With Europe ramping up data protection compliance under GDPR and Facebook coming under scrutiny for its failure to keep user data safe, employers should also be aware of the responsibility of collecting employee data. Employees have a right to privacy under federal and state laws. Their personal identifying information is to be kept confidential, stored securely and disposed of properly.
Here are HR best practices for keeping employee data safe.
Types of Employee Records in HR
When a person applies for a job at an organization, the employer begins collecting pieces of data about that individual. Over time, the employer builds quite a database of records that could include:
- Hiring records such as
- Drivers license, passport, or other identifying information
- Form I-9 or E-Verify records
- Benefits information
- Offer letter
- Employment records such as
- Payroll and timesheet records
- W-4's or Tax records
- Performance reviews
- Emergency contact information
- Background check information such as
- Credit reports
- Driving records
- Criminal records
- Health information including
- Drug test results
- Emergency contact information
Employers need to know:
- Which records should be kept?
- How long should they be kept?
- Which ones should be destroyed?
- What is the proper way to destroy the data?
Some records do need to be kept for a while, for instance, in the case of an employer taken to court by applicants for failing to follow the rules of the FCRA. Employers are also expected to comply with federal and state regulations on storage and disposal of employee records.
Storage and Retention of Employee Records
Different statutes dictate which records should be kept, the retention period and destruction methods. Depending on the type of record, the storage and disposal could be different. The Department of Labor, for instance, has a Fact Sheet that summarizes the record keeping requirements under the Fair Labor Standards Act (FLSA). It doesn't specify if the records should be kept as paper or electronic, however, it does offer that employers must maintain these and other identifying employee data:
- Employee's full name and social security number
- Full address
- Birthdate, if younger than age 19
- And more
The Fact Sheet also specifies which records are to be maintained, for how long, and how they should be stored. The EEOC also instructs employers of record keeping obligations.
Best Practices for Maintaining Employee Records
As a best practice, employers should keep all employee records for a minimum of 3 years. HR managers should also check their own state requirements for employee record retention or record keeping as they may require more stringent time periods.
Other best practices include creating a consistent policy as suggested by the Society of Human Resource Management. Consider these standards:
- Electronic or paper - Decide on a consistent form of maintaining records for all employees and, if multiple copies exist, determine how they are protected from unauthorized access.
- Store some forms separately - Employee records may need to be categorized in case some records need to be accessed or stored differently than others.
- Categorize - Some categories to consider are - pre-employment, work history, immigration, payroll, benefits and medical.
- Destroy as specified - Records shouldn't be destroyed unless no litigation is pending. Employers should also check retention periods before shredding or incinerating employee files.