Experts say it’s crucial for employers to protect job applicant data at all times. How does your organization safeguard candidate information—from printed applications and resumes to information distributed to remote hiring managers and teams? Learn these 8 considerations for how to better protect job applicant data from a possible breach.
1. Practice Data Minimization
Experts advise employers to avoid requesting unnecessary information from applicants that could later be shared inadvertently with hiring managers or other employees and cause identity theft and privacy concerns.
To help lower this risk, HR professionals should consider practicing data minimization. This means only collecting and storing information the company absolutely needs, purging data as soon as there is no longer a business need to retain it, and limiting access to applicant and employee data to only those individuals who require it.
2. Delay Asking Candidates for a Social Security Number
According to experts, employers generally should not request Social Security numbers on an initial employment application form. If the hiring for the position will require a credit check or background check, the candidate will likely need to sign a specific authorization form, and a Social Security number could be collected at that time.
Employers should also make sure they fully understand the laws of each state in which they hire regarding the collection of Social Security numbers from job applicants. Although experts say that employers are permitted to ask applicants for their Social Security numbers in all states, some states require employers to have encryption in place to protect candidate privacy. Several states have also prohibited or limited the use of credit checks for job applicants.
3. Vet Partners that Conduct Background Checks
Experts say that employers who use a consumer reporting agency or background check firm for background screening services should be sure to look for the proper accreditation. Consumer reporting agencies should have accreditation through the National Association of Professional Background Screeners, and background check firms should have the Service Organization Control (SOC 2) audit from the American Institute of Certified Public Accountants.
Some organizations will need to consider the European Union's General Data Protection Regulation (GDPR). This may include employers that conduct background checks on EU citizens or employers with international operations that exchange personal data from employees in the EU to the US.
4. Investigate the Security Practices of Your Organization’s Applicant Tracking System
Modern applicant tracking systems can help HR and recruiting teams manage every aspect of hiring, but they can also be a rich source of data for identity thieves. According to HR experts, the flood of information collected, managed, and stored in an organization's talent management platform carries risks as well as rewards.
Data security should be a top priority of an applicant tracking system, according to experts. The chosen provider should have an excellent reputation in terms of security and demonstrate meticulous care in the way it manages and protects data.
5. Consider Practices for Safe Disposal of Printed Applicant Information
Employers should review their policies for shredding printed employment application materials submitted by applicants who were never hired. It's recommended that these policies also specifically address remote employees. Remote employees should be discouraged from printing confidential records where possible, and instructed on how to properly store or destroy any printouts they do make.
6. Map Where Applicant Data Is Stored
Applicant and employee data is often scattered across an organization. Experts say that HR and recruiting professionals should map out the applicant and employee data residing in each system, as well as the ways data flows between systems, in order to maintain oversight of the information and establish processes for granting access.
These systems may include: the organization's candidate relationship management and applicant tracking systems, learning platforms, payroll management systems, integrations with third-party systems (such as external vendors for background checks, employment verification, and benefits management), and data gathered manually that may reside in spreadsheets or another insecure format.
7. Maintain an Up-to-Date Record Keeping Policy
According to the Society for Human Resource Management (SHRM), several federal laws address the retention of employment and hiring records, including Title VII, the Americans with Disabilities Act (ADA), and the Age Discrimination in Employment Act (ADEA). Hiring records may include applications, resumes, employment tests, drug tests, reference checks, background checks, and credit checks. Experts warn that some states require longer record retention periods; where laws conflict, employers should follow the longer retention period, as the penalties for non-compliance can be severe.
SHRM provides a sample record-keeping policy including procedures to consider for retaining and destroying employment application materials.
8. Be Prepared to Act Quickly in the Event of a Data Breach
According to experts, one of the most important things an HR professional can do is prepare for a possible breach of applicant or employee data. This may include forming a cross-departmental breach response team, preparing messaging templates, and creating a plan that documents how HR will work with IT to identify exposed data, notify affected individuals, and correct any issues. The FTC provides more information on its recommended data breach actions in its guide, Data Breach Response: A Guide for Business.