Maintaining the security and privacy of sensitive HR data is crucial. While this idea seems obvious, the availability of new technologies and the increasing number of cybersecurity risks threaten employee data in new ways, meaning HR professionals have to continually educate themselves about these risks. Whether starting from scratch in converting HR records to electronic files or revamping a current electronic system, HR professionals need to be involved in their organization's data security process.
Dan Nelson, Esq., was a speaker at BLR's recent HR Comply 2019 conference in Nashville. He's a partner at Armstrong Teasdale LLP in Denver and co-founder and chief operating officer of Digital Silence Ltd., a Denver‐based cybersecurity company. Nelson said HR should begin the process of establishing an electronic data system with data mapping: defining the what, who, where, how and why of the company's data. "Data is like cockroaches," he said. "There is data hiding everywhere in your organization."
What Is Data Mapping?
Data mapping can be a time-consuming exercise, but it helps an employer select the best platform for electronic records, improve security, facilitate compliance, identify unnecessary information and define needed policy improvements. Nelson provided the following steps for the data-mapping process:
Step 1. What
Create a data inventory of every type of employee record, including the record type (e.g., applications, background checks) and the data fields within those record types (e.g., names, Social Security numbers, birth dates).
Step 2. Who
Link the identified data records to the responsible parties within the company. For example, the HR manager receives the benefit enrollment forms and scans the documents into the system. Ideally, this step includes a narrative and documentation of the process, including any rationale.
Step 3. Where
Document how each type of record is processed:
- How does the record get into the system?
- Where is the record stored, and where is the server housed?
- Where is the record viewed or used?
- How does the record get from place to place (LAN, WAN, Internet)?
- Is there any external party access?
- With what applications does the record interact? Does any other software query this data?
- How does record disposal occur?
Step 4. How
Document how the data field or record type is regulated:
- Are there any special security requirements?
- Are there special access requirements?
- What are the retention requirements?
Step 5. Why
Explore why you are keeping and collecting the records and who has the authority to access them:
- Do you collect and process only the data you need?
- Do only those with a need to know have access?
Nelson recommends that access to data records be defined by job description and restricted as needed. An individual might need access to the name and hire date of an employee, for example, but not to the employee's Social Security number.
Phyllis Shaurette, HR manager at Paragon Vision Science, a medical device manufacturer in Gilbert, Ariz., is in the process of converting HR files to electronic records for 130 employees, and she plans to set levels of access to records based on a legitimate need to know. "The hiring manager does not need to see the self-identification record of [an employee's] disability," she said.
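The field-level, need-to-know access that Nelson and Shaurette describe, written out as a small policy check. This is an added example, not code from the article or from any HR system, vendor or speaker it mentions; the role names, field names and the sample record are assumptions made for illustration. The inventory doubles as the written output of the "what" and "why" data-mapping steps: each field lists the roles with a documented reason to see it, and anything not listed is denied by default.

```python
"""Field-level least-privilege access to employee records.

Added example, not code from the article or any product it names.
Role names, field names and the sample record are constructed.
"""

# Constructed data inventory: record type -> field -> roles with a
# documented need to know. Absence from this table means "no access".
FIELD_ACCESS = {
    "employee_profile": {
        "name": {"hr_manager", "hiring_manager", "payroll"},
        "hire_date": {"hr_manager", "hiring_manager", "payroll"},
        "ssn": {"hr_manager", "payroll"},
        "birth_date": {"hr_manager", "payroll"},
        # The hiring manager has no business need to see this field.
        "disability_self_id": {"hr_manager"},
    },
}


class AccessDenied(PermissionError):
    """Raised when a role reads a field it is not entitled to."""


def can_read(record_type, role, field_name):
    """Deny by default: unknown record types, roles or fields all yield False."""
    return role in FIELD_ACCESS.get(record_type, {}).get(field_name, set())


def view_record(record_type, record, role):
    """Return only the fields of `record` that `role` may see.

    A role with no entitlements gets an empty dict, never the whole record.
    """
    return {
        name: value
        for name, value in record.items()
        if can_read(record_type, role, name)
    }


def read_field(record_type, record, role, field_name):
    """Read one field or raise; raising keeps silent failures out of callers."""
    if not can_read(record_type, role, field_name):
        raise AccessDenied(f"{role} may not read {record_type}.{field_name}")
    return record[field_name]


def unreviewed_fields(record_type, record):
    """Fields stored in a record but missing from the inventory: data that is
    being kept without a documented owner or need-to-know decision."""
    return sorted(set(record) - set(FIELD_ACCESS.get(record_type, {})))


# Constructed sample record; the home_address field is deliberately
# absent from the inventory so unreviewed_fields() has something to report.
SAMPLE = {
    "name": "A. Example",
    "hire_date": "2019-03-04",
    "ssn": "000-00-0000",
    "birth_date": "1980-01-01",
    "disability_self_id": "declined to answer",
    "home_address": "1 Example St",
}

if __name__ == "__main__":
    print("hiring_manager sees:", view_record("employee_profile", SAMPLE, "hiring_manager"))
    print("payroll sees:", view_record("employee_profile", SAMPLE, "payroll"))
    print("fields with no inventory entry:", unreviewed_fields("employee_profile", SAMPLE))
```

The `unreviewed_fields` check is the part worth running regularly: when a new field appears in the records store that nobody added to the inventory, the data map is out of date and the "why" question has not been answered for it.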
Keeping Records Secure
Once the employer has mapped all its HR records and data, an electronic records solution can be selected. Options for housing electronic records include an on-premises server that the company owns and manages; an offsite private cloud that the employer owns; or a public cloud owned and maintained by an external party. To ensure the solution actually meets HR's requirements, HR should be involved in negotiating contracts and service-level agreements with vendors, including participating in vendor demonstrations and testing.
When selecting an electronic records solution, Nelson recommends the following:
- Confidentiality. Keep it private. What is the solution doing to protect the confidentiality of the data?
- Integrity. Keep it real. What is the solution doing to prevent unauthorized modification, and how does it check for mistakes and abuse?
- Availability. Keep it accessible. How is the solution allowing quick access to the data when needed, and in the event of a ransomware attack, how quickly is backup data available?
Nelson further explained that "good security" has four types of controls:
- Preventive, to keep out unauthorized users with passwords and multi-factor authentication.
- Detective, to find unauthorized users once they get in with intrusion detection systems and logging and review practices.
- Containment, to keep the problem small: network segmentation limits how far an intruder can move through the network if one system is compromised.
- Remedial, to stop the damage by having a strong incident response plan and efficient backup procedures.
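The "logging and review" half of the detective control above, as an added example that is not code from the article or from any product it names: a review script that parses a constructed access log from an HR records system and flags the patterns a reviewer would want to see first. The log format, the thresholds and the sample lines are assumptions; a real system's log layout will differ, but the three checks (repeated denials, bulk reads of sensitive fields, sensitive reads outside business hours) carry over.

```python
"""Review an HR-system access log for signs of misuse.

Added example, not code from the article or any product it names.
Assumed log line format (one access per line, all fields constructed):
    <ISO timestamp> <user> <role> <action> <record_id> <field> <ALLOW|DENY>
"""
from collections import defaultdict
from datetime import datetime, time

SENSITIVE_FIELDS = {"ssn", "birth_date", "disability_self_id"}
DENY_THRESHOLD = 3      # repeated denials from one user look like probing
BULK_THRESHOLD = 5      # distinct employees' sensitive data read by one user
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working hours


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, role, action, record_id, field_name, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user, "role": role, "action": action,
        "record_id": record_id, "field": field_name, "result": result,
    }


def review(lines):
    """Return a sorted list of (user, reason) findings from an iterable of log lines."""
    denies = defaultdict(int)            # user -> number of DENY results
    sensitive_reads = defaultdict(set)   # user -> record ids whose sensitive fields were read
    after_hours = set()                  # users who read sensitive fields outside hours
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "DENY":
            denies[ev["user"]] += 1
        elif ev["action"] == "read" and ev["field"] in SENSITIVE_FIELDS:
            sensitive_reads[ev["user"]].add(ev["record_id"])
            if not (BUSINESS_HOURS[0] <= ev["ts"].time() < BUSINESS_HOURS[1]):
                after_hours.add(ev["user"])
    findings = []
    for user, n in denies.items():
        if n >= DENY_THRESHOLD:
            findings.append((user, f"{n} denied accesses (possible probing)"))
    for user, ids in sensitive_reads.items():
        if len(ids) >= BULK_THRESHOLD:
            findings.append((user, f"sensitive fields read for {len(ids)} employees (possible bulk export)"))
    for user in after_hours:
        findings.append((user, "sensitive field read outside business hours"))
    return sorted(findings)


# Constructed sample log: one normal HR read, a hiring manager repeatedly
# hitting fields outside their role, and a service account pulling SSNs
# for five employees at 23:41.
SAMPLE_LOG = """\
2019-11-14T09:02:11 hruser1 hr_manager read E1001 ssn ALLOW
2019-11-14T09:05:40 jdoe hiring_manager read E1001 name ALLOW
2019-11-14T09:06:02 jdoe hiring_manager read E1001 disability_self_id DENY
2019-11-14T09:06:15 jdoe hiring_manager read E1002 disability_self_id DENY
2019-11-14T09:06:31 jdoe hiring_manager read E1003 ssn DENY
2019-11-14T23:41:05 svc_backup payroll read E1001 ssn ALLOW
2019-11-14T23:41:06 svc_backup payroll read E1002 ssn ALLOW
2019-11-14T23:41:07 svc_backup payroll read E1003 ssn ALLOW
2019-11-14T23:41:08 svc_backup payroll read E1004 ssn ALLOW
2019-11-14T23:41:09 svc_backup payroll read E1005 ssn ALLOW
"""

if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG.splitlines()):
        print(f"{user}: {reason}")
```

Note that the service account's reads are all ALLOW: the preventive control let them through because the role was entitled to the field. Only the review step, looking at volume and time of day, turns those legitimate-looking entries into something a person should look at, which is the point of pairing detective controls with preventive ones.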
Shaurette says understanding her responsibility in implementing and managing an electronic record system is important, and she plans to inquire about her company's incident response plan in the event of a security breach.
"This isn't something I'm familiar with," she said, "and I plan to involve myself more in the security of our record-keeping practices."