The Complete HR Guide to Employee Data Protection

All employers need to gather data about their workers. Employee data such as a Social Security number or date of birth is needed to stay compliant with tax agencies and regulations. You also need banking and personal information to pay your team.

As a result, companies are entrusted with a lot of personal data that could be dangerous in the wrong hands. Protecting this information can help shield your workers from fraud and extortion. It also reduces your legal exposure and helps build trust between you and your team.

At the same time, serious data breaches occur on a daily basis. Many of these contain sensitive employee data. This is especially true of business with deskless and field workers, whose data is primarily stored electronically.

Read on to learn more about employee data protection, including the laws and regulations you need to know and how to stay compliant. 

What Is Employee Data Protection?

Employee data protection is what you do to keep your workers’ personal information safe at your organization. It includes any data protection policies you have and any tools and platforms you use to keep data secure.

Employee data protection covers a wide range of data over the entire employee lifecycle. For example, you might want to store the personal information of unsuccessful job candidates in case they’re suitable for a future role. You would need to ask the candidates permission to do this. 

If you keep data about previous workers for tax or compliance purposes, make sure these records are kept securely. Only keep what you need for compliance.

What data needs protecting?

Generally speaking, employee data protection refers to identifiable personal information. It covers the following.

• Name
• Address
• Date of birth
• Social Security number
• Resume—including educational information
• Medical history and records
• Phone numbers
• Marital status
• Gender and sex
• Disability status
• Marital status
• Information about race, national origin, or citizenship

Some of the processes and policies you use may be based on laws in your area or industry. Others might be best practices that go beyond legal requirements to keep information extra secure.

What Employee Personal Information Protection Laws Do You Need to Be Aware Of?

Your company has the right to request, collect, store, and use a wide range of employee data. This can include personally identifying information. It can also include information about a worker’s performance. There are laws your organization needs to follow when dealing with this information.

The Health Insurance Portability and Accountability Act (HIPAA) 

HIPAA requires employers to ask workers for permission before seeking their personal health information from health care providers or health plans. Personal health information is any personally identifiable healthcare data. This can include details about treatment, medical conditions, and health status.

The Americans with Disabilities Act (ADA)

Title I of the ADA states that employers may secure information about an employee’s medical status and condition. This can be done through worker self-disclosure, a medical examination after a job offer is made, or as part of the process of offering reasonable accommodation to the worker. 

If you have this information, you need to keep it as a “confidential medical record.” This means you must keep it separate from an employee’s personnel file or record. You can share this information with government officials and first responders. This information can also be shared with managers who need medical details as part of their job. 

The Fair Credit Reporting Act (FCRA)

The FCRA covers rules you must follow if you want to run a credit or background check on employees or job applicants. You must inform a job applicant or worker in writing that you’re seeking this information and get written permission from them. 

Once the background or credit check is done, you need to safely get rid of any information you gathered from the report—as well as the report itself. This may mean wiping an electronic file so it can’t be retrieved. Physical files would need to be completely shredded or destroyed.

The Fair and Accurate Credit Transactions Act (FACT Act)

The FACT Act requests that employers safely destroy employee information that’s no longer required. Under this act, you can be held liable if you don’t take care to avoid employee identity theft. 

In addition, if you provide employee information to consumer reporting agencies, you need to make sure the information is accurate. This includes data about a worker’s employment or role at an organization. Your company needs a policy to let employees dispute incorrect information. 

California’s Consumer Privacy Act (CCPA) 

CCPA applies to for-profit companies in California that share, collect, or sell data from California customers. If you’re an employer that’s “covered” by the act, you need to give employees a privacy agreement before collecting any personal information. 

Under this law, personal information can be anything that “identifies, relates to, describes, is reasonably associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household.” This data can only be shared with other parties if it’s legally required, or if there is a genuine need to share the data. 

If you share workers’ personal information with third parties, you must enter into a Data Processing Agreement (DPA) with them. This is so you can ensure private data stays protected. Under the CCPA, workers have the right to access their personal information and ask that it be corrected or even deleted. 

Within these laws, there are gray areas that can be confusing. For example, under CCPA, it can be challenging to decide whether there’s a real “need” to share data. Your best option is to speak to an attorney if you need help understanding your specific obligations.

General data protection regulation (GDPR)

The General Data Protection Regulation (GDPR) applies to workers in the European Union (EU). Even if you’re located in the US—or somewhere else outside the EU—this law can still apply to you if you have workers in the EU. GDPR also applies if you’re using freelancers or contractors in the EU.

Under GDPR, companies can use the grounds of “legitimate interests” to process data. For example, gathering personal and banking information to pay a worker is a legitimate interest. Companies can also get employee data by asking workers for consent.

GDPR limits how long employers can keep employee information. With GDPR, employees have a right to make data subject rights (DSR) requests to access, correct, dispute, and remove data from their records. Employers must respond to these requests in a timely way.

The good news is that Connecteam is GDPR compliant, so if you ever hire team members in the EU, you’re ready to protect their data.

Protecting Employee Data: What You Can Do

Your priority is to make sure you’re following local and relevant international data laws. Beyond that, here are some best practices to protect your employees and safeguard your organization from legal risk.

Know what you’re collecting and why

American employers today are able to collect more data on their employees than ever before. However, in some jurisdictions, companies need to let workers know what data they’re gathering and how they’re using that information.

Certain pieces of employee data may be necessary to capture for administrative and HR purposes. For example, an employee’s family details might be important for your employee benefits scheme. Keeping employee discipline records might help you to monitor workplace behavior. 

When you start gathering data about team members, you should always ask yourself why you need the information. Avoid collecting data that doesn’t have a specific purpose. 

You might not need to know about a person’s decision to adopt or start a family if it doesn’t relate to their employment or benefits. Equally, you don’t need to know what your employee does on their personal devices when they’re not on the clock. 

Capturing employee data unnecessarily could lead to discrimination claims.

Choose the right software and systems

Most businesses now use digital tools to process and store data. Many, especially those with deskless teams, use cloud-based solutions, like Connecteam. This is wise, as paper records are vulnerable to destruction by fire or flood or can be physically removed from a safe space. 

Online document and data storage systems let you keep everything securely in the cloud. Secure cloud-based solutions enable you to restrict access to documents, encrypt data, set passwords, and even see who has accessed records.

To reduce the risk of a data breach, work with apps and software that have encryption and strong privacy policies, like Connecteam. Use strong passwords and update them regularly. Get to know your software and apps so you can enable security features that let you keep employees’ information private.

Be transparent with your employees

Depending on your company’s location, you may not be legally required to share what data you’re storing or why. Even so, being transparent can help you create a culture of trust.

When asking workers to provide personal data, explain why you need that information. This can help calm any worries and helps employees to understand how their data is being used. 

Create privacy and employee data protection policies

Two policies can help you keep worker data safe. First, is a privacy policy for your workplace. This can help outline how you handle customer and employee data. 

For example, you might state that you don’t share personal information unless it’s necessary. You can also explain what you need for payroll, benefits, and other important parts of doing business.

A privacy policy can also help employees understand their own obligations. For example, if your deskless workers use their own devices, tell them whether they can access personal email or social media at work.

Employee data protection policy 

An employee data protection policy is an internal document for your team. It tells people at your company what they can do to keep worker data safe. It’s different from a privacy policy as these are typically external and explain how you protect data. 

You can use an employee data protection policy to explain exactly which employee data is protected. You can also create company rules for keeping this sensitive information private. For example, you can request that any files with employee data be labeled as “private.” 

Update employee records regularly

Remove unnecessary and outdated information from your employee files and database. If your systems are hacked, having outdated information could boost any claims that you didn’t care for your employee records. Storing unneeded documentation also puts more of your workers at risk.

While you’re at it, conduct regular audits on your employee records and data storage systems. Make sure the data is still secure and that previous employees or other unauthorized people don’t have access to it. Ensuring that you have security systems—such as malware protection—in place is important. As is using the latest versions of software to avoid security vulnerabilities.

Consider who you do business with

Chances are, you need to share employee information as part of your business operations. 

For example, you may need to send payroll information to an accountant or share financial data with a benefits provider or tax agency.

Be sure to look over other organizations’ data protection policies before sharing your employee’s data with it. You can minimize risk by sharing only the minimum amount of data needed to operate. 

Evaluate how employee data is shared internally

Take another look at sharing employee information internally, too. Casually forwarding an email with an employee’s personal information could make you liable if that information is misused. As an example, if you decide to have a holiday card or gift exchange, you could be sharing employee addresses and contact information. That can be a problem.

A simple solution is to use a platform like Connecteam chat. It allows your team to stay in touch and even send holiday greetings in a secure chat platform, without needing to share contact information.

Train employees and managers on data protection

Employee data protection is only as strong as your team’s understanding of privacy and relevant laws. Managers who don’t understand the rules can easily put workers’ personal data at risk. Workers can also pass on information that another employee personally shared with them.

Train employees on how to recognize and handle personal data. You can create custom training with a platform like Connecteam. Teach your team about your privacy and data protection policies. Ensure you’re sharing best practices for keeping personal information safe.

Have a plan in place in case of a data breach

Even if you do everything right, the wrong people may gain access to employee information. Some fraudsters dedicate their lives to trying to hack personal information for profit.

In case sensitive employee information falls into the wrong hands or is compromised, you’ll want to have a clear plan in place for how you will handle the situation. Ensure you make your employees aware of the breach as soon as possible and inform authorities of the crime. 

Support your workers with credit monitoring services in case their identities are stolen. Keep affected team members updated about any information shared by authorities about the breach.

Protecting Your Employees’ Most Crucial Asset: Their Personal Data

Employee data breaches are not only dangerous for employees, they can also cause significant harm to your company’s reputation and disrupt operations. 

As an employer, you have an important part to play in ensuring your employees’ sensitive data is stored and processed safely. For deskless teams especially, data security is a top priority.

Fortunately, secure, cloud-based platforms like Connecteam allow you to safely store employee documents and data. Authorized HR managers and team members can only access employee files when they securely log in. Plus, all your data is backed up digitally, and you decide who can access and upload information.

Connecteam also lets you set expiration dates for different employee documents, alerting you when files need to be reviewed or updated, and has powerful tools for training your team on data safety.

Best of all, Connecteam is an all-in-one solution for HR, operations, and communications. In addition to keeping your employees’ data safe, Connecteam offers tools for time tracking, task management, scheduling, internal communications, secure training and onboarding, and more.