
Employee Data – considerations in a post Optus data breach world


Many employers are grappling with data security as a result of the recent Optus security incident, and particularly wondering how they can make their employee data as secure as possible.


Organisations collect a huge amount of employee data over the employment lifecycle. The Optus breach has prompted many of us to reflect on what information we collect, what we store, how we store it, for how long and why. It’s great to see this care and consideration for the key information we’re trusted with as employers; hopefully it will result in more contemporary practices and improvements to the systems we work within.


I’ve recently attended a seminar on the collection and storage of employee data led by a panel of experts representing cyber security, HR systems and employment law. They had some very interesting things to say which I share with you in the hopes it supports your exploration of your employee data security:


System level

  • In the HR systems world we’ve learned that APIs are our friends (they create a pipeline connecting HR systems with enterprise systems, helping us to develop great HR analytics and streamline user experiences). It’s important to know that every API is also another path to employee information, usually reached with an API key or service account that is long-lived and broadly scoped. Our IT and cyber security teams really are our key partners – now’s the time to ask them to review your API security: how each integration authenticates, whether it can only read the records and fields its job needs, how its credentials are stored and rotated, and whether its access is logged.

  • Lots of organisations developed in-house apps over the past few years, and some used low-code or no-code products to quickly build nifty apps that link to HR systems and spreadsheets in the background. These often connect with a single shared credential and sit outside the HR system’s own access controls, so they can be just as exposed as the core system. Make an inventory of them (including the spreadsheets they feed) and ask your tech team to review them with you.

  • Passwords and sharing of system logins/access. It’s so important to regularly educate staff not to use simple or reused passwords and not to let other team members use their logins or system access; shared logins also make it impossible to tell who actually viewed a record. Where your systems support it, turn on multi-factor authentication for anything holding employee data. As the panel put it, the baddies often just need one password to get into our systems and then move across the enterprise to do their dastardly work.

  • Internal tech and cyber security teams are highly skilled and can undertake regular assessments of the security of the systems you use to collect and store employee data, so make sure you’re tapping into their support.

Practice level

  • Regularly review and remove data you no longer need (set a retention period for each category rather than keeping it indefinitely), and keep the most sensitive items, such as tax file numbers, bank details and copies of identity documents, in a separate, more tightly controlled ‘location’ from general HR data, so that one compromised system doesn’t expose everything.

  • Minimise access to critical employee data and link access to job function/role rather than to the person: when people change roles, their access to employee data should change with them, and when they leave it should end. Review who holds each level of access periodically, not just at the time it’s granted.

  • Review the body of employee data you collect. For each item, confirm that you need to collect it (rather than just ‘sight’ it), what it is collected for, whether and why it needs to be stored, and for how long. This will help you determine whether some legacy processes can be modernised to avoid over-collection and retention beyond your obligations, and where the most suitable storage ‘location’ should be.

  • Change your practice – where possible, have trusted roles ‘sight’ key employee identification data rather than ‘collect’ it. If you need a record that identity was verified, record who checked which document and when, rather than keeping a copy of the document itself.

  • Consider replacing photograph ID with an avatar in staff directories and internal profiles where a photo isn’t actually required.

  • Consider the data you’re currently storing for ex-employees. Do you still need it, what for, for how long, and where should it be stored?

  • Consider the data you collect from potential new employees. How securely is it stored, and what do you do with it if they’re not successful in their application for work at your organisation? Decide on a period after which unsuccessful applicants’ data is deleted, and apply it.
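To make the access and retention points above concrete, here is a small model of an HR records lookup written as an added example; it is not code from the original post or from any HR product. It assumes illustrative role names, field names, retention periods and sample records (all constructed for the example; the real retention periods come from your legal and accreditation obligations). It shows the API pattern the System level section warns about (any caller gets any record in full) beside a hardened version where permissions attach to job roles rather than people, nothing is returned unless a role explicitly allows it, and a retention sweep flags ex-employee and unsuccessful-applicant records that are past their keep-by date.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Permissions are attached to job roles, never to named people. When someone
# changes role, their Caller is rebuilt from the HR system's role assignment and
# their access changes with it. Role and field names here are illustrative.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "payroll": frozenset({"name", "tax_file_number", "bank_account", "salary"}),
    "line_manager": frozenset({"name", "job_title", "start_date"}),
    "recruiter": frozenset({"name", "job_title"}),
}
# What a person may see about their own record (illustrative).
SELF_FIELDS: FrozenSet[str] = frozenset({"name", "job_title", "start_date", "salary"})

# Retention period per record status. Placeholder values: set the real ones
# from your legal and accreditation obligations, not from this file.
RETENTION: Dict[str, timedelta] = {
    "former": timedelta(days=7 * 365),
    "applicant_unsuccessful": timedelta(days=180),
}


@dataclass(frozen=True)
class EmployeeRecord:
    employee_id: str
    name: str
    job_title: str
    start_date: Optional[date]
    salary: Optional[int]
    tax_file_number: Optional[str]
    bank_account: Optional[str]
    status: str                     # "current", "former" or "applicant_unsuccessful"
    status_changed: Optional[date]  # date the person left, or was not selected


@dataclass(frozen=True)
class Caller:
    user_id: str
    roles: FrozenSet[str]  # taken from the role/position the HR system assigns


class AccessDenied(Exception):
    """Raised for any request the role mapping does not explicitly allow."""


def lookup_unsafe(records: Dict[str, EmployeeRecord], record_id: str) -> EmployeeRecord:
    """Vulnerable pattern: whoever can reach the API gets any record in full.
    This is what an integration or low-code app often does behind one shared
    API key, and it is why APIs and in-house apps need reviewing."""
    return records[record_id]


def lookup(records: Dict[str, EmployeeRecord], caller: Caller, record_id: str) -> Dict[str, object]:
    """Hardened lookup: deny by default, then return only the fields the
    caller's roles (or self-access to their own record) permit."""
    allowed = set(SELF_FIELDS) if record_id == caller.user_id else set()
    for role in caller.roles:
        allowed |= ROLE_FIELDS.get(role, frozenset())
    if not allowed:
        raise AccessDenied(f"{caller.user_id} may not read {record_id}")
    record = records.get(record_id)
    if record is None:
        # Same error as a denial, so a caller cannot probe which ids exist.
        raise AccessDenied(f"{caller.user_id} may not read {record_id}")
    return {name: getattr(record, name) for name in sorted(allowed)}


def due_for_deletion(records: Dict[str, EmployeeRecord], today: date) -> List[str]:
    """Ids whose retention period for their current status has expired.
    Current employees have no period and are never flagged."""
    due = []
    for rec in records.values():
        period = RETENTION.get(rec.status)
        if period is not None and rec.status_changed is not None \
                and rec.status_changed + period <= today:
            due.append(rec.employee_id)
    return sorted(due)


# Constructed sample data for the example; the identifiers are not real.
SAMPLE_RECORDS: Dict[str, EmployeeRecord] = {
    "e100": EmployeeRecord("e100", "Asha Rao", "Analyst", date(2019, 3, 4), 95000,
                           "123 456 789", "062-000 1234567", "current", None),
    "e200": EmployeeRecord("e200", "Ben Ng", "Engineer", date(2010, 1, 12), 120000,
                           "987 654 321", "062-000 7654321", "former", date(2015, 6, 30)),
    "a300": EmployeeRecord("a300", "Cara Lee", "Applicant", None, None, None, None,
                           "applicant_unsuccessful", date(2022, 9, 1)),
}
AUDIT_DATE = date(2022, 11, 1)  # the "today" used for the retention sweep


if __name__ == "__main__":
    print("unsafe:", lookup_unsafe(SAMPLE_RECORDS, "e100"))
    print("payroll:", lookup(SAMPLE_RECORDS, Caller("u1", frozenset({"payroll"})), "e100"))
    # Same person after a role change: the payroll fields disappear.
    print("after move:", lookup(SAMPLE_RECORDS, Caller("u1", frozenset({"line_manager"})), "e100"))
    print("self:", lookup(SAMPLE_RECORDS, Caller("e100", frozenset()), "e100"))
    print("due for deletion on", AUDIT_DATE, ":", due_for_deletion(SAMPLE_RECORDS, AUDIT_DATE))
```

Run it as a script and compare the `unsafe` line with the `payroll` and `after move` lines: the same record comes back in full, then trimmed to the payroll fields, then trimmed again once the caller's role changes, with nothing about the person hard-coded. The retention sweep flags only the former employee on the audit date; the unsuccessful applicant is still inside the 180-day period.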

Thankfully, the Federal Government is also treating data security as a priority. This will hopefully lead to revisions of the current requirement to hold actual copies of employee identification data in order to satisfy accreditation standards. As this may take some time, check your accreditation obligations before changing any of your employee data collection and storage methods, so you don’t remove something you are still required to keep.


In addition to damaging employee trust and your organisation’s reputation, financial penalties can apply where you are found not to have upheld your data security obligations. These penalties are being increased, and a review is underway that is considering removing the small business exemption from the Privacy Act.


If you haven’t done so recently, it’s probably timely to communicate with your employees about the data you collect and how it’s stored, to remind them about cyber security (using strong, unique passwords, not sharing logins, and so on), and to share your cyber security policy.


I hope you’ve found this information useful as a guide to considering how you can review employee data security. Our tech teams are experts in this space, so now’s the time to engage with them to partner in a review which will help you sleep better at night, knowing your employee data is safe and sound.


Melissa
