1
00:00:00,005 --> 00:00:02,001
- [Narrator] During the course of employment,

2
00:00:02,001 --> 00:00:05,004
organizations gather all kinds of sensitive information

3
00:00:05,004 --> 00:00:07,001
about their employees.

4
00:00:07,001 --> 00:00:09,008
Much of this information employees would normally

5
00:00:09,008 --> 00:00:11,008
prefer to be kept private.

6
00:00:11,008 --> 00:00:13,001
This includes the results

7
00:00:13,001 --> 00:00:15,006
of preemployment background checks, credit checks

8
00:00:15,006 --> 00:00:17,003
and other screenings,

9
00:00:17,003 --> 00:00:20,002
Social Security numbers collected for tax purposes,

10
00:00:20,002 --> 00:00:23,003
salary and other payroll information,

11
00:00:23,003 --> 00:00:25,004
health information and information

12
00:00:25,004 --> 00:00:27,007
about other types of employee benefits,

13
00:00:27,007 --> 00:00:29,004
and a large number of other pieces

14
00:00:29,004 --> 00:00:33,000
of sensitive information that the organization collects.

15
00:00:33,000 --> 00:00:36,008
Employers have both a legal and ethical responsibility

16
00:00:36,008 --> 00:00:39,007
to protect employee information from prying eyes

17
00:00:39,007 --> 00:00:43,006
and ensure that it is not lost or stolen.

18
00:00:43,006 --> 00:00:45,006
Employees trust their employers

19
00:00:45,006 --> 00:00:47,005
to preserve their privacy,

20
00:00:47,005 --> 00:00:49,006
and there are many ways that the organization

21
00:00:49,006 --> 00:00:52,001
can meet this responsibility.

22
00:00:52,001 --> 00:00:54,009
First is the principle of minimization.

23
00:00:54,009 --> 00:00:57,006
Organizations should collect only the information

24
00:00:57,006 --> 00:01:00,008
that they need in the legitimate course of employment,

25
00:01:00,008 --> 00:01:02,006
and they should store that information

26
00:01:02,006 --> 00:01:04,009
only as long as it remains necessary

27
00:01:04,009 --> 00:01:07,002
for a valid business reason.

28
00:01:07,002 --> 00:01:10,000
Second, organizations should limit access

29
00:01:10,000 --> 00:01:11,008
to sensitive information to those

30
00:01:11,008 --> 00:01:13,008
with a valid need to know.

31
00:01:13,008 --> 00:01:15,008
For example, an organization

32
00:01:15,008 --> 00:01:17,005
requires Social Security numbers

33
00:01:17,005 --> 00:01:19,007
for tax reporting purposes.

34
00:01:19,007 --> 00:01:21,008
Only employees directly involved

35
00:01:21,008 --> 00:01:23,008
in the tax reporting process

36
00:01:23,008 --> 00:01:26,005
should have access to those SSNs.

37
00:01:26,005 --> 00:01:28,007
Even then, access should be limited

38
00:01:28,007 --> 00:01:31,007
to the smallest number of employees possible.

39
00:01:31,007 --> 00:01:34,004
Finally, organizations should use encryption

40
00:01:34,004 --> 00:01:37,000
and data masking whenever possible.

41
00:01:37,000 --> 00:01:38,005
Encrypting records prevents them

42
00:01:38,005 --> 00:01:41,002
from being accessed outside of normal channels,

43
00:01:41,002 --> 00:01:43,006
such as when a laptop is lost or stolen

44
00:01:43,006 --> 00:01:46,001
or someone gains direct access to a database,

45
00:01:46,001 --> 00:01:49,001
bypassing the normal application channels.

46
00:01:49,001 --> 00:01:51,008
Masking data allows it to be used

47
00:01:51,008 --> 00:01:53,006
for identification purposes

48
00:01:53,006 --> 00:01:56,003
without exposing sensitive records.

49
00:01:56,003 --> 00:01:59,001
For example, an organization can replace

50
00:01:59,001 --> 00:02:02,000
the first five digits of a Social Security number

51
00:02:02,000 --> 00:02:04,003
with Xs in their records.

52
00:02:04,003 --> 00:02:06,003
The last four digits can still be used

53
00:02:06,003 --> 00:02:08,004
to distinguish one employee from another

54
00:02:08,004 --> 00:02:09,008
with the same name.

55
00:02:09,008 --> 00:02:11,007
But it doesn't expose the employee

56
00:02:11,007 --> 00:02:13,008
to significant identity theft risk

57
00:02:13,008 --> 00:02:16,007
if those last four digits are exposed.

58
00:02:16,007 --> 00:02:19,002
All of these techniques help an organization

59
00:02:19,002 --> 00:02:22,004
protect the privacy and security of their employees.