This week, data and privacy dominated our conversations at both the Upper Midwest Employment Law Institute and the Midwest Mobile Summit. While the audiences were very different (HR pros and lawyers at the Institute, software developers and designers at the Summit), our message was essentially the same: technology is being used to collect and store lots of personally identifiable information (PII), and PII needs protection. Failure to properly protect PII can have legal consequences. Here are our suggestions for employers:
- Know your data. HR professionals know that the data they have and use includes names, addresses, phone numbers, family member information, and Social Security Numbers. Does the tech you’re using also have GPS information, or collect information on an employee’s or applicant’s friends or connections? Does your data include health or medical information? Some of the latest HR tech can and does collect this information, and you might be responsible for it. Even non-HR tech is gathering sensitive information, so an organization-wide survey will help identify where PII can be found. Before you can protect anything, you need to know what you’ve got.
- Collect and display only what you need. The fact that you’re able to gather and display information easily doesn’t necessarily mean you should. For example, there’s no doubt that HR needs a Social Security Number to establish identity, verify authorization to work, and process payroll. Employers need an emergency contact for each employee, and may need information on family members for specific purposes related to benefit programs. But before you ask for spouse’s or children’s names, ages, or contact information, be sure you have a clear business need to know those things.
- Give data only to the people who need it. Once you know what you’ve got and are asking only for what you need, the next step is to limit access to the information to those who really need it. A recruiter never needs to see an SSN before a job offer, and doesn’t need it after an employee’s start date. Managers and supervisors never need to see an SSN, and generally don’t need to have access to family information, home addresses, or health information. The more people who have access to PII, the more vulnerable the PII will be to inadvertent disclosure or unlawful use. If multiple people in your organization have access to information they are not required to use, ask why and be prepared to make PII less vulnerable by restricting access.
Careful handling of PII should be on every employer's to-do list. Related litigation is heating up. Best to prepare now.