|
Securely Accessed and Stored

All of the above is of little use if the information is not stored and accessed properly. Proper storage of personnel data means storing information in a secure system. Regardless of whether that system is paper-based or electronic, it needs to have the proper access controls and physical security. Properly accessed means having a system that not only has proper access controls but also has well-defined parameters or rules as to who will access personnel information, why, and for whom.

Not Transferred to Situations Without Adequate Protection

Lastly, all of the security and proper handling of personal information will come to naught if that information, once properly obtained and properly retrieved, is transferred to an area of the organization or to another organization where it will not be properly protected. Large companies often have branches in foreign countries with different laws regarding data privacy as well as different cultural norms regarding the use of personnel information. Managers in charge of protecting personnel information need to be especially aware of who the organization shares this information with and under what rules it will be used.

Now that we know how to handle personnel information, we can learn a little about some of the things we can do to make this a less painful process. Some of the tips below may seem like simple, common-sense things that organizations believe they probably already do. In reality, some of these things are done and some aren't.

1. Tell individuals why you are collecting their information and what will be done with it. Ensure there is a clear and foreseeable need for all information collected.
2. Train HR staff and anyone who may come in contact with data to ensure they follow the rules when processing sensitive information.
3. Use personal information in a secure and confidential way. If you must give it to third parties, be sure they are entitled to it.
4. Give individuals a right to access their own personnel information. This will make the system transparent and take away a lot of the fear factor involved. It will also allow corrections of gross errors.
5. Protect personnel information by ensuring file systems are locked and keys are controlled. Make sure electronic information is secure by controlling passwords and installing anti-virus software and firewalls.
7. Put an audit trail into computerized systems so you can check who has accessed a particular record or records.
|