In my line of work, it is often a requirement to provide our customers with background information on the employees who will be performing on-site professional services. This is not in itself an issue, but how the customer receives and handles that information can be. Tripwire best practice is for HR to provide an attestation of all requested background checks to our clients rather than providing detailed background reports or having the client run a background check on our employees. This allows us to meet our clients' background check requirements while protecting our employees' Personally Identifiable Information (PII) and privacy.
Security vs Convenience: The PII Debate
Recently, I worked with a client that requested numerous checks, including a full background, for an employee. Again, not a problem, but the amount of information and how they wished to receive the information were cause for concern. Not only did they require that we attest to each check completed in the background, but they also required the employee to provide most of the PII required to run a background check along with a full detailed report of the background results (from which we redacted as much PII as possible). Additionally, this client insisted that the information be sent to a blind email box (i.e. email@example.com). The HR team sent the client an email with a link to securely download the file, which they declined to open. Because the client had a policy against clicking on an external link to our secure file share, HR sent a password-protected PDF to the customer with the password communicated separately.
During the back and forth of attempting to provide PII in a secure fashion, we learned that the blind mailbox was not the final destination; instead, it was being forwarded to a third party that provides security services for the client's facilities.
Mission accomplished, but how many folks would think to add password protection instead of just sending it in clear text, redacting PII from the detailed report, and asking for details on how the information would be used?
How Companies Should Handle PII
Companies that request PII should have a policy for securely handling such information and be transparent with their vendors. If a third party reviews that information, then a policy disclosure from that third party should also be included. Both of these requirements are part of the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR).
Companies should also consider whether they are requesting more information than is truly necessary. Information that is nice to have is not the same as information that is required, and managing detailed information and PII can carry more risk for the company than collecting only the basic information it needs. In most cases, requiring anything beyond an attestation seems unnecessary. When I spoke with Theresa, a member of our HR team, about the topic, she commented, "a critical part of the HR function is to ensure the security of our employees' personal information. Regardless of who is requesting data, whether it is an internal department or a client, we should be confirming the business need and limiting the information provided to only what is necessary in order to ensure our employees' privacy."
If the company wishes to receive the information electronically, then it should provide a secure upload site to which that information is delivered, and further protect it by generating a unique code that is required to download the information. That code is then communicated to the requestor separately, over a different channel. The company can also choose to accept the information from the vendor-supplied transfer site.
These are just a couple of ways to better handle PII transactions. If you’d like to learn more about the subject, please read this article on the Federal Trade Commission’s website: https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business.