Protecting employee data

News: June 2011

Access to employee records should be restricted. Managers should only be given access to job-related information, such as attendance records and employee performance reviews.

Medical records or other sensitive information should only be accessible to the HR Manager. A log should be kept recording which details were accessed, when, and by whom. If the employee records are stored electronically, the relevant files and folders should be password protected.

Regular audits should be carried out in order to ensure that the paper and electronic logs are kept up to date. In instances where an individual accesses employee records without proper authorisation, whether intentionally or unintentionally, the incident should be reported and investigated promptly.

Following the investigation, a determination should be made as to whether improvements are needed and whether disciplinary action is appropriate. Employees should be directed to inform the company as soon as possible if they suspect someone has gained unauthorised access to their information.
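As an added illustration (not code from the original article), the access rules and access log described above can be modelled in a few lines: a policy table encoding which record categories each role may read, a record store that logs who read which details and when before applying the check, and an audit routine that flags log entries outside policy. The role and category names are assumptions, as is the choice to let the HR Manager also read the job-related categories.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy table based on the article: managers see only
# job-related details; medical and other sensitive details are HR Manager
# only. Assumption: the HR Manager may also read the job-related categories.
POLICY = {
    "manager": {"attendance", "performance_review"},
    "hr_manager": {"attendance", "performance_review", "medical"},
}


@dataclass(frozen=True)
class AccessEntry:
    when: datetime      # when the details were accessed
    who: str            # user id of the person accessing the record
    role: str           # role that person held at the time
    employee_id: str    # whose record was accessed
    category: str       # which details were accessed


class EmployeeRecordStore:
    """Mediates every read of employee records and keeps an append-only log."""

    def __init__(self, records):
        self._records = records          # {employee_id: {category: value}}
        self.log: list[AccessEntry] = []

    def read(self, who, role, employee_id, category, now=None):
        # Log first, then check: attempts outside policy are recorded too,
        # so the audit can surface them as incidents to report and investigate.
        when = now or datetime.now(timezone.utc)
        self.log.append(AccessEntry(when, who, role, employee_id, category))
        if category not in POLICY.get(role, set()):
            raise PermissionError(f"role {role!r} may not read {category!r}")
        return self._records[employee_id][category]


def audit(log):
    """Return the log entries that fall outside the access policy."""
    return [e for e in log if e.category not in POLICY.get(e.role, set())]


def demo():
    # Constructed sample data: one employee record with two categories.
    store = EmployeeRecordStore({"e1": {"attendance": "98%", "medical": "redacted"}})
    store.read("alice", "manager", "e1", "attendance")        # permitted
    try:
        store.read("alice", "manager", "e1", "medical")       # refused, but logged
    except PermissionError:
        pass
    store.read("bob", "hr_manager", "e1", "medical")          # permitted
    return audit(store.log)
```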

Security – Administrative, technical, and physical controls should be implemented to properly secure employee records. Records in electronic form should be encrypted, protected by passwords (which should be changed frequently), and maintained on a secure server.

Electronic systems should be evaluated regularly to ensure new technology and viruses do not compromise the security of employee records. Records in paper form should be stored in a locked central location, with access limited to one individual who is chiefly responsible for maintaining the files. Identity theft is becoming an issue in modern times and as such PPS / Social Security / National Insurance numbers should never be printed.

Provide proper training – Employees and supervisors should be trained on the company’s privacy and record protection policies. In addition, employees who have access to sensitive information should be trained on how to prevent unauthorised access to confidential information, how to respond to security breaches, and how to properly dispose of employee records.

Employers have an obligation to ensure all employee records are disposed of properly so that they cannot be read or reconstructed. A proper cross-cut shredder is a good way of ensuring that any such records are disposed of in a confidential manner.