As an HR professional, one of your most important roles is to keep your employees’ personally identifiable information (PII) safe and secure. With today’s modern HR systems and the increasing number of workplace applications, having a system in place to manage the movement of employee data is vital. That’s why Namely recently hosted an educational webinar with our partners at OneLogin. Namely CPO, Nick Sanchez, and OneLogin VP of Product, David Meyer, shared best practices on how to establish a secure approach for employee data flow that protects both the employee and the employer.
If you missed the webinar, we’re bringing you the key takeaways to ensure your HR practices around PII are effective and responsible. Specifically, we’ll show you employee PII considerations at each step of the talent lifecycle: onboarding, cross-boarding, and offboarding.
Here’s what HR professionals need to know:
Before we dive in, it’s important to note the scope of what PII includes. HR has access to a wide range of PII, and while PII may take the form of hard copy or electronic records, both forms need to be diligently protected. PII can include:
Onboarding New Employees
Much of an employee’s PII is gathered during the onboarding process. Here’s how to set up a new employee seamlessly:
- Create an onboarding checklist for HR and IT teams. Ensure that every member of your HR and IT teams knows which steps need to be taken, from signing company documents to computer setup.
- Add new employee information into the system of record. Having a singular source of truth for employee data makes it that much easier to protect. Onboarding is the time to make sure that new employee information is accurate and up-to-date on your HRIS.
- Complete necessary government forms. Gather the appropriate paperwork, update your records, and store these forms securely. Consider creating e-copies of the documents and uploading them to a cloud-based tool to keep your records evergreen.
- Enroll the employee in benefits, payroll, & other systems. Using an HRIS can streamline this process, since all enrollment information and processes can be triggered from one source of data.
- Train employees who have access to PII. There’s no better time to set the standard for how your organization treats PII for anyone who comes in contact with this information. Keep your training, practices and policies up to date.
- Distribute a handbook with policy, privacy and practice information. Codify your organization’s practices and share them with new hires so they are always easy to reference.
In a growing organization, employees will assume new roles over time, either through promotions or by moving laterally to a new team. When these job transitions happen, it’s important to update access to both PII and tools. These are the steps to take:
- Create a cross-boarding checklist for HR and IT teams. Capture all necessary steps in one place, so the process is consistent for all employees.
- Clarify the access this role requires to different systems and data sets. When employees change roles, they may have new requirements around data access. Work with their manager and IT to confirm both what access is now needed and what access may need to be turned off.
- Train employees who now have access to PII. If a shift in role exposes an employee to PII, confirm that they have the proper training to understand how your organization handles PII. This is especially vital for those moving into people manager roles with access to their direct reports’ information, who need to understand the confidentiality and trust that come with that data visibility.
Successfully offboarding an employee can be incredibly complicated, so it’s no wonder that 13% of ex-employees can still access the systems of their former employer. Here’s how to securely offboard an employee:
- Create an offboarding checklist for HR and IT teams. As with onboarding and cross-boarding, memorialize your practices around offboarding to confirm that each step has been addressed.
- Collect IT equipment, credit/debit cards & ID badges. All company material needs to be collected before the employee’s departure.
- Clear people managers’ computers of employee data. Though you may be focused on collecting employee equipment, don’t forget that the people manager no longer needs access to any employee PII.
- Sign agreements about confidentiality. Depending on the employee’s exposure to data, it may be critical to document confidentiality requirements.
A strong HR and IT team partnership will help facilitate seamless transitions of PII data and system access. Providing your IT team with a list of access provisions by role and level in the company allows the right people to have visibility into the right information at all times during onboarding and cross-boarding. Further, a detailed offboarding process ensures that separated employees have a clean cut-off from the company’s system.
From a compliance perspective, managing employee data is an ongoing practice that requires due diligence. Onboarding, cross-boarding and offboarding are key moments for employee data flow, but data must be regularly audited to ensure accuracy. For example, employee records need to reflect any change in life events. At all times, you’ll need to preserve personnel files, payroll files, medical records, EEO records and I-9 forms, as well as maintain inactive employee records as required by law.
In addition, ensure that your policies and practices are up to date, which includes reviewing data access privileges and removing data from systems no longer in use. When you make any changes, your training and handbook must be updated to reflect the updates.
If you’re feeling overwhelmed by the requirements surrounding PII, adopting an HRIS system—if you haven’t already—is a great first step, since it acts as one source of truth for all employee data. Organizing and tracking your employee PII data, standardizing your practices via checklists and regular reviews, and a strong HR-IT partnership will set you and your organization up for long-term success.