Magazine article Risk Management

Data Protection for the HR Department


Article excerpt

Human resources departments face unique security challenges. While they are responsible for keeping confidential information about potential employees, internal staff and external clients, a big part of their job is circulating policies and inter-office communications that are meant to be seen by everyone. In addition, human resources departments are responsible for sharing employees' private and personally identifiable information (PII) with external providers and agencies, including health plans, banks and the IRS. Managing who can see what is a daunting task, and protecting against any possible threat requires a strategy flexible enough to destroy files automatically, if necessary, while also enabling secure sharing.

Data should be classified into categories before policy controls are defined to meet specific access and permission requirements. For human resources, data can typically be classified into two tiers. Tier one includes PII, intellectual property, executive compensation, board of director files, customer lists and financial data. This requires the highest level of protection, including automatic encryption and assignment to the strictest security protocols. Access to tier one must be limited to specific users and groups that have a distinct need to access this information.

Tier two information includes policy manuals, inter-office correspondence and pre-release public files. These have a more lenient access policy, as they need to be circulated and viewed throughout the organization. This information can either be encrypted automatically and assigned security permissions that grant everyone inside the organization access, or be manually selected by human resources for protection.


There are five main types of data that human resources handles. While not exhaustive, these examples show just how granular security policies for HR have to be, given the broad use cases for each:

Employee information: Any document containing employees' PII is highly sensitive and falls into tier one. Access should be limited to human resources only. Federal and state laws require that this information be retained for a certain amount of time depending on its nature, but after that period, an automatic destruction policy is strongly encouraged. Examples of these records range from employee drug test results to credit reports to medical and benefits information. …
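The two-tier scheme described above (tier one always encrypted and limited to named groups, tier two readable by anyone inside the organization, and retention followed by automatic destruction) can be expressed as a small policy module. The following Python is an added example written for this page, not code from the article or from any HR product; the category names, the "hr" group, the sample records and the retention periods are constructed placeholders, since real retention periods depend on the record type and the applicable law.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(Enum):
    ONE = 1  # PII, intellectual property, executive pay, board files, customer lists, financials
    TWO = 2  # policy manuals, inter-office correspondence, pre-release public files


# Category -> tier mapping following the article's two tiers (category names are constructed).
TIER_BY_CATEGORY = {
    "pii": Tier.ONE,
    "intellectual_property": Tier.ONE,
    "executive_compensation": Tier.ONE,
    "board_files": Tier.ONE,
    "customer_list": Tier.ONE,
    "financial": Tier.ONE,
    "policy_manual": Tier.TWO,
    "inter_office": Tier.TWO,
    "pre_release_public": Tier.TWO,
}

# Groups with a distinct need to read tier-one records ("hr" is an assumed group name).
TIER_ONE_GROUPS = frozenset({"hr"})


@dataclass(frozen=True)
class Record:
    name: str
    category: str
    created: date
    retention_days: int          # hypothetical retention period for this record type
    manually_secured: bool = False  # HR chose to protect this tier-two record


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    internal: bool = True        # False for external providers and agencies


def classify(record: Record) -> Tier:
    """Assign a tier. Unknown categories fail closed into tier one."""
    return TIER_BY_CATEGORY.get(record.category, Tier.ONE)


def must_encrypt(record: Record) -> bool:
    """Tier one is encrypted automatically; tier two only when HR selected it."""
    return classify(record) is Tier.ONE or record.manually_secured


def can_read(user: User, record: Record) -> bool:
    """Tier one: member of an allowed group. Tier two: any internal user."""
    if classify(record) is Tier.ONE:
        return bool(user.groups & TIER_ONE_GROUPS)
    return user.internal


def past_retention(record: Record, today: date) -> bool:
    """True once the mandated retention period has elapsed."""
    return today > record.created + timedelta(days=record.retention_days)


def destruction_candidates(records, today: date):
    """Names of records the automatic destruction policy should act on."""
    return [r.name for r in records if past_retention(r, today)]


# Constructed sample data: one tier-one record and one tier-two record.
SAMPLE_RECORDS = [
    Record("drug_test_2020", "pii", date(2020, 1, 15), retention_days=365),
    Record("policy_manual", "policy_manual", date(2023, 6, 1), retention_days=3650),
]
HR_USER = User("alice", frozenset({"hr"}))
STAFF_USER = User("bob", frozenset({"engineering"}))
EXTERNAL_USER = User("vendor", frozenset(), internal=False)

if __name__ == "__main__":
    today = date(2024, 1, 1)
    for r in SAMPLE_RECORDS:
        print(r.name, classify(r).name, "encrypt" if must_encrypt(r) else "plain")
    print("destroy:", destruction_candidates(SAMPLE_RECORDS, today))
```

Two design choices are worth noting: an unrecognised category lands in tier one rather than tier two, so a mislabelled file is over-protected rather than exposed, and the destruction check is a separate pure function so it can be run on a schedule and its results logged before anything is deleted.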
