What Information Should Stay Private
While all of your records should be kept secure and private, certain forms contain highly sensitive employee information that should be treated differently to ensure strict confidentiality.
Only a few federal requirements dictate how private employers handle employees’ personal information, and most of them concern medical information, where two laws matter. The Americans with Disabilities Act (ADA) requires covered employers to keep any medical information they obtain about applicants or employees (for example from a medical exam or a disability-related inquiry) confidential and in files kept separate from the ordinary personnel file; this applies whether or not the individual has a disability. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs group health plans rather than employers as such, so a company that sponsors a health plan must keep the protected health information it receives from the plan apart from employment records and limit who can see it.
As for other sensitive information – like Social Security numbers, home addresses or bank account information from payroll records – many states have laws on protecting personal information and on notifying people after a breach, so, as always, make sure you’re following your state’s requirements. Even where no state law applies, you should protect employee privacy by restricting access to this information to the people who need it for their job and keeping it in locked storage.
Keep Employee Data Secure
As an employer, there are a few steps you can take to ensure your employees’ information stays private.
First, include a written policy in your employee handbook that outlines how your business protects employee information, both in paper and electronic formats. This way, employees are aware of the measures you’re taking to protect their data.
You can keep paper files secure by using confidential folders and storing this information in locked rooms or cabinets. By limiting access, you’ll know who comes in contact with files and when. Whenever you allow employees or other individuals access to these records, keep a log of who viewed the information, when it was seen, and the reason for sharing it.
Securing Electronic Records
Your business should work to create an electronic data security policy. This policy should include:
- Where the information is located: Where will your electronic data be stored, on company hardware or in the cloud? Cloud storage is neither inherently safer nor inherently riskier than an onsite server. What matters is who controls the encryption keys, who can log in, and whether the system is patched, backed up and monitored; an onsite server that nobody maintains is a worse home for ultra-sensitive records than a well-configured cloud service, and the reverse is also true.
- How this information is protected: Encryption should be standard practice, both in transit and at rest. If employee records are stored in the cloud, prefer a service that lets you hold the encryption keys yourself (client-side or customer-managed encryption), so that the provider’s staff, and anyone who compromises the provider, cannot read the files.
- Who has access to it: The access-control policy should state not only who may read employee records but also which parts of a record each role needs, how access is requested and when it is allowed. At a minimum, require authentication with a second factor for anyone who can reach these records, and keep an electronic access log recording who opened which record, when and why; store that log where the people being audited cannot edit it.
Work with your company's legal department or appointed counsel when discussing policy creation, amendment or implementation.
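The access-control and logging points above can be put into working code. The following is an added example written for this page, not code from the original article or any product it mentions: the roles, the field names, the `PERMISSIONS` matrix, the `AccessLog` class, `read_field` and the fixed 32-byte log key are all constructed for illustration. It enforces a least-privilege matrix per role, logs every attempt (including denials and requests with no stated reason), and chains each log entry to the previous one with an HMAC so that an edited or deleted entry is detectable by anyone holding the key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed least-privilege matrix (hypothetical roles and fields): each role sees
# only the record fields its job needs. Medical data sits in its own bucket so it can
# be kept apart from ordinary personnel records, as the ADA requires.
PERMISSIONS = {
    "payroll":  {"ssn", "bank_account", "salary"},
    "hr":       {"ssn", "address", "salary"},
    "manager":  {"address"},
    "benefits": {"medical"},
}


class AccessLog:
    """Append-only access log. Each entry carries an HMAC over its own fields plus the
    previous entry's MAC, so editing or deleting an earlier entry breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key          # keep this key away from the people being audited
        self.entries: List[Dict] = []

    def _mac(self, body: Dict, prev_mac: str) -> str:
        payload = json.dumps(body, sort_keys=True).encode() + prev_mac.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, **fields) -> Dict:
        prev_mac = self.entries[-1]["mac"] if self.entries else ""
        body = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
        entry = {**body, "mac": self._mac(body, prev_mac)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev_mac = ""
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(body, prev_mac), entry["mac"]):
                return False, i
            prev_mac = entry["mac"]
        return True, None


def read_field(records: Dict, log: AccessLog, user: str, role: str,
               employee_id: str, field: str, reason: str) -> str:
    """Release one field of one employee record, logging who, what, when and why.
    Every attempt is logged, including denials; a missing reason is itself a denial."""
    allowed = bool(reason.strip()) and field in PERMISSIONS.get(role, set())
    log.append(user=user, role=role, employee=employee_id, field=field,
               reason=reason, allowed=allowed)
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not read {field} of {employee_id}")
    return records[employee_id][field]


def demo() -> Dict:
    """Run the flow on a constructed record and return the observable results."""
    records = {"E-100": {"ssn": "000-00-0000", "address": "1 Main St", "salary": "1",
                         "bank_account": "123", "medical": "n/a"}}   # constructed sample
    log = AccessLog(key=b"\x01" * 32)   # constructed key; use a random 32-byte secret in practice
    ssn = read_field(records, log, "ana", "payroll", "E-100", "ssn", "quarterly tax filing")
    try:
        read_field(records, log, "bob", "manager", "E-100", "ssn", "curious")
        manager_denied = False
    except PermissionError:
        manager_denied = True
    chain_ok = log.verify()
    # Simulate an insider editing the log after the fact: the chain catches it.
    log.entries[0]["user"] = "mallory"
    tampered = log.verify()
    return {"ssn_read": ssn, "manager_denied": manager_denied,
            "entries": len(log.entries), "chain_ok": chain_ok, "tampered": tampered}
```

The chain only proves tampering to someone who holds the HMAC key, so the key must live outside the reach of the administrators whose actions the log records; in practice that means forwarding entries to a separate log server or a write-once store rather than keeping them in a list in the same process.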
Destroying Sensitive Information
Once it’s time to dispose of employee information, it’s not as simple as tossing the paperwork in the trash or hitting the Delete button. Since this information is confidential, you need to ensure that it’s safely destroyed.
There are numerous ways to securely destroy paper files. You can use locked collection bins and hire a secure shredding service that issues a certificate of destruction. If you would rather shred the documents yourself, use only a cross-cut or micro-cut shredder, which cut paper into far smaller pieces than a strip-cut shredder, whose strips can be reassembled. Burning paperwork, where it is permitted, is another effective way to destroy it.
Digital files are harder to get rid of. Deleting a file only removes its directory entry; the data stays on the disk until something overwrites it. When you retire a whole computer or drive, wipe it with full-disk overwriting software or the drive’s built-in secure-erase command, then destroy it physically. A hammer or drill through the platters of a magnetic hard drive does the job, but a solid-state drive keeps its data in flash chips that survive a hole through the board, so SSDs should be crushed or shredded down to the chips, and degaussing does nothing to them. To delete just a file or two, use overwriting software, with a caveat: on SSDs, on copy-on-write or journaling file systems, and in folders synced to the cloud or to backups, an older copy may remain elsewhere even after the file has been overwritten. The reliable answer for sensitive data is to keep the drive encrypted from day one and destroy the key when the data is retired (so-called crypto-erase).
If you’re storing your files in cloud-based software or storage sites, deleting a file is easy, but it is rarely final on its own: most services keep deleted files in a trash folder, retain prior versions, and hold backups for a retention period of their own. Empty the trash, remove old versions where the service allows it, and read the provider’s retention policy so you know how long copies persist. For the most sensitive records, encrypting files before upload with a key you control means that once you destroy the key, any lingering copies are unreadable.
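The overwrite-then-delete technique referred to above, as an added example for this page (not code from the original article or from any wiping tool): `overwrite_in_place`, `secure_delete`, the number of passes and the sample payroll file are all constructed for illustration. The function reopens the file without truncation so the same on-disk blocks are rewritten, forces each pass to the device with `fsync`, finishes with a zero pass, and then renames the file to a random name before unlinking it so the directory entry no longer reveals what it was. The caveat from the text still applies: on SSDs, copy-on-write file systems, snapshots and cloud-synced folders the old blocks may survive this, which is why full-disk encryption plus key destruction is the dependable option.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` with `passes` random passes and a final zero pass,
    syncing each pass to disk. Returns the total number of bytes written.
    The file is opened without O_TRUNC so the same on-disk blocks are reused."""
    size = os.path.getsize(path)
    written = 0
    fd = os.open(path, os.O_WRONLY)
    try:
        for pass_no in range(passes + 1):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                # the last pass zeroes the file so a raw look at the blocks shows nothing
                data = bytes(chunk) if pass_no == passes else secrets.token_bytes(chunk)
                n = os.write(fd, data)          # may write fewer bytes than asked
                remaining -= n
                written += n
            os.fsync(fd)                        # force this pass onto the device
    finally:
        os.close(fd)
    return written


def secure_delete(path: str, passes: int = 2) -> bool:
    """Overwrite, truncate, rename to a random name (so the directory entry no longer
    reveals the original filename) and unlink. Returns True when the file is gone."""
    overwrite_in_place(path, passes)
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC)
    os.fsync(fd)
    os.close(fd)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return not os.path.exists(path)


def demo() -> dict:
    """Create a constructed payroll extract in a temp dir, wipe it, and report what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "payroll-extract.csv")
    with open(path, "wb") as f:   # constructed sample data, not real records
        f.write(b"employee,ssn,account\nE-100,000-00-0000,123456789\n" * 500)
    size = os.path.getsize(path)
    written = overwrite_in_place(path, passes=1)    # 1 random pass + 1 zero pass
    with open(path, "rb") as f:
        zeroed = f.read() == bytes(size)
    deleted = secure_delete(path)
    os.rmdir(workdir)
    return {"size": size, "written": written, "zeroed": zeroed, "deleted": deleted}
```

Running `demo()` shows two full passes over the 24,500-byte file, a file that reads back as all zeros, and no file left afterwards. A real wiping tool adds what is deliberately left out here: handling of file slack and metadata, a check that the target is a regular file on a file system where in-place overwrites actually reach the old blocks, and a refusal to run on SSDs where it only wears the device.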