Offboarding & Your HRMS Data: 3 Invaluable Security Tips

Once an employee is no longer employed, HRMS data associated with this employment is the forgotten, or worse, mishandled. What can you keep? What can you utilize in future? How long should you keep data? It’s an interesting conundrum, and answers will depend on the context.

Understand the Legal and Audit Requirements

Different countries have various laws about retaining employee data and in some cases, the need to archive or remove employee data. Your industry may also have additional requirements to these geographic ones. HRMS data retention best practices may also vary for different types of data, such as payroll data needing to be kept longer than health or benefits data. Fortunately, most companies have a legal department to analyze the legislation and provide the answers as a starting point.

Identify Data Retention Requirements

Identity theft can be a worry for many and an HRMS contains a whole host of sensitive data such as social security numbers and bank details which can make it a target for thieves. Once an employee is terminated, the need to access an employee’s data is reduced. It is beneficial to think about who would need to access a terminated employee’s data, and for what business purpose?

A local HR generalist may need to answer an employee’s question about transferring a 401k or cobra coverage, so will need to see the employee’s record for the first few months. A benefits or payroll department may need to access the data for the first year from termination, or payroll may need to see the data for up to seven years in the event of a tax audit. A specialized HR analytics team may have a responsibility to produce annual metrics such as turnover over the past three years, so will still need to access some of this HRMS data. Finally, a recruitment team may need to access if a former employee is suitable for rehire.

Define User Access Levels & Rules

Does anyone else have a business reason to access all of the terminated employee’s personal details, in particular for greater lengths of time, such as five years? Many companies have employees who have left 10 or more years ago in the HRMS, and full access remains to the employee data. Such a scenario is an HRMS data security risk as well as a source for mistakes or confusion, if HR professionals need to sift out old data to get to the current employees. Best practice suggests to set some guidelines and use security access levels in the HRMS to hide old data from most users as time goes on.