HR: Safely handling data during record requests
Human resources (HR) representatives handle a large amount of sensitive information, from employees’ Social Security numbers to financial documents. Mishandling documents or sending information to the wrong recipient can cost millions of dollars in legal and recovery fees.
Knowing how to handle sensitive information during processes like employee verification, especially when working with people outside of your organization, is essential to properly doing your job as an HR representative.
3 Common Types of Record Requests
HR acts as the gatekeeper for a lot of employee and company data. When a third party asks you to share that data, the request should be taken seriously and handled with care. Below are the most common types of employee-related information requests that HR departments receive.
Lending companies, government agencies, or employers often contact HR departments to verify a current or former employee’s work history.
Precautions to take: When answering an employment verification request, be sure to verify the identity of the party contacting you. If they’re calling you, search their number online and see if it comes up as fraudulent. If it’s an email request, confirm that the mailing server and the sender’s address match the company the sender claims to represent.
What to provide: Typically, you’ll need to provide the employee’s start and end dates; salary information, if relevant; or simply a confirmation of current employment.
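The email check described above, sketched in Python as an added example (not part of the original article): it compares the From and Reply-To domains with the company the sender claims to represent and reads the DMARC verdict recorded by your own mail server. The domains, the `mx.employer.example` server name and the function names are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the From line uses the lender's real domain, but our own
# mail server recorded a DMARC failure and replies go to a lookalike domain.
SPOOFED = """\
Authentication-Results: mx.employer.example; spf=fail smtp.mailfrom=bulk.example;
 dmarc=fail header.from=acme-lending.example
Authentication-Results: mx.acme-lending.example; dmarc=pass
From: Acme Lending <verify@acme-lending.example>
Reply-To: verify@acme-lending-docs.example
Subject: Employment verification request

Please confirm start date and salary for the employee named below.
"""
# Constructed sample: the same message with passing results and a matching Reply-To.
GENUINE = SPOOFED.replace("=fail", "=pass").replace("-docs", "")

def _domain(header):
    """Lowercased domain of the address in a From/Reply-To header."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def _within(domain, org):
    """True if domain is the organization's domain or one of its subdomains."""
    return domain == org or domain.endswith("." + org)

def check_sender(raw_email, claimed_domain, our_authserv_id):
    """Return a list of findings; an empty list means no mismatch was found."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    if not _within(_domain(msg["From"]), claimed_domain):
        findings.append("From address is not at " + claimed_domain)
    if msg["Reply-To"] and not _within(_domain(msg["Reply-To"]), claimed_domain):
        findings.append("Reply-To points to a different domain")
    # Trust only the topmost Authentication-Results header stamped by our own
    # receiving server; copies lower down may have been forged by the sender.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = str(value).partition(";")
        if server.strip().lower() == our_authserv_id:
            results = dict(re.findall(r"(?:^|;)\s*(\w+)=(\w+)", rest.lower()))
            break
    if results.get("dmarc") != "pass":
        findings.append("DMARC result is " + results.get("dmarc", "missing"))
    return findings
```

An empty result only means these header checks found nothing; the phone or callback verification described above still applies before any records are sent.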
Employee Record Request
Employees or former employees may wish to obtain a copy of their personnel files for any number of reasons.
Precautions to take: Some states give employees more power than others, allowing them to request their files under certain circumstances. Even in these states, employers are never required to give employees their entire files, meaning material can be redacted. Reference the state-specific laws to see what may or may not be required of your company.
What to provide: If you choose to give employees their files, provide only the information that you’re comfortable handing over. If anything is potentially damaging to the company or is too sensitive to share, either redact it or bring in a legal expert if necessary.
Law Enforcement Request
In rare cases, the police, the FBI, or other law agencies may request employee files for an investigation.
Precautions to take: Make sure the officer or agent is legitimate by calling their office and verifying their badge number, which they should provide to you when prompted. If you have a lawyer or other legal expert at your company, consider involving them in the process.
What to provide: Police officers will typically ask for updated contact information if they’re looking for someone who is employed by your company.
Safely Sending an Employment Verification
There are a number of situations in which you’ll need to handle potentially sensitive information. Whether law enforcement is requesting employee records or someone is seeking employment verification, safely handling information is always important.
The following best practices can help you safely handle information during an employment verification request and bolster your security in general.
Use an Employment Verification Service
Employment verification requests are a common type of request and can come from a number of sources: lenders, insurance companies, government agencies regarding welfare services, and more.
Typically, HR either has to give the employee a signed employment verification letter or contact the third party needing the info directly and provide verification.
With an employment verification service like Truework, employment verification requests can be handled with little interaction from HR. If a verification service is in place, a third party — like a lender or a local government agency — can contact the verification service directly. The service can then contact the employee and inform them of the request. If the employee approves, the request will then be securely processed and sent to the requesting party.
Encrypt Company Emails
There are nearly 4 billion email users in 2019. With 62% of small businesses experiencing phishing, which is primarily done via email, email security can’t be downplayed. By properly encrypting email, you can help prevent your company from losing records.
Encryption is a type of security that prevents emails from being accessible to those using hacking or snooping software. When an email is encrypted, its contents are scrambled until it reaches the receiving party, at which point the email is deciphered.
Many providers, like Gmail, will encrypt emails by default. But that protection still relies on the other party using encryption as well, which means an email sent from Gmail to another provider isn't guaranteed to be encrypted all the way to the recipient. For internal emails, make sure all company email accounts have encryption enabled. If your company’s email provider doesn’t support encryption, either consider switching to a provider that does, or use a third-party encryption service. This will at least ensure internal communications are secure. For external accounts, you’re better off securing the contents of the email.
Password-Protect or Encrypt Files
Email encryption isn’t always possible. Even when it is, encrypting or password-protecting files is a great way to bolster your security.
There are a few common file types that can be easily encrypted or protected with at least one layer of security:
- Zip files: A zip file is a compressed folder that can contain multiple files. Zip files can typically be encrypted in two ways: ZipCrypto and AES-256, the latter of which is considered more secure; it allows files to be encrypted and accessible only via password.
- PDF files: A portable document format (PDF) file is commonly used for digital paperwork, such as the I-9 or other verification documents. A PDF can be secured in two ways, each involving a custom password. You can either restrict all access to the document with a password or only allow permissions to be altered via password. In either case, a strong password can keep the information in the PDF secure if it’s lost or stolen.
- Word or Pages documents: Both Microsoft Word and Apple Pages documents can be assigned a password. Create a strong password, and send it in a separate communication to those who need it. This will prevent hackers from obtaining both the file and the password in the same email.
All of the above options can protect your documents, but only if the passwords used are strong. Be sure to use different passwords for each document and to send the password in a separate message. It’s also a good idea to change this password once the other party has gotten what they need from the document.
HR Best Practices for Handling Data
Beyond encrypting data and locking down documents, there are best practices that should be followed in HR and enforced across the company to ensure that data is handled in a safe and secure manner.
- Pick a format and stick with it. Make the decision to go all digital or all paper. Don’t use a combination, as this can lead to duplicate records or out-of-date information and can make it harder to secure all of your documents. If you decide to go digital, get rid of your paper documents using a third-party shredding company to ensure that they’re disposed of properly.
- Hold annual employee training sessions on handling data. When it comes to data breaches, employee negligence is cited as the primary cause. Regular training sessions could help eliminate negligent behavior. If you adopt new software, hold a training session immediately to keep employees from making costly mistakes.
- Destroy data only when a retention period has passed. The U.S. federal government has regulations for employee record-keeping (https://www.eeoc.gov/employers/recordkeeping.cfm) that must be followed. Create a schedule to track retention periods for documents. If you’re using a digital platform, look for a feature that allows documents to be flagged for deletion after their retention period has passed.
The mishandling of data can’t ever be fully prevented, but with the right steps, it can be deterred. Be sure to actively enforce any policies that are implemented; the loss of data can be costly and should be taken seriously.
Keeping HR Communications Safe
Record requests are inevitable when working in HR. These situations are an opportunity for costly mistakes, but they don’t have to be. When the proper precautions are taken, an employment verification or law enforcement request can be handled quickly and safely.