HR data privacy and confidentiality
Personal information definitions
The Personal Information Security & Breach Investigation Procedures & Practices Act, also known as Kentucky's Cyber Security bill, is a data privacy law that includes data-security requirements.
Personal information is defined as one of the following identifiers:
- Name - first and last, or first initial and last name
- Personal mark - initials; signature
- Biometric/genetic information - fingerprint; picture
in combination with one or more of the following data elements:
- Social Security number or other number issued by the U.S. government
- Driver's license or state ID number
- Passport number
- Person ID/personnel number or other number issued by the organization
- Identifiable information as defined by HIPAA or FERPA
Other data elements, less commonly seen in HR, that in combination with a name, personal mark or biometric/genetic identifier would also be considered personal information:
- An account number, credit card number or debit card number that, in combination with any required security code, access code or password, would permit access to an account;
- A taxpayer identification number that incorporates a Social Security number.
How to report a data incident
In the event of a known or suspected data incident, act quickly and follow all applicable steps:
- Report it to your supervisor or manager the moment it is discovered or suspected.
- Email details to cybersecurity@uky.edu.
- For information containing personal health information, or incidents originating from HR Benefits, contact Corporate Compliance at (859) 323-8002.
- Preserve information for the security response team.
Data incidents should be reported by both parties involved:
- The person responsible.
- The person(s) who discovered or suspected the incident.
HR data standards
As individuals working in Human Resources, we are trusted with valuable and sensitive personal information for individuals across the entire organization. One of our duties to these individuals, their data and the university is to be good data stewards to limit unnecessary exposure and potential misuse of private data.
HR data may be provided to individuals with a business need for their respective areas at the following levels (examples given for each):
Level 1 – Basic HR data
- Basic employee information – name, person ID, linkblue, email address, employment dates
- Position/organization information – position, college/area, department, work address, position dates, SOC code, EEO code, supervisor data
- Basic payroll data - Exempt/non-exempt status, bi-weekly or monthly pay
Level 2 – Detailed HR data (approval required)
- Detailed payroll data - salary, grade
- Employee demographics - gender, ethnicity, race, military/veteran status
Restricted data (as a rule not provided)
- Home address
- Social Security number
- Beneficiaries
- Action reason
- Date of birth with year
Protocols for all HR employees
- Password- or code-protect all devices used to access personal information
- Lock all devices when stepping away or set an auto lock
- Turn papers containing personal information face down when leaving your workspace
- Password-protect files containing personal information even when located on a shared drive
- Send password in a separate email from the data/file
- Do not send unnecessary personal information
- Don’t include Person IDs on training rosters, sign-in sheets or other printed materials
- Never include Social Security number unless absolutely necessary and only to the required individual after justification and appropriate approval has been obtained
- Dispose of paper materials with personal information in locked blue recycle bins or, if off site, another secure alternative
- Regularly empty recycle bins
- Do not leave voicemails with personal information
- Do not log another person in using your login
- Use a cover sheet when faxing items with personal information
Protocols for all HR managers and directors
- Conduct a quarterly review of people who have access to personal information in your area. This includes:
  - Shared drives
  - Distribution lists/listservs
  - Systems
  - Programs
  - Teams channels
- Ensure team members complete annual data security trainings. This includes the HR Data Privacy and Confidentiality training as well as CYB 101 Cybersecurity Awareness Foundations and CYB 401 Protecting Protected Health Information (PHI) & Personal Identifiable Information (PII).
Your responsibility
- Protect sensitive and/or confidential information in any form.
- Follow process for any known or suspected data incidents immediately.
- Follow division-wide data confidentiality, privacy and security protocols.
- Follow UK policies, procedures, and other privacy and security requirements.
- Complete the following annually:
  - Complete HR Data Privacy and Confidentiality training.
  - Sign and return HR's Professional Standards: Sensitive and/or Confidential Information Agreement.
  - Complete cyber security trainings:
    - CYB 101 Cybersecurity Awareness Foundations and
    - CYB 401 Protecting Protected Health Information (PHI) & Personal Identifiable Information (PII).
- Report suspected phishing emails using the Report Message feature in Outlook.