Periodically, a story appears in the press about a company experiencing a serious data leak, either due to a technical snafu or a “hack attack”. Whenever we read a story like this, we shake our head and breathe a huge sigh of relief that our company and/or our identities weren’t affected.
In these increasingly “techno-centric” times, this type of thing is happening more frequently. According to the Bureau of Justice Statistics, in 2012 more than 16 million Americans were victims of identity theft. And in the two years since, there have been several high-profile data breaches (e.g. Sony and Target) that have caused people from Denver to Denmark to pay more attention to how their personal information is gathered, handled and stored.
In the HR world, an applicant’s personal information (CV, application, etc.) is classified as highly sensitive information. Therefore, once the applicant has trusted the company with his/her personal information, HR personnel must consider how to best store this information, how to best use it, and how/when it should be discarded.
We wish we could say things are hunky-dory on this end, but alas, they’re not.
For one, many companies are still receiving sensitive information via email, which is not the most secure way to receive data. Email accounts can be easily compromised by any enterprising hacker with a grudge or too much time on his hands. Furthermore, where is the information kept? Too often it’s spread across several individual laptops that leave the workplace, creating the possibility of the laptop being lost or stolen, and the information along with it.
Moreover, if the data isn’t time-stamped and logged immediately upon receipt, then nobody knows exactly when the application was received – and consequently, how long it should be kept or when it should be deleted. In lieu of time-stamping, the only way to verify time/date is to wade through the application pile – never a fun job.
Governments are taking an increased interest in the subject of privacy, and it’s a subject that’s strictly regulated in most countries – for example, data originating in the U.S. is not allowed to leave the U.S., and data originating in the EU is not allowed to leave the EU. Also, in the U.S. data can be kept for at least two years, while in the EU data must be deleted after six months (unless special permission has been granted).
So how do you ensure that you’re in compliance with local laws if your company has divisions in both the U.S. and the EU? Ideally, each office will create its own protocols, so that the HR department in each country is in compliance with local laws. From there, the ideal approach to data protection is the same no matter where your office is located.
To begin with, you should use HTTPS (SSL/TLS) so that all communication between company and applicant occurs in a safe environment. Also, every document and file should be scanned for viruses before uploading and before opening. Make sure you store every application in the same place, preferably a secure location that only select employees can access. If you’re one of those people who likes to store everything on your laptop, our apologies, but that will have to change. Anyway, we mentioned time-stamping earlier – and we’ll mention it again since it’s an integral part of the process. When everyone knows exactly when an application is received, then everyone knows how long to keep it and when to delete it. Moreover, the deletion process can be programmed to happen automatically. And last but certainly not least, back up your data on a regular basis. This too can be automated, and to say that it’s a lifesaver would be understating its importance.
Will anyone ever be able to offer 100% assurance that a person’s data is protected online? Probably not. For every smart person who designs a security system or a firewall, there’s a smart person who figures out a way around it. But you can minimize your exposure to risk by taking the steps we’ve covered here. There are plenty of great software programs and technological safeguards out there to take advantage of. Tap into them and give yourself and your employees some peace of mind!
What are your thoughts on eRecruitment and Sensitive Data Storage?