Human resources departments are filled with data. About applicants, candidates, employees, and alumni. This data includes addresses, health information, and social security numbers. HR has assessment data and information from drug/criminal/credit background screening. They have data about vendors – past, current, and future. HR has business intelligence data related to jobs, salaries, benefits, etc. Some of this data is online and some is good old-fashioned paper.
Over the past few years, organizations have put measures in place to deal with customer data, specifically in terms of how to secure data and what actions should happen if (perish the thought) the data is compromised.
I believe HR has always taken data seriously. But it’s time for us to take that to the next level. It’s time for HR departments to develop a marketing-like approach toward their own data. Here are a few things to keep in mind.
Confidentiality remains important. The words HR and confidentiality are constantly used in the same sentence. And there’s nothing wrong with that. In fact, this is our opportunity to use our goal of keeping employee data confidential as the basis for updating our policies and procedures.
HR needs to assess data risk. Time for organizations to do an internal assessment of their risk where HR-related data is concerned. I’m sure there are plenty of companies that want to say, “That won’t happen to us.” But is that a risk the company wants to take?
There should be a data breach policy. I know none of us want to write this policy. Just like we don’t want to write the hurricane procedures, or the what to do if an executive does something unethical procedures. But we have to. And once the procedure is in place, we can breathe a sigh of relief that we have something. Hopefully, we never have to use it.
Ask vendors to create and share their policies. This conversation doesn’t just apply to in-house human resource departments. Companies that provide HR products and services also need to think about data security and protocols. It’s time to address these conversations on the front-end. Make it a part of the initial pitch, “We respect your employee’s data. And this is what we’re doing to keep it secure.”
Put a plan in place for missing files. At minimum, organizations should have a procedure in place for missing employee files. I’ll be honest, in my past corporate roles, I don’t remember having a policy in place. But I also didn’t work someplace where we moved around a lot. Today, workplaces are more mobile, which means files are more mobile. This could make the chances of a file – or a piece of data – going missing a bit more likely.
It’s about more than employee files. Transparency is more than a catchy buzz-phrase. Candidates understand that transparency can help them get the job. Freelancers understand that being transparent can set them apart from the crowd. And vendors understand that transparency can get them the contract. HR departments need to be sensitive to employee data, but also to non-employee data.
Proactively communicate your policy. Finally, once the company has a plan in place, let people know. From a marketing perspective, the company tells customers how their data is being protected. Talk with your legal counsel about proactively sharing how applicant and employee data is being protected. Is there something the company should tell employees as part of the offboarding process?
It’s possible that HR can take some of their cues from the marketing and accounting departments when it comes to data policies and security. That’s a good thing. The important part is recognizing that HR data is sensitive and deserves the same type of security provisions that the rest of the company’s data receives.17