- Provide that employees' personnel records shall be maintained in a secure location.
- Acknowledge that personnel records are confidential in nature and, therefore, access to the information in them is to be limited.
- Define what each personnel file will contain and provide that list in your policy. Employees should be able to determine what generally is in their file, even if they don't have the file.
- Provide defined periods, after an employee's separation, for retention and ultimate destruction of personnel files. These periods should be scheduled to coincide with applicable laws, which will vary from business to business.
- Be aware of where critical employee information and corporate data are located, whether electronically stored or in paper form and be able to identify who has access to them.
- Develop an acceptable use policy for all employees that outlines appropriate use of corporate assets and employee information. The policy should also outline the procedures the company will follow when a policy violation takes place.
- Consistently enforce your policies and procedures.
- Require employees who become aware of security breaches, or who suspect the potential of information being lost or misused, to notify appropriate IT, HR, and/or other management contacts immediately.
- Be able to place a "litigation hold" to preserve relevant information when litigation may reasonably be anticipated. Create a team that includes legal counsel, IT, HR, and (as appropriate) operational division personnel that will convene and organize a hold when a need is perceived.
- Identify contacts in IT and HR for employees to call with questions.
- Make sure new hires and exiting hires understand the policy and acknowledge it in writing.