Sue Trombley, Managing Director of Thought Leadership at Iron Mountain explains why job-hopping employees create data privacy problems for themselves and their employers.
Job hopping is the new normal. Talk to anyone in their early 30s and the chances are they will have changed jobs at least four times since leaving full-time education. This trend has implications for employees and for their employers. For job-hopping employees, it presents obvious challenges in terms of how they manage their finances, their pension plans and their working relationships with colleagues. For employers, alongside the loss of knowledge and the drain on resources to recruit and train new employees, it creates a significant yet often ignored information management challenge.
An inconvenient truth about changing jobs that few of us consider is the trail of personal information we leave behind the moment we walk out the office door on our way to new pastures. We leave behind records containing highly sensitive information such as CVs and copies of our passports, ID cards and driving licenses, we leave salary information, performance reviews, a disciplinary record and even, in some instances, details of our medical history. The law dictates that such information should be retained and securely deleted after a defined period of time. But with the average millennial worker set to have up to 16 jobs during their career, keeping track of which employer holds what information about us and until when is an impossible task.
The majority of us aren’t aware of the information our previous employers have about us and probably don’t give it a second thought. However, we do expect our personal data to be protected and managed according to legal requirements. After all, we have a right to be forgotten and should be able to trust our former employers to respect that right. Herein lies the information challenge facing HR departments and information and records managers everywhere.
An employee leaving represents a trigger event that starts a clock ticking. This requires the employer to ensure that the employment records associated with the individual employee are destroyed at a predetermined date some five, six, or more years into the future. This event-based retention and destruction of records is hard to get right. Think of the numbers of clocks that are ticking in any HR department, all set to go off at different times. Think of the complexity involved in making sure that all copies of digital and paper records are accounted for. Overlay the complexity with the increasing staff turnover and evolving data privacy rules and it’s easy to see why businesses and their HR departments in particular have a tough clean up job ahead of them once a departing employee has left the building.
Recent research from Iron Mountain has shown us that 50% of mid-market businesses (250-2500 employees) in Europe and the US are poorly placed to meet the requirements of event-based retention. They are managing their HR records with out-of-date processes which could be putting personal information at risk. The same research also shows us that a third of mid-market businesses (31%) store HR documents relating to employees longer than they are legally entitled to and a quarter (25%) are unaware of the legal requirements.
There’s no doubt that getting event-based retention right is a headache for businesses. The ‘2013-2014 Information Governance Benchmarking Survey’ by Cohasset Associates, ARMA International and AIIM revealed that 67% of organisations believe that their records and information management programme would benefit from fewer event-based retention periods. Perhaps that’s no surprise considering that HR records are just the tip of the iceberg for businesses looking to comply with retention rules – other sensitive documents such as contracts or financial records can also be affected.
Nevertheless, managing the complexity of event-based retention as more employees join the job-hopping trend is certainly something that HR departments need to master. To help, here are four different approaches for businesses to consider –and if these methods are too reliant on employees, it is possible to work with a central ‘event registry,’ which can manage and monitor retention schedules as events occur.
- Regularly review what you are holding onto
Keep track of events, such as the termination of an employee’s contract, and enter that event date into a designated record system so you can begin the retention countdown as soon as the clock starts and the employee leaves the building. Review the employee records your business has on file on a regular basis and check that you are safely destroying all the information that you no longer have the right to keep.
- Get your terminology straight
Ensure that your company-wide definitions of trigger events, and exactly what information is affected, are clear. One person’s ‘date of event,’ for example, might be different to someone else’s. This will help you and other members of the business to be aware of the information you hold and the restrictions that should be placed on that information.
- Use workflows to make record management easier
An event can be triggered by a specific point in a workflow or a business process – such as when a contract is closed or a project is completed. With the right technology or automation in place a record can be tagged as it moves through a workflow and the record can be removed from the work stream when it is no longer active.
- Convert to a fixed date rule
Review your records retention schedule and put set ‘fixed date’ rules in place for the different types of record held within the business. Enforce these rules across the whole company so that all employees, not just the HR department, have a clear guide on exactly how long they should be keeping hold of personal information.
Whatever method you chose, gaining consensus within the business and a commitment to consistent practice is key to getting event-based retention right. In the face of increased staff turnover and evolving data privacy rules, it’s high time for HR departments to ensure their processes for records management are keeping up and prepared to protect their organisations from treading on the wrong side of the law.
Iron Mountain has free resources available to help organisations address the challenge of event-based retention at ironmountain.co.uk/eventbasedrecords.