Today we’re going to talk about The Do’s and Don’ts of Record Keeping: how to keep it confidential, clean out the clutter and hopefully simplify what can be a very difficult process. We’ll go over what you need to keep and where you need to keep it.
Watch The Exclusive Video Presented by Paula Agee
or Read the Blog Below
Do Data Breaches Really Happen?
There’s a lot in the papers, in the news and the HR resource world that you see about documentation and record keeping and everything that you need to do. There is a lot to do and it is very, very important that you do it. But we’re going to break it down for you today so that you can stay compliant.
The Facts on Data Breaches
Data security, records privacy, and identity theft should be on every HR professional’s radar. The Privacy Rights Clearinghouse reports that half a billion records containing personal identifying information have been exposed since 2005. (PRC is a nonprofit consumer education and advocacy project whose purpose is to advocate for consumers’ privacy rights in public policy proceedings.)
Almost every week you read in the papers or on the Internet about someone’s information being breached. It could be a database somewhere with your personal information that was exposed to some hacker giving them your social security number or banking information. You certainly don’t want this to happen to you or your employees.
So how can you safeguard your information and the information of your employees? Data breaches are the result of incidents such as computer drives being stolen or lost, emails and regular mail sent mistakenly that contained personal information, and sophisticated and not-so-sophisticated computer hacker attacks. These events exposed Social Security numbers, credit card numbers, bank account information, drivers’ license numbers, and other personal information that could be used to steal a person’s identity.
The Effects of a Data Breach on an Organization
What happens when there is a data breach in your organization?
Well, even if your organization isn’t large enough that a data breach is going to affect you globally, and it only affects your employees, it can be detrimental. When employees find out the information they gave you has gone beyond the HR office, it can damage employee productivity, morale and goodwill.
In addition, you may face a negligence lawsuit. If your employees find out that their information has gone beyond HR and they feel that any employment decision may have been made based on that, there are lawsuits that can be brought up based on civil suits, the Civil Rights Act, or the Genetic Information Nondiscrimination Act.
So you certainly want to make sure that this information remains confidential and does not go beyond the limits of where it needs to go. Under some state laws, you can be found legally responsible if you did not properly secure and dispose of the information. Therefore, as the custodian of personal identifying information about your employees, you must guard against its unauthorized access and misuse in order to protect both workers from identity theft and your organization from liability.
So How Do You Keep It All Confidential?
You can take several steps to safeguard paper and computer records to protect sensitive information in workplace files from improper access and use. These steps should include:
- Limiting access to employee files. Only those who absolutely need access to that information should have it. So HR and upper level management are the only people who need to have access. When it comes to management, they only need access to what their role requires. They do not need access to any benefits information or confidential information. Only HR and those responsible for benefits should have access to that confidential employee information. This is why we highly recommend that you separate your files out so that benefits are kept entirely separate. Managers only need information in regards to the employee’s management history.
- Physically locking up files. Having them in a locked file cabinet is great, but if that file cabinet is left open and accessible to anyone who comes by, then it doesn’t matter if it is in a cabinet or not. You need to make sure those cabinets remain locked.
- Installing and updating firewalls on computers. Email and information sent via email are easily accessed if you do not have current and accurate firewall systems.
- Limiting use of social security numbers to identify employees. Once upon a time we used social security numbers to identify employees on everything. But not anymore. You should only put social security numbers on forms in which they are required by the government and the forms used once for payroll. If you use an employee identification number, you need to make sure it is completely different than their social security number.
- Properly destroying employment files once they are not needed. In a few minutes, we’ll talk about the record retention policies you need to develop. Once employment files are no longer necessary, you do not need to keep them around.
- Performing background checks for all employees who will have access to sensitive personal information and then training them about their data security obligations. Background checks are necessary to show that you’re hiring the right personnel who will be responsible for all of this information. Once you have these personnel in place, you need to make sure they fully understand all of their responsibilities when it comes to this data. They should know what they need to do and what they should not do regarding this information.
A Lesson In Employee Record Destruction
Do you know exactly what records you need to keep and for how long?
When you’re setting up personnel files and your employee record retention information, you need to know what you need to keep and for how long.
Employee record destruction can be tricky. It can be hard to remember exactly how long to keep payroll records (3 years) or Affirmative Action plans (2 years). What about if the employee is terminated? Do you know how long to keep those records? And what about COBRA documents? Do you keep those things forever? If you aren’t exactly clear on the topic of record retention and destruction, maybe it is time for a refresher course.
The Human Resources Department must retain and destroy personnel records in accordance with corporate policies on Business Records Retention as well as federal and state laws governing records retention.
Remember: Personnel records include electronic as well as paper copies.
Tips For Cleaning Out The Clutter
As we wrap up 2013, now is a perfect time to get rid of some of that employee records clutter you’ve let pile up. But before you pull out the shredder, you should be clear on exactly what records you need to keep and for exactly how long.
You can print this out and hang it up in your office so that you can reference it any time you need a refresher on this topic. You will also want to go through your own policies to see at what point you destroy records and how you separate them.
If you have any additional questions, we encourage you to contact us.