From names, addresses, birth dates, social security numbers, health information, citizenship status, and more, a staffing company is privy to a lot of sensitive data. While having this information helps make your company run smoothly, it’s imperative to stay on top of what data you have, how it’s being protected, and what plans you have in place to respond to any potential security incidents.

Effectively securing your data starts with assessing what information you have and who has access to it. Legal requirements on data security vary, but regardless of where you do business, knowing what data you have, where it is stored, and who has access to it is a great place to start.

The Federal Trade Commission breaks its advice for a sound security plan down into five key principles in its article Protecting Personal Information: A Guide for Business [1]. These principles include:

  1. Take Stock. Know what personal information you have in your files and on your computers.
  2. Scale Down. Keep only what you need for your business.
  3. Lock It. Protect the information that you keep.
  4. Pitch It. Properly dispose of information you no longer need.
  5. Plan Ahead. Create a plan to respond to security incidents.

Personal information can be in a myriad of places: computers (both in the office and in homes), file cabinets, mobile phones and devices, flash drives, etc. No assessment of personal data is complete until you check all possible places it can be stored. 

It’s also critical to look at how personal information flows through your business from when it is first collected to every way in which it is stored and used. This could include sales, payroll, customers, and more.

It’s also critical to look closely at the scope of the information you collect. Is all the information collected necessary for a legitimate business need? By limiting the amount of information you collect to only that which is necessary for your business, you reduce the risk of inadvertent exposure.

Data privacy laws generally require security measures to be in place to protect the data that’s collected. In a recent article entitled Data Privacy Challenges for Staffing Firms, the American Staffing Association (ASA) outlined some of these measures, which “may include physical security measures (such as using badges and locking computers), electronic security (such as encryption, antivirus software, firewalls, strong password protection, and an intrusion detection system), access controls (restricting the number of people with access), and security training.” [2]

With regard to the FTC’s key principle “Pitch It,” it’s important to safely destroy personal data when it’s no longer being used. This means ensuring that it cannot be read or reconstructed. This can include using software that automates the process, as well as shredding, burning or otherwise destroying physical files or means of storing the data. This includes any documents or devices held by employees who work from home.

It's also important to plan ahead and have an action plan in place should a security breach happen. The FTC advises selecting a senior team member as the lead to coordinate the response in case of a breach. It also instructs businesses to disconnect any compromised computers from the network and to take steps to mitigate any further threats. The FTC also advises: “Consider whom to notify in the event of an incident, both inside and outside your organization. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. Consult your attorney.”

The staffing industry is unique in that data protection may also involve that of your customers. ASA points out that “Clients are increasingly requesting that staffing firms sign data processing agreements if the firm’s assigned employees will handle personal data.” “Such data processing agreements may require that the staffing firm agree to handle personal data in a particular way and maintain certain technical and organizational safeguards. The agreements may also require the staffing firm to provide assistance with the client’s fulfillment of its obligations under data privacy laws, including following a data breach.”

There is a question, however, as to who the “data processor” is in each case, and thus who should sign a data processing agreement. Is it the staffing company’s employee who handles the physical aspect of processing the customer’s data? If so, he or she could be asked to sign the agreement. Will the staffing company be asked to sign a data processing agreement, as well?

According to ASA, that depends on the facts of the situation. “For example, is the assigned employee processing the client’s data entirely on the client’s premises? Is the assigned employee using only the client’s equipment to process the data? Does the staffing firm receive the client’s personal data at all?”

Essentially, if you decide to sign a data processing agreement, examine the terms closely to ensure you understand your staffing company’s responsibilities and are able to comply with the agreement.

There is no one foolproof approach to data security. However, it can be much cheaper to implement strong data security procedures than to lose the trust of your employees, temporary workers and customers. Ultimately, you may choose to turn over your data security to an outside company for peace of mind. Make sure all your security expectations are covered in a written contract that includes a provision requiring the company to notify you of any security incidents it may experience.
