR department as managers post job requisitions.  In today’s world, candidates require criminal background checks and drug tests that need to be kept confidential.  As a company hires people, references, existing health information, 401K data and salary details are maintained by Human Resources personnel and inside information systems they access.

The information on potential employees is just as sensitive as information on existing and former employees.  My company keeps my social security number so it can pay me.  It has my name, address, telephone number and bank account information.  It may have pension and retirement plan information.  It knows about my healthcare coverage and my health status.  It also has this information on those people that have left the company through retirement, layoffs or changing jobs.

That’s a lot of personally identifiable information (PII).  If my company was hacked or someone on the inside decided to steal some of that information, I and my colleagues could be the victims of privacy violations and fraud.  Given the sensitivity of this information, how can an organization restrict access to only those people that need to have it?

HR must categorize or classify the data by its sensitivity.  PII is of the highest value and should be limited to HR management and those in HR who need to use it for their jobs.  Once classified, that information should be encrypted and assigned a security policy that limits its access to those people, regardless of where the information exists.  If this information accidentally or deliberately got into the wrong hands, it would be inaccessible and useless.

Federal and state laws require that PII be retained for a certain amount of time once an employee leaves the company.  After that, the information should be destroyed automatically.  If it’s stored in an information repository, retention rules can delete it.  If it’s stored in files on file shares or locally, access can be revoked after an expiration date is hit,

In a role that requires protecting and sharing sensitive and valuable information, the human resources department has arguably one of the more challenging data-handling responsibilities. Encryption and permission control policies can help streamline these tasks after the data is classified.  This is the best way to restrict access to employee PII and ensure that the organization’s important data is secure.

Leave a Reply