HR data privacy and confidentiality
Personal information definitions
Kentucky House Bill 5, the Personal Information Security & Breach Investigation Procedures & Practices Act, is a data privacy bill that includes data-security requirements.
Personal information is defined as "an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:
- Name - First and last; first initial and last name
- Personal Mark - Initials; signature
- Biometric/genetic information - Fingerprint; picture
- Social security number / Number issued by US Government
- Driver's License / State ID
- Passport
- Person ID / Number issued by organization
- Identifiable information defined by HIPAA or FERPA
Other less commonly seen elements in HR that in combination with name, personal mark or biometric/genetic information combinations would be considered personal information are:
- An account number, credit card number or debit card number that, in combination with any required security code, access code or password, would permit access to an account;
- A taxpayer identification number that incorporates a Social Security number;
- Individual identification number issued by an agency
How to report a data incident
- In the event of a known or suspected data incident, act quickly and follow all applicable steps
- Report it to your supervisor or manager the moment it’s discovered/suspected,
- Email details to cybersecurity@uky.edu,
- For information containing personal health information or incidents originating from HR Benefits, contact Corporate Compliance at (859) 323-8002.
- Preserve information for security response team.
- Data incidents should be reported by both parties involved
- Person responsible.
- Person(s) who discovered/suspected the incident.
HR data standards
As individuals working in Human Resources, we are trusted with valuable and sensitive personal information for individuals across the entire organization. One of our duties to these individuals, their data and the university is to be good data stewards to limit unnecessary exposure and potential misuse of private data.
HR data access will be granted for individuals with a business need at the following levels:
Level 1 – Basic HR data
- Basic employee information – name, person ID, linkblue, email address, employment dates
- Position/organization information – position, college/area, department, work address, position dates, SOC code, EEO code, supervisor data
- Basic payroll data - Exempt/non-exempt status, bi-weekly or monthly pay
Level 2 – Detailed HR data (approval required)
- Detailed payroll data - salary, work hours, grade
- Employee demographics - gender, ethnicity, race, military/veteran status
Restricted information (as a rule not provided)
- Home address
- Social Security number
- Beneficiaries
- Action reason
- Date of birth with year
- Visa data
- Country of origin
Protocols for all HR employees
- Password- or code-protect all devices used to access personal information
- Lock all devices when stepping away or set an auto lock
- Turn papers containing personal information over when leaving their workspace
- Password-protect files containing personal information even when located on a shared drive
- Send password in a separate email from the data/file
- Do not send unnecessary personal information
- Don’t include Person IDs on training rosters, sign-in sheets or other printed materials
- Never include Social Security number unless absolutely necessary and only to the required individual
- Dispose of paper materials with personal information in locked blue recycle bins or another secure alternative, if off site
- Regularly empty recycle bins
- Do not leave voicemails with personal information
- Do not log another person in using your login
- Use a cover sheet when faxing items with personal information
Protocols for all HR managers and directors
- Conduct a quarterly review of people who have access to personal information in your area. This includes:
- Shared drives
- Distribution lists/listservs
- Systems
- Programs
- Apps
- Ensure team members complete annual data security trainings. This includes the HR Data Privacy and Confidentiality training as well as online trainings. CYB 101 Cybersecurity Awareness Foundations and CYB 401 Protecting Protected Health Information (PHI) & Personal Identifiable Information (PII) are now available at myUK learning. Visit myUK and click on Employee Self Service to access myUK learning.
Useful links
Your responsibility
- Protect sensitive and/or confidential information in any form.
- Follow process for any known or suspected data incidents immediately.
- Follow division-wide data confidentiality, privacy and security protocols outlined as well as HR’s Confidentiality Standards.
- Follow UK policies, procedures, and other privacy and security requirements; follow all ARs.
- Complete HR Data Privacy and Confidentiality training annually.
- Sign and return HR Confidentiality Standards page.
- Complete cyber security trainings annually. CYB 101 Cybersecurity Awareness Foundations and CYB 401 Protecting Protected Health Information (PHI) & Personal Identifiable Information (PII) are now available at myUK learning. Visit myUK and click on Employee Self Service to access myUK learning.
- Report suspected phishing emails using the Report Message feature in Outlook.