While employees necessarily forfeit a good deal of privacy when using company-owned equipment and facilities for their personal interests and benefits, employers today must be concerned about maintaining privacy and confidentiality for customers and employees alike with respect to those individuals’ legally protected personal information such as social security and driver’s license numbers.
Before the days of the Internet and electronic data, most Americans took it for granted that their personal information would be treated with consideration and care. In this digital age there is no turning back; employers must proactively plan and execute safeguards for protecting personal and sensitive information, especially in light of the various federal and state laws that govern it.
In preparing for this Insight, I read an enlightening article published by the Society for Human Resource Management (SHRM) in its August 2008 issue of HR Magazine titled, "Out of the Breach: Reduce the Risk of Litigation and Build Confidence in Data Handling by Becoming a Privacy Champion." In this cover story, senior writer Rita Zeidner presents a case for building a "culture of privacy" in the workplace. According to Zeidner, privacy experts recommend training, along with taking other precautionary steps, as the best defense for avoiding breaches of privacy.
In addition to helping companies avoid potential liability, taking great care with employees’ and customers’ protected personal data is the responsible thing to do. It is also required in order to comply with the numerous federal and state laws that may apply, which both define protected employee/customer data and restrict the access, use, storage and dissemination of that data. If you want to build a culture of privacy in your workplace with respect to the protection of personal data, the following summary of Zeidner’s steps might serve as a useful reference:
- Check references and conduct background checks when hiring employees who will handle sensitive information.
- Ask new hires to sign an agreement that when handling sensitive information, they will abide by confidentiality and security standards established by the company and that any failure to do so will result in corresponding discipline and will affect their performance rating. In fact, all employees who handle sensitive information should abide by the above.
- Regularly remind employees of the organization’s policies and that they are legally bound to keep employee and customer information secure and confidential.
- Limit, identify and track specifically who in the company has access to personally identifiable information, and pay close attention to data such as Social Security numbers (and derivatives of them, such as the last four digits), checking account numbers, driver’s license numbers, etc.
- Limit access to personnel records to only those employees who need to know this information for business purposes.
- Develop procedures ensuring that workers who leave the organization, or who change responsibilities, no longer have access to personal or sensitive information formerly required in their prior position.
- Terminate passwords and collect keys and identification badges as part of the process in ending a person’s employment with the company.
- Implement rigorous training schedules. Keep employees up-to-date regarding security risks and vulnerabilities as they are identified. Make sure all employees are trained regarding data security and protection efforts, company policies and applicable laws, including those located in either satellite or remote locations. You will also want to train temporary and seasonal employees in related security measures.
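Several of the steps above (limit and track who can reach personally identifiable information, remove access when people change roles or leave) are easiest to enforce when the HR roster is regularly reconciled against the access grants on each system that holds protected data. The following is an added example, not code from the article or from SHRM; the systems, roles, employees and grants in it are constructed sample data, and the rule that each PII system maps to the job roles allowed to use it is an assumption of the example.

```python
"""Access reconciliation for systems that hold personally identifiable information.

Added example (not part of the original article). It compares an HR roster
against the recorded access grants and reports grants that should be revoked:
accounts with no matching employee, departed employees, and employees whose
current role no longer needs the data. It also returns who legitimately keeps
access, which is the 'track who has access' record the article asks for.
All systems, roles, people and grants below are constructed sample data.
"""
from dataclasses import dataclass

# Assumption of this example: each PII-holding system is mapped to the roles
# that legitimately need it. Systems not listed here are treated as holding
# no PII and are ignored by the review.
PII_SYSTEMS = {
    "payroll":    {"payroll_clerk", "hr_manager"},
    "hr_records": {"hr_manager", "recruiter"},
    "claims_db":  {"claims_adjuster"},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Grant:
    emp_id: str
    system: str


def reconcile(roster, grants):
    """Return (revocations, holders).

    revocations: list of (grant, reason) for grants that should be removed.
    holders:     dict system -> sorted emp_ids that legitimately keep access.
    """
    by_id = {e.emp_id: e for e in roster}
    revocations = []
    holders = {system: [] for system in PII_SYSTEMS}
    for g in grants:
        if g.system not in PII_SYSTEMS:
            continue  # not a PII system; out of scope for this review
        emp = by_id.get(g.emp_id)
        if emp is None:
            revocations.append((g, "no matching employee in roster"))
        elif emp.status != "active":
            revocations.append((g, f"employee is {emp.status}"))
        elif emp.role not in PII_SYSTEMS[g.system]:
            revocations.append((g, f"role {emp.role!r} does not need {g.system}"))
        else:
            holders[g.system].append(g.emp_id)
    for system in holders:
        holders[system].sort()
    return revocations, holders


# Constructed sample roster and grants.
ROSTER = [
    Employee("e001", "Ann", "payroll_clerk",   "active"),
    Employee("e002", "Bo",  "recruiter",       "active"),
    Employee("e003", "Cy",  "claims_adjuster", "terminated"),
    Employee("e004", "Dee", "marketing",       "active"),  # moved out of HR
]
GRANTS = [
    Grant("e001", "payroll"),
    Grant("e002", "hr_records"),
    Grant("e003", "claims_db"),   # departed; badge, keys and password go too
    Grant("e004", "hr_records"),  # role changed, access never removed
    Grant("e004", "wiki"),        # no PII, ignored
    Grant("e999", "payroll"),     # orphan account with no roster entry
]

if __name__ == "__main__":
    revs, who = reconcile(ROSTER, GRANTS)
    for g, why in revs:
        print(f"REVOKE {g.emp_id} on {g.system}: {why}")
    for system, ids in who.items():
        print(f"{system}: {ids}")
```

Run on a schedule (and as the last step of every offboarding and role change), the `revocations` list is a work queue for the access owners and the `holders` list is the evidence that access is limited to those with a business need.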
Finally employers should train employees so they know how to recognize threats to the security of protected data and report suspicious activities. If employees cannot attend and participate in this training, their access to such information should be blocked until they attend the training. Once employees are trained, and as a way to encourage and reinforce these behaviors, employers should publicly acknowledge and reward employees who alert the company of potential problems.
A closing thought.
Since you want to make sure that rank-and-file employees are well trained, you will initially want to provide complementary, mandatory training and development opportunities for the managers to whom these employees report. In doing so, you can develop a benchmarking program, which can be used as a tool for checking on and evaluating managerial goals. For instance, managers can be held responsible for signing off on benchmarks such as the following:
- Completing a privacy-data inventory that identifies where information is stored.
- Establishing and communicating a privacy policy statement program.
- Verifying policies and practices for security measures.
- Setting aside off-network computers that employees can use during break times or off-hours that will not compromise your network files; and
- Taking steps to ensure that contractors and software providers protect the data to the same standard you do.
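The privacy-data inventory in the first benchmark cannot rely on people remembering where Social Security numbers ended up; spreadsheets, support tickets and exports accumulate them. The following is an added example, not code from the article, that scans a set of text documents for SSNs, applies the structural validity rules (no 000, 666 or 900-999 area number, no 00 group, no 0000 serial) to cut false positives, and also flags the "last four" derivative the article warns about. The documents it scans are constructed sample data, and the wording patterns used to spot a "last four" reference are an assumption of the example.

```python
"""Privacy-data inventory: locate Social Security numbers and their derivatives.

Added example (not part of the original article). It scans text documents for
SSN-like values, keeps only those that are structurally valid, counts 'last
four' derivatives next to SSN-related wording, and returns a per-file
inventory of where protected data is stored. All documents are constructed.
"""
import re

# Full SSN: 3-2-4 digits with optional '-' or ' ' separators. The lookarounds
# stop a phone number or a longer account number from matching in the middle.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")

# Derivative: 'last four' (or similar wording, an assumption of this example)
# followed within a few characters by four digits.
LAST4_RE = re.compile(
    r"\b(?:last\s*four|last\s*4|ssn\s*ending(?:\s*in)?)\D{0,6}(\d{4})\b", re.I
)


def is_plausible_ssn(area, group, serial):
    """Structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def inventory(documents):
    """documents: dict path -> text.

    Returns dict path -> {"ssn": n, "last4": m}, listing only files where
    something was found, so the result is the inventory itself.
    """
    found = {}
    for path, text in documents.items():
        ssns = sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))
        last4 = len(LAST4_RE.findall(text))
        if ssns or last4:
            found[path] = {"ssn": ssns, "last4": last4}
    return found


# Constructed sample documents: one real hit, one derivative, two decoys.
DOCUMENTS = {
    "hr/onboarding_2008.txt": "New hire: Jane Doe, SSN 123-45-6789, start 2008-08-04.",
    "finance/vendor.csv": "acct,amount\n987654321012,500.00\nphone,555-123-4567",
    "support/ticket_42.txt": "Caller verified with last four 6789 and DOB.",
    "marketing/plan.txt": "Notes: 123-00-4567 and 666-12-3456 are not valid SSNs.",
}

if __name__ == "__main__":
    for path, counts in inventory(DOCUMENTS).items():
        print(f"{path}: {counts}")
```

In practice the `documents` argument would be fed by walking file shares, mailboxes and database exports, and the output becomes the list of locations the privacy policy, access limits and retention rules have to cover. The validity check matters: a 12-digit account number and a phone number in the sample are both left alone, and the two structurally invalid values are not reported.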
The electronic age has put many employers in the fast lane of keeping up with security and privacy vulnerabilities. To keep up, build a culture of data security and related privacy interests in your workplace. By training and rewarding employees, and constantly reminding them of their obligations and your expectations, you stand a much better chance of avoiding "blow-outs" on the digital information highway.