As individuals, we are vigilant about protecting our data daily. However, when you are dealing with a new employer or employee, that caution often times goes out the window. Employees and HR departments need to be vigilant with the data they are sharing and receiving.
After the Edward Snowden leaks, the Pew Research Center conducted an in-depth exploration of people’s views and behaviours related to privacy. Here are the highlights from this research into the state of privacy in America for 2016:
- 65% said that it was “very important” to them to be able to control what information is collected about them.
- 47% feel confused and impatient when trying to make decisions about sharing their personal info with companies.
- 68% of internet users believe current laws are not good enough in protecting people’s privacy online.
- 80% of Americans now say they are using social media daily, 96% do not have a lot of trust social networks will protect their privacy.
Despite the complexity of the situation there are steps that, if taken, will contribute greatly to the protection of this invaluable data. Here are best practices for both employees and employers to ensure they have strong data security.
Employee
Coming into a new organization, you share many pieces of personal information with your employer if you want to get hired and receive a pay check. Then what? Do any of us ever ask what our employers are doing with this wealth of valuable data? What steps are they taking to ensure all this data is secure? Or when they contract an outside company – for example for learning and development – what measures are taken to safeguard sensitive employee data? Here are best practices you should follow when sharing confidential information with an employer.
- Email Protected Files: Don’t put confidential information in an email or as an attachment. If you can’t deliver the information to the employer in person or they don’t provide a secure site for submitting your confidential information and your only option is email, password protect the file then contact the employer separately with the password.
- Use Confidential Networks: If you have to share any confidential information electronically, either do it via a VPN (Virtual Private Network) or from a private secure network. Never share confidential information on an unsecured public network like your local coffee shop. Public locations are were data thieves hunt.
- Secure Sites: Make sure if you are connecting to a site to upload or input confidential information that the site is secure. Look for the “s” in https:// to ensure it’s safe.
Employer
How do employers protect their employee data? What does the law say? If our relationship status wasn’t complicated before, now image something actually happening to your employees’ data and you have to start to assess everything from the legal alphabet soup perspective. There’s the Health Insurance Portability and Accountability Act (HIPAA), the Electronic Communications Privacy Act (ECPA) and The Safe Harbour Privacy Principles to name a few. There could also be applicable state laws and sector laws to further complicate things, ultimately it becomes very complex depending on the breach and how it occurred. Your organization must be clear on what this risk may look like to the business and its reputation.
Some of these recommendations are commonplace for security experts, but here are some key important tips for HR stakeholders as they look to best protect their employees’ data.
- Security Policies: Work with your security team to build and understand your company’s incident response for each area impacted by privacy concerns including internet usage, social media, confidentiality, information security, and document retention/destruction to name a few. These policies should include that employee communications and files may be monitored for company data security purposes. This will ensure that when a company is breached, there are steps in place for swift action to be taken. “If” no longer exists – it’s a fact that enterprises are most susceptible. Making sure enterprises are successfully prepared is crucial when sensitive HR information is at stake. As an HR professional, you can quickly and accurately communicate changes to employees.
- Encrypt Data: When there is confidential information being shared, make sure sensitive employee or customer information is encrypted. Employees should also be provided with a secure site (https) in which to provide and maintain sensitive confidential information. Proactively work with your security team to understand correct protocol.
- Limit Access to the Information: Within the HR department, sensitive data should be restricted to only those individuals with a true need to know. Sensitive information should be regularly evaluated on the impact to the company, its employees, or customers and how the risks could be reduced. You should regularly create a procedure to discontinue use/storage of old, outdated sensitive information.
Data privacy, like so many of our relationships is complicated and not always in our control. As an employee, the important factor to consider is what and how you share your confidential information. You must be as vigilant with your employer as you are when providing any confidential information online.
As an employer, be proactive in establishing effective and clear data protection policies and procedures and understand the laws and regulations that are relevant to your business. As Stephen R. Covey said “Always treat your employees exactly as you want them to treat your best customers.” Creating peace of mind with your employees that their sensitive data is just as safe as your customers’ data is a step in developing a less complicated relationship.