Secure Archiving and Disposal of HR Records

Today, human resource departments collect, use, and disclose employee personal data for many different reasons through different channels. Organizations have a wealth of personal data that needs to be securely stored and managed while consistently adhering to compliance laws.

The Personal Data Protection Commission (PDPC) in Singapore enforces the Personal Data Protection Act (PDPA) and investigates data breaches. A data breach is any action, whether deliberate or accidental, that exposes personal data in an organization's possession through unauthorized access, collection, use, disclosure, copying, modification, or disposal. This applies equally to data held on paper and on electronic storage media.

While awareness of secure digital storage is increasing, the governance around archiving and disposing of personal records is often overlooked.

Identifying Personal Data

Under the PDPA, personal data is any data about an individual who can be identified from that data, either on its own or together with other information the organization has. In HR records this typically includes:

  • Full name
  • NRIC, foreign identification number, passport number
  • Photograph or video of the employee
  • Contact telephone numbers
  • Personal email address
  • Thumbprint, Biometric data
  • Residential address

When some or all of this information appears in personnel records, whether paper or electronic, the storage, retention, and disposal of those records must follow the PDPA's requirements for prospective, current, and former employees.

These records may include:

  • Resumés
  • Employee contracts
  • Job descriptions
  • Leave records
  • Training and development records
  • Appraisals
  • Transfers and promotions
  • Redundancy
  • Medical records
  • Tax and payroll records
  • Employee benefits
  • Grievances and disputes
  • Health and safety incidents
  • Termination, resignation, exiting records
  • Reports, analysis, and communication related to an individual that includes personal data

Once data has exceeded its retention period, it is neither realistic nor practical for an organization to keep spending effort on strictly securing data it no longer needs.

The PDPA's retention limitation obligation reflects this: an organization must stop retaining personal data once it no longer serves the purpose for which it was collected and is no longer needed for any legal or business purpose. Every extra month that personal data is kept is another month in which it can be breached, which is why disposal of HR records is regulated rather than left to convenience.

So, what happens once personal data fulfills its retention period? 

How does HR handle disposal and destruction to ensure there is no risk of a data breach?

Neutralizing Risks

It is critical to understand how to navigate the legal requirements for the correct disposal of personal data. HR should be able to identify the records that should no longer be kept and then follow a defined process to cease retaining them. This means complete destruction, secure disposal, returning the information to the employee, or redacting all identifying information.

When anonymizing records by redaction, note that removing the obvious identifiers (name, NRIC, address) is not always enough: the fields that remain, such as job title, department, start and end dates, or salary band, can still identify an individual when combined with other data the organization or a third party holds. Redaction therefore requires careful consideration of what is left behind and additional steps to separate any related records that could be linked back to the person.

Physical Destruction

Traditionally, paper records were destroyed by tearing them up and throwing them in the bin. This does not, however, destroy the personal data, because torn pages can be reassembled and the information read.

Proper disposal means shredding or cutting the paper into pieces small enough that reconstruction is impractical. Pulping and incineration are also used by large organizations, although these methods may be restricted in Singapore.

Shredding is effective provided the shredder is a cross-cut or micro-cut model; the long strips produced by a strip-cut shredder can be pieced back together. Shredding machines must be regularly maintained and cleaned so they are always available and ready for use, otherwise records marked for destruction tend to pile up waiting for them.

Finally, any media containing information should never be left lying around in an unsecured or unsupervised area, even when they are marked for destruction.

Electronic Disposal

Deleting a file, emptying the PC's recycle bin, or reformatting a hard drive is not a sufficient disposal process. Deletion only removes the filesystem's reference to the data; the underlying blocks remain on the disk until they happen to be reused, and both commercial and free forensic tools can recover them.

To properly dispose of electronic media, the organization should implement at least one of the following processes:

  • Use dedicated software that overwrites every sector of the storage media. This is reliable for conventional magnetic hard disks. On SSDs and other flash storage, wear-levelling and spare capacity mean an overwrite may never touch the cells holding the old data, so use the drive's built-in secure-erase or cryptographic-erase command instead, or fall back to physical destruction.
  • Physically destroy the media by crushing or shredding it, or use a degausser for media that records data magnetically (hard disks, tapes). Degaussing has no effect on SSDs, USB sticks, or other flash memory; those must be physically destroyed.
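The file-level overwrite the first bullet describes, as an added example that is not part of the original page or of any product it mentions. It is a small Python script written for this section: it overwrites a file in place with random data and then zeros, flushing to the device after each pass, truncates and renames it before unlinking so that neither the contents nor the original filename linger, and checks that the original bytes are gone. The function names, the three-pass count, and the payroll sample data are all assumptions made for the example; the sample NRIC and name are constructed placeholders. The caveat in the lead-in above applies in full: this works for in-place writes on a magnetic disk and does nothing for copies held elsewhere (backups, temp files, email attachments), for copy-on-write or journaling filesystems that write new blocks instead of reusing old ones, or for SSDs, where whole-device secure erase or physical destruction is the only dependable option.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB chunks so large files are not loaded into memory


def overwrite_in_place(path: str, passes: int = 2) -> int:
    """Overwrite every allocated byte of the file, keeping its size.

    All passes but the last write random bytes; the last pass writes zeros.
    Each pass is flushed and fsync'ed so the bytes reach the device before
    the next pass starts. Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            last = p == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(bytes(n) if last else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def unlink_without_trace(path: str) -> None:
    """Truncate, rename to a random name, then delete.

    Truncation releases the blocks only after they have been overwritten, and
    the rename stops the original filename (which can itself be personal data,
    e.g. "lim_medical_report.pdf") from lingering in the directory's free space.
    """
    with open(path, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)


def demo() -> dict:
    """Constructed sample: a fake payroll export is overwritten and removed."""
    # Placeholder record (assumed for this example; not a real NRIC or person).
    sample = b"NRIC,S0000000X,Tan Ah Kow,Block 12 Example Ave,salary=5200\n" * 200
    fd, path = tempfile.mkstemp(prefix="payroll_export_", suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)

    size = overwrite_in_place(path, passes=3)
    with open(path, "rb") as fh:
        after = fh.read()
    result = {
        "bytes_overwritten": size,
        # True when the file is the same length but now contains only zeros.
        "original_bytes_gone": sample not in after and after == bytes(size),
    }
    unlink_without_trace(path)
    result["file_exists_after_unlink"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it as a script and it reports that the overwritten file no longer contains the sample record and no longer exists. Whole-disk wiping before a laptop or server leaves the organization is a different job: boot from external media and use a tool that overwrites or secure-erases the entire device, and keep a record of which asset was sanitised, how, and by whom.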

Getting Guidance with Data Retention and Disposal

The KRIS HR Document Management System (DMS) provides automated record retention, with notifications that alert HR to the actions required as personal data approaches the end of its retention period. Working with our consultants, your organization can establish good practices for secure data storage and disposal.

Find out how a Document Management System can simplify your everyday office processes.