Data Protection for the HR Department

Ron Arden


November 2, 2015


Human resources departments are faced with unique security challenges. While they are responsible for keeping confidential information about potential employees, internal staff and external clients, a big part of their job is circulating policies and inter-office communications that are meant to be seen by everyone. In addition, human resources departments are responsible for sharing employees’ private and personally identifiable information (PII) with external providers and agencies that include health plans, banks and the IRS. Managing who can see what is a daunting task, and protecting against any possible threats requires a strategy flexible enough to destroy files automatically, if necessary, while also enabling secure sharing.

Data should be classified into categories before policy controls are defined to meet specific access and permission requirements. For human resources, data can typically be classified into two tiers. Tier one includes PII, intellectual property, executive compensation, board of director files, customer lists and financial data. This requires the highest level of protection, including automatic encryption and assignment to the strictest security protocols. Access to tier one must be limited to specific users and groups that have a distinct need to access this information.

Tier two information includes policy manuals, inter-office correspondence and pre-release public files. These have a more lenient access policy as they need to be circulated and viewed throughout the organization. This information can either be encrypted automatically and assigned security permissions that allow everyone inside the organization access or can be manually selected by human resources to be secured.

There are five main types of data that human resources handles. While not exhaustive, these examples show just how granular security policies for HR have to be, given the broad use cases for each:

Employee information: Any document containing employees’ PII is highly sensitive and falls into tier one. Access should be limited to human resources only. Federal and state laws require that this information be retained for a certain amount of time depending on its nature, but after that period, an automatic destruction policy is strongly encouraged. Examples of these records range from employee drug test results to credit reports to medical and benefits information.

Client data: In addition to employee relations, human resources often handles client information, including external and internal financial information. Client contracts mandate confidentiality and can only be shared with authorized employees or, in some cases, third-party agencies, so this data receives tier one treatment. With advanced security settings, HR can safely share this information with the designated parties via email by specifying the number of devices and validity period for accessing protected attachments.

Intellectual property: A company’s business is dependent on the products or services it sells, which all trace back to the intelligence used to design them. Intellectual property is a company’s “crown jewels,” and therefore is tier one information. If this information is compromised, so is the business. The human resources department can be the first line of defense for this data since it may be the first to find out an employee is leaving. They need to have policies in place for resulting access changes.

Prospective talent: Resumes from qualified candidates are in tier one since they are considered part of a company’s intellectual property and often contain PII. Once received, resumes require automatic encryption when files are saved to the server. The security policy should define access controls for human resources personnel and select executives and managers.

Policy manuals: Company rules and regulations for employees need to be accessible to the entire office. Thus, they fall into tier two. This class of information needs less protection, just requiring an employee discretionary policy and encryption.
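As an added illustration (not code from the article, and not Fasoo's product), the following Python module encodes the two-tier scheme above as a policy table and makes the decisions the article calls for: who may open a document, whether it is encrypted automatically, when a tier-one record falls under the automatic destruction policy, and what device count and validity period an external share of client data is held to. Every group name, retention period and sharing limit is an assumption chosen for the example; real values come from the applicable retention laws and the organization's own policy. Unclassified document types are denied outright, so a file that was never classified cannot fall through to the lenient tier-two handling.

```python
# Added example: a small policy engine for the two-tier HR classification
# described above. Group names, retention periods and sharing limits are
# assumptions for illustration, not values from the article.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Policy:
    tier: int                       # 1 = most restricted, 2 = organization-wide
    allowed_groups: FrozenSet[str]  # groups that may open the file
    auto_encrypt: bool              # encrypt on save without user action
    retention_days: Optional[int]   # None = keep indefinitely
    max_share_devices: int = 0      # 0 = no external sharing of this type
    share_validity_days: int = 0    # longest lifetime of an external share


# Assumed mapping of the article's five data types onto policies.
POLICIES: Dict[str, Policy] = {
    "employee_record": Policy(1, frozenset({"hr"}), True, 7 * 365),
    "client_data": Policy(1, frozenset({"hr", "finance"}), True, None, 2, 7),
    "intellectual_property": Policy(1, frozenset({"hr", "engineering_leads"}), True, None),
    "resume": Policy(1, frozenset({"hr", "hiring_managers"}), True, 2 * 365),
    "policy_manual": Policy(2, frozenset({"all_staff"}), True, None),
}


def policy_for(doc_type: str) -> Optional[Policy]:
    """Look up the policy; unclassified types get no policy (fail closed)."""
    return POLICIES.get(doc_type)


def can_access(doc_type: str, user_groups) -> bool:
    """Allow only when the user holds at least one group the policy names."""
    policy = policy_for(doc_type)
    if policy is None:
        return False  # unknown classification: deny rather than default to tier two
    return bool(policy.allowed_groups & frozenset(user_groups))


def destruction_date(doc_type: str, created_iso: str) -> Optional[str]:
    """Date on which the automatic destruction policy removes the record."""
    policy = policy_for(doc_type)
    if policy is None or policy.retention_days is None:
        return None
    created = date.fromisoformat(created_iso)
    return (created + timedelta(days=policy.retention_days)).isoformat()


def is_expired(doc_type: str, created_iso: str, today_iso: str) -> bool:
    """True once the retention period has elapsed and the file should be destroyed."""
    due = destruction_date(doc_type, created_iso)
    return due is not None and date.fromisoformat(today_iso) >= date.fromisoformat(due)


def share_grant(doc_type: str, devices: int, days: int, issued_iso: str) -> Dict[str, object]:
    """Build the constraints attached to a protected attachment sent outside.

    Raises ValueError if the type may not be shared at all, or if the request
    exceeds the policy's device count or validity period.
    """
    policy = policy_for(doc_type)
    if policy is None or policy.max_share_devices == 0:
        raise ValueError(f"{doc_type!r} may not be shared externally")
    if devices < 1 or devices > policy.max_share_devices:
        raise ValueError(f"device count {devices} exceeds limit {policy.max_share_devices}")
    if days < 1 or days > policy.share_validity_days:
        raise ValueError(f"validity {days} days exceeds limit {policy.share_validity_days}")
    expires = date.fromisoformat(issued_iso) + timedelta(days=days)
    return {
        "tier": policy.tier,
        "encrypted": policy.auto_encrypt,
        "max_devices": devices,
        "expires": expires.isoformat(),
    }


if __name__ == "__main__":
    print(can_access("employee_record", {"finance"}))          # False
    print(destruction_date("employee_record", "2015-11-02"))   # 2022-10-31
    print(share_grant("client_data", 2, 7, "2015-11-02"))
```

The table is the manual classification step the article describes; once a document carries a type, every later decision is automatic. Keeping the lookup closed (an unknown type yields no policy rather than a default) is the point of the design: the cost of a misclassified tier-one file is far higher than the cost of a denied request that HR has to resolve.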

In a role that requires protecting and sharing sensitive and valuable information, the human resources department has arguably one of the enterprise’s more challenging data-handling responsibilities. Technology can help streamline these tasks by establishing automatic security policies after the data is initially classified manually. Setting up a comprehensive policy will enable HR personnel to function normally, while also ensuring that the organization’s important data is secure.

Ron Arden is the vice president of data security software company Fasoo USA.