HR data are typically confidential and sensitive. Consequently, a key concern with HRIS is the potential for the invasion (and abuse) of employee privacy by both authorised and unauthorised personnel. It is important for ensuring employee and management confidence in a HRIS to thoroughly explore questions about user access, data accuracy, data disclosure, employee rights of inspection and security. Failure to do so may result in ethical, legal and employee relations problems of a magnitude which could destroy the credibility of the system. ‘Establishing security and end user privileges’, says O’Connell, ‘calls for a balance of incorporating HR policy, system knowledge and day to day operations.’
The HRIS security checklist is:
- Review all PC-based HR applications.
- Verify that all users are properly trained in the secure use and handling of equipment, data and software.
- Ensure that all users sign-off (log-off) before they leave the PC unattended, regardless of how long they intend to be away.
- Caution users not to give or share their password with anyone. Each user should be accountable for everything done with his or her ID and password.
- Recommend a change of password on a monthly or quarterly basis.
- Caution users against duplicating not only copyrighted programs purchased from vendors but also programs and data that are proprietary to the company. Copies should be made only to provide necessary backup.
- Ensure that all software acquired from sources other than vendors are run through a virus detection program prior to installing on your system.
- Consider the feasibility of separating the duties of the users (ie. assigning the tasks of inputting data, balancing control totals, etc. to different people) to achieve and maintain confidentiality. Keep in mind, the separation of some duties may cause users to lose the continuity of the entire task. Look at the whole function and how it relates to others in the department before separating duties.
- Review who will use the PCs and where their equipment will be located.
- Ensure that current and backup copies, data files, software, and printouts are properly controlled so that only authorised users can obtain them.
- Conduct reviews, scheduled and unscheduled, to ensure that an effective level of security is being maintained by PC users. Staff members who use PCs in their work must be responsible for ensuring that practices and administrative procedures adhere to security.