From the moment an applicant applies for a position all the way through signing hiring documents and going through onboarding, the employer is collecting sensitive data that must be stored, secured, and, if no longer relevant, destroyed. This includes driver’s license numbers, I-9 records, W-4s, as well as information obtained during a pre-employment background check, including credit reports and driver’s history. This type of information is extremely sensitive and should not be emailed, nor should it be left out on a desk over a weekend. All physical documents containing Social Security numbers, bank accounts, dates of birth, or banking information should be locked up in a secure area. For digital records, only authorized personnel should be allowed to access files containing sensitive information.
Another critical area is access control. There is no point in locking up the data if everyone can go grab the key. It is best to limit access to personnel who have a legitimate reason for reviewing such sensitive data. Any employee granted access should be trained on data protection best practices and take precautions to secure sensitive data. Supervisors may be granted access to performance-related records, but should not have access to employee medical information or other confidential data.
It is also critical to securely maintain the data until such time as it is deemed unnecessary and may be destroyed. Our best practices recommendation is five years. Be sure to look at your state’s record retention requirements.
When it is finally time to destroy sensitive data, be sure to follow best practices for destruction. It is not wise to toss it in the dumpster behind the building. Use an inexpensive paper shredder, or consider hiring a vendor. If you do hire a vendor, make sure to get a certificate of destruction for your records.
Sensitive information could be used for fraud or identity theft, and there are laws that dictate how Social Security numbers and other sensitive data should be stored, maintained, and destroyed. If necessary, develop a data retention policy.
Safeguarding employee information is an unglamorous but critical component of any business. Whether for compliance needs, or to simply avoid headaches and be respectful of employee privacy rights, your data retention policy can predict your likelihood of data breaches, identity theft, and bad publicity.
Employees trust their employers to manage sensitive data in a responsible way. The next time you order a background check on the platform, make sure you are doing it in a responsible, ethical way.