Dated HR practices could threaten privacy of applicants — security expert

Human resources (HR) departments should take better care of the personal information that passes through their hands during the hiring process, a data security expert said.

Sensitive documents, such as the resumes of rejected applicants, should be shredded and anonymized by hiring managers instead of being used as scratch paper, said Ernest Richard Ocson of Cosaint Consulting, a company that offers governance, risk, and compliance services.

“The data is still theirs,” he said. “We process their documents, but the data is still theirs.”

HR practices that also need to be reevaluated include selling old documents, such as manuals, for recycling, as well as processing a job applicant’s resume without their explicit consent. Neither aligns with the Data Privacy Act, Mr. Ocson said in a Jan. 13 webinar organized by the Learning Innovation Hub PH.

The Data Privacy Act (DPA) of 2012, or Republic Act 10173, assures the “free flow of information to promote innovation and growth” while protecting an individual’s rights to privacy.

“Integrity is ensuring data privacy is kept throughout the life cycle of that data,” said Mr. Ocson, who also advised verifying a requester’s identity before disclosing any information.

If the HR department gets a call from someone supposedly doing background checks on an employee applying for a bank loan, whoever accepts the call shouldn’t “blindly disclose information,” said Mr. Ocson.

“We need to verify the identity of the person calling first,” he added. “If we don’t verify, then we already violated that employee’s rights.”

Coordination is likewise necessary between HR and the information technology department as the company submits its annual security incident report to the National Privacy Commission (NPC).

The definition of a security incident is relatively broad, Mr. Ocson said. A security breach can mean anything from sending documents to the wrong person, opening files that should not have been opened, or visiting links that should not have been visited, to losing access to corporate resources or misplacing identification cards.

Not every company will need to register their data processing systems in compliance with NPC Circular 17-01, Mr. Ocson added. Every company that processes personal information, however, will need to comply with the DPA.

(Per NPC Circular 17-01, an organization that employs fewer than 250 persons is not required to register, unless “the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive personal information of at least 1,000 individuals.”)

“Data privacy compliance at the organizational level has business value,” Mr. Ocson said. “The other risks for not complying — apart from penalties and fines — are employee disengagement, operational disruptions, and reputational damage.” — Patricia B. Mirasol
