Some of the largest data breaches in recent years involved the loss of employment records. Knowing the type of data that a human resource department collects, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data security programs. The process of answering these questions is often referred to as a “data inventory,” and can be an instrumental component in preventing a data breach.

Although the questions that a data inventory tries to solve are relatively straightforward, the process of conducting a data inventory can be daunting depending upon the size and structure of an organization. In addition, it is important to remember that data constantly changes within an organization. As a result, organizations must consider how often to invest the time to conduct an inventory and, once invested, how long the information will be useful. Many organizations find the process of conducting an enterprise-wide data inventory overwhelming. Often conducting a more limited exercise to catalog just human resource-related data can be more manageable; can lead to immediate results; and can work out a manageable process for conducting data inventories of other departments in the future.

What you should think about when deciding whether to conduct a data inventory of your human resource records:

1. How many human resource departments does your organization have? In other words, is human resource a centralized function in one office, or a decentralized function spread across multiple subsidiaries, in multiple locations?

2. If you have more than one human resource department, are they all using similar forms, templates, computer software, vendors, and systems?

3. In addition to Human Resources, what departments within your organization are most likely to have human resource-related data?

4. Who within each non-HR department would you need to speak with to find out what (if any) HR data they maintain?

5. Is it more efficient to send the relevant people a questionnaire or to speak with them directly?

6. What is the best way to receive information from each person in the organization that collects HR data so that the information provided can be organized and sorted with information received from others?

7. How much time will it take to complete the data inventory?

Consider including the following information in your human resource-related data inventory:

1. The types of sensitive data that are collected about employees (e.g., SSN, Driver’s License Numbers, direct deposit, health information, demographic information, information about dependents, background and credit checks, work history, performance reviews, etc.)

2. Where is each data element physically housed (e.g., the building or location)?

3. Where is each data element logically housed (e.g., the electronic location within a server)?

4. Is encryption applied to the data in transit (i.e., when it is moving)? If it is, what encryption standard is being used?

5. Is encryption applied to the data at rest (i.e., when it is being stored)? If it is, what encryption standard is being used?

6. The custodian of the data (i.e., who is responsible for it).

7. Who has access within the organization to the data?

8. Who has access outside of the organization to the data? This might include service providers such as payroll processors, accountants, or financial institutions.

9. Whether the data crosses national boundaries.

10. The retention schedule (if any) applied to the data.

[1] Nymity, Privacy Management Program Benchmarking and Accountability Report, (2015), https://www.nymity.com/data-privacy-resources/data-privacy-research/privacy-management-benchmarking-report.aspx. 
[2] Id.
[3] Id.
[4] Id.
[5] Ellen Nakashima, “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say,” Washington Post (July 9, 2015).