University-wide Navigation
CAREERS

HR data privacy and confidentiality

Personal information definitions

The Personal Information Security & Breach Investigation Procedures & Practices Act, also known as Kentucky's Cyber Secruity bill, is a data privacy bill that includes data-security requirements.

Personal information is defined as an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:

  • Name - First and last; first initial and last name
  • Personal Mark - Initials; signature
  • Biometric/genetic information - Fingerprint; picture
  • Social Security number/number issued by U.S. government
  • Driver's license/state ID
  • Passport
  • Person ID/personnel number/number issued by organization
  • Identifiable information defined by HIPAA or FERPA

Other less commonly seen elements in HR that in combination with name, personal mark or biometric/genetic information combinations would be considered personal information are:

  • An account number, credit card number or debit card number that, in combination with any required security code, access code or password, would permit access to an account;
  • A taxpayer identification number that incorporates a Social Security number.

How to report a data incident

  • In the event of a known or suspected data incident, act quickly and follow all applicable steps
    • Report it to your supervisor or manager the moment it’s discovered/suspected,
    • Email details to cybersecurity@uky.edu,
    • For information containing personal health information or incidents originating from HR Benefits, contact Corporate Compliance at (859) 323-8002.
    • Preserve information for security response team.
  • Data incidents should be reported by both parties involved
    • Person responsible.
    • Person(s) who discovered/suspected the incident.

HR data standards

As individuals working in Human Resources, we are trusted with valuable and sensitive personal information for individuals across the entire organization. One of our duties to these individuals, their data and the university is to be good data stewards to limit unnecessary exposure and potential misuse of private data.

HR data can be provided to individuals with a business need, for their respective areas, at the following levels with examples provided:

Level 1 – Basic HR data
 

  • Basic employee information – name, person ID, linkblue, email address, employment dates
  • Position/organization information – position, college/area, department, work address, position dates, SOC code, EEO code, supervisor data
  • Basic payroll data - Exempt/non-exempt status, bi-weekly or monthly pay 

Level 2 – Detailed HR data (approval required)
 

  • Detailed payroll data - salary, grade
  • Employee demographics - gender, ethnicity, race, military/veteran status

Restricted data (as a rule not provided)
 

  • Home address
  • Social Security number
  • Beneficiaries
  • Action reason
  • Date of birth with year

Protocols for all HR employees
 

  • Password- or code-protect all devices used to access personal information
  • Lock all devices when stepping away or set an auto lock
  • Turn papers containing personal information over when leaving their workspace
  • Password-protect files containing personal information even when located on a shared drive
    • Send password in a separate email from the data/file
  • Do not send unnecessary personal information
    • Don’t include Person IDs on training rosters, sign-in sheets or other printed materials
    • Never include Social Security number unless absolutely necessary and only to the required individual after justification and appropriate approval has been obtained
  • Dispose of paper materials with personal information in locked blue recycle bins or another secure alternative, if off site
    • Regularly empty recycle bins
  • Do not leave voicemails with personal information
  • Do not log another person in using your login
  • Use a cover sheet when faxing items with personal information

Protocols for all HR managers and directors
 

  • Conduct a quarterly review of people who have access to personal information in your area. This includes:
    • Shared drives
    • Distribution lists/listservs
    • Systems
    • Programs
    • Teams channels
  • Ensure team members complete annual data security trainings. This includes the HR Data Privacy and Confidentiality training as well as CYB 101 Cybersecurity Awareness Foundations and CYB 401 Protecting Protected Health Information (PHI) & Personal Identifiable Information (PII).
Useful links

Your responsibility

  • Protect sensitive and/or confidential information in any form.
  • Follow process for any known or suspected data incidents immediately.
  • Follow division-wide data confidentiality, privacy and security protocols.
  • Follow UK policies, procedures, and other privacy and security requirements.
  • Complete the following annually:
  • Report suspected phishing emails using the Report Message feature in Outlook. 

HUMAN RESOURCES

Jobs
Policies and Procedures
myUK Online Guide
UK HealthCare Enterprise Learning
Records
Forms
Unemployment

CONTACT US

Main Office
106 Bosworth Hall
631 S. Limestone
Lexington, KY 40506-0652
Phone: (859) 257-9555
Fax: (859) 323-8512
hr@uky.edu

All locations
Directory

Campus Map
University of Kentucky Homepage A link to return to the University of Kentucky Homepage
An Equal Opportunity University
Accreditation
Directory
Email
Privacy Policy
Accessibility
Disclosures
© University of Kentucky
Lexington, Kentucky 40506