Several recent high-profile data breaches, involving companies such as Optus and Medibank, have put a spotlight on the importance of keeping sensitive employee data safe and protected.
Your legal obligations
Employers have a legal obligation to collect and store employment records. For example, information about pay, leave, hours of work, reimbursement of work-related expenses, workers compensation insurance and superannuation contributions. These requirements are prescribed under laws such as the Fair Work Act and the Fair Work Regulations. There are also other laws that require you to keep your tax and superannuation calculations, and how you met your choice of super fund obligations for five years.
Depending on your organisation, there may also be other reasons why you need to collect employee data, which might include working with children checks or certain licenses that the employee is required to have in order to perform their normal work.
It’s also good HR practice for employers to keep other records relating to hiring, managing and exiting workers, to provide a full employment history and to assist in undertaking day-to-day HR functions or in defending the organisation from any claims by employees or unsuccessful candidates.
Risks of not retaining employee data properly!
One of the biggest risks is reputational damage, along with losing the trust of your employees. There could also be potential fines and other enforcement action under the Fair Work Act, depending on the circumstances.
Fines for serious data breaches!
For serious data breaches under the Privacy Act, the penalty is currently $2.2 million. Proposed reforms would increase that by the end of the year to the greater of $10 million; three times the value of any benefit obtained (directly or indirectly) from the contravention; or, if the value of the benefit cannot be ascertained, 10 per cent of the annual turnover of the organisation.
At this stage, only organisations are liable under the Privacy Act. However, there are exemptions for small businesses with revenue under $3 million in certain circumstances.
Sometimes individuals might be liable under other laws for related actions, such as cybercrime offences, including hacking. An action for breach of confidence has also been successfully pursued where an individual published intimate photos of their former partner online, conduct that would also be considered a breach of that person’s privacy.
These are examples of other avenues that could make individuals liable, but they are not often pursued. Some of the law reforms in this area are looking at more direct forms of recourse including, potentially, extending the Privacy Act to apply to individuals.
Is your HR technology secure?
In many organisations, HR technology stores the most sensitive data the organisation holds, so it’s important to ensure your HR technology is up to the task.
Start by asking security-related questions such as:
- Does the HR software provide encryption for sensitive and personally identifying data?
- What security controls are in place to control, authorize, and audit access to data?
- If the system requires access outside of the firewall, how is access controlled?
- Aside from approved client users, does the vendor have access to the data and how is this managed?
- For cloud solutions, who is considered the owner of any client data stored in the vendor’s data centres?
- What is the geographical location of the software vendor’s data centre?
- For on-premises solutions, how does the vendor access your system to provide support?
- When data is transmitted, is it encrypted?
- Is data at rest encrypted?
- Is your data shared with other third parties?
- What applicable standards or certifications does the vendor comply with and/or hold?
- What are the patch frequency and software update release procedures?
- What are the vendor’s disaster recovery and business continuity practices?
- What happens with customer data when the contract is terminated? How is data decommissioned?
- What are the incident response process and client notification procedures for security breaches?
People are often the weakest link in the security chain
While external cyber-attacks get a lot of publicity, it is also important to ask security questions relating to any of your employees who have access to systems and data, such as:
- Do employees report lost or stolen devices if they pose a security risk?
- Is security access cut off when employees leave the organisation?
- Are employees sharing passwords (whether intentionally or not)?
Is BetterHR HR technology secure?
BetterHR management software runs in one of the most secure data centres in Australia and the world, trusted by the Australian Federal Government and many Fortune 500 companies.
Learn more about BetterHR technology: https://betterhr.com.au/better-hr-technology/