HR Privacy Touch Points
Human Resource information is probably the most sensitive and most abused data. Despite touch measures and laws to keep it safe- you should be aware of the issues surrounding the use and care of personal information. Examine your own HR policies with our check list whether you are managing personal identifiable information or working for an organization.
Advice:
This
is a list of basic privacy questions and considerations that can be used
as buildings blocks to a comprehensive privacy strategy, as follows:
Privacy Check list:
1.- What forms of data protection are or need to be put in place?
2.- What types of privacy legislation impacts our organization- locally,
nationally and internationally?
3.- Do our hiring procedures comply with legislation?
4.- How do we handle & protect our employment records?
5.- Do we need to protect work product and professional information?
6.- Can we and do we have policies and procedures in place when it
involves personal searches of employees?
7.- How do we handle phone & e-mail records, monitoring and surveillance?
8.- Where and what medical information is collected and for what purposes?
9.- Do we have a policy on drug or alcohol testing that complies with
the laws & what information can be disclosed?
10.- When do we need to disclosure employee information by law and
under what other circumstances?
11.- Do we have a privacy policy in place and are people trained,
complying and up to date on the issues?
As privacy legislation evolves,
being a leader is a smart approach. Most people consider privacy as
a personal right. Building a foundation based on mutual trust and respect
has paid dividends for many organizations in both their internal and
external dealings. For an example, see Microsoft's Privacy
Policy and Hewlett-Packard's Privacy
Statement.
Use of a high quality privacy protection software
with encryption goes a long way to proving you are serious about shielding
sensitive information. Interestingly enough,
payroll software is usually very well protected though specific letters
and insurance claim printouts can be found lying around on many office
desks.
Human Resource info should be encrypted,
such as demographics, succession info, performance records, etc. A
privacy screen can be installed on monitors and/or set all your computers
can be set to stand
by. Yes- Windows Vista™ does provide
for more user control over their data which can be a plus or minus.
On the plus side- Vista makes it more difficult to other users to access
private information. On the negative side- it makes data easier to
hide. As a general rule, do not assume that any data is not accessible
unless encrypted. Searching capabilities have improved dramatically
allowing users to locate keywords inside documents- even outside their
user profile.
Surveillance? Recent studies have shown over 35% of all companies conduct some form of workplace surveillance. Moreover- the percentage is even higher for electronic monitoring- reviewing telephone calls/ voice mail, emails- in and outbound, computer files and correspondence. There is very little statutory guidance on workplace privacy violations resulting in decisions of privacy violation being decided on a case by case basis. For example, there are specific surveillance software packages to address these application needs.
There
needs to be a balance the employee's interest in protecting their privacy
and the employer's interest in operating their business. Work is not
the place to engage in personal pass times using the employer's equipment
and resources. The ease of removing sensitive data from a place of
business via email, USB drives or CD's is much greater than physically
removing it. Willful damage to equipment and data can have wide ranging
consequences from loss of productivity to breach of client confidentiality.
A responsible employer should inform their Staff about what types of
surveillance software is in place and consistent penalties for violations
to the rules. Disclosure can act as a deterrent if the policy is signed
by the employee. All Staff should receive proper training in procedures
for handling company data, use of email, software licenses, etc. We are
already seeing some organizations using the Parental controls and reporting
in Vista to control internet use and track usage. Something it was never
designed to do- or was it?
