Although we think it should go without saying, we are going to say it anyway:
Do not use your shredded confidential records as confetti at your next company party!
Why exactly do we feel the need to share this seemingly obvious piece of advice? Well, someone at the Nassau County Police Department didn’t get the message.
Here’s what happened:
Spectators at the Macy’s Thanksgiving Day parade got a little more than they bargained for when they looked up into the confetti-filled sky. Along with the standard multi-colored confetti, shredded Long Island police records rained down on them.
It turns out a Nassau County Police Department employee tossed the confidential confetti during the parade.
Unfortunately, the records were not shredded completely, leaving confidential information still visible. There were phone numbers, addresses, Social Security numbers, license plate numbers, incident reports and personal information revealing undercover officers. Also among the easily identifiable records from the Police Department were what appeared to be details of Mitt Romney’s motorcade route to and from the final presidential debate at Hofstra University.
The confetti collected by spectators near 65th Street and Central Park West was given back to police for investigation.
Inspector Kenneth Lack said the Nassau County Police Department is very concerned about the situation and they will be conducting an investigation into this matter as well as reviewing their procedures for the disposing of sensitive documents.
It’s hard to believe that something like that would actual happen!
After hearing this story, we thought it would be a good time to review Employee Record Retention and Destruction Procedures.
A Lesson in Employee Record Retention: Keeping It Confidential
Data security, records privacy, and identity theft should be on every HR professional’s radar. The Privacy Rights Clearinghouse reports that half a billion records containing personal identifying information have been exposed since 2005. (PRC is nonprofit consumer education and advocacy project whose purpose is to advocate for consumers’ privacy rights in public policy proceedings.)
The data breaches were the result of incidents such as computer drives being stolen or lost, emails and regular mail sent mistakenly that contained personal information, and sophisticated and not-so-sophisticated computer hacker attacks (not to mention confidential parade confetti!). These events exposed Social Security numbers, credit card numbers, bank account information, drivers’ license numbers, and other personal information that could be used to steal a person’s identity.
When data breaches or identity theft occur as a result of unauthorized access to employment records, it hurts employee productivity, morale, and good will. In addition, you may face a negligence lawsuit. In some state laws, you can be found legally responsible if you did not properly secure and dispose of the information.
Therefore, as the custodian of personal identifying information about your employees, you must guard against its unauthorized access and misuse in order both to protect workers from identity theft and your organization from liability.
So what can you do?
You can take several steps to safeguard paper and computer records to protect sensitive information in workplace files from improper access and use. These steps should include: limiting access to employee files, physically locking up files, installing and updating firewalls on computers, limiting use of social security numbers to identify employees, and properly destroying employment files once they are not needed.
In addition, you should perform background checks for all employees who will have access to sensitive personal information and then train them about their data security obligations.
Hopefully, you know not to use your company’s shredded confidential records as confetti. But do you know exactly what records you need to keep and for how long?
Employee record destruction can be tricky. It can be hard to remember exactly how long to keep payroll records (3 years) or Affirmative Action plans (2 years). What about if the employee is terminated? Do you know how long to keep those records? And what about COBRA documents? Do you keep those things forever?
If you aren’t exactly clear on the topic of record retention and destruction, maybe it is time for a refresher course.
The Human Resources Department must retain and destroy personnel records in accordance with corporate polices on Business Records Retention as well as federal and state laws governing records retention.
Remember: Personnel records include electronic as well as paper copies.
As we wrap up 2012, now is a perfect time to get rid of some of that employee records clutter you’ve let piled up. But before you pull out the shredder, you should be clear on exactly what records you need to keep and for exactly how long.
Download our Complimentary Summary of Record Retention Requirements Whitepaper and Handout here.
You can print this out and hang it up in your office so that you can reference it any time you need a refresher on this topic. But we do ask one thing—don’t use it to make confetti!