Given the high prevalence of data security breaches and identity theft today, organizational leadership should be making the protection of their consumers’ and their employees’ confidential information a high priority. It is no surprise that federal contractors who are subject to OFCCP compliance reviews are employing more purposeful data protection strategies to ensure that their sensitive employee information remains secure when it is sent outside of the organization.
DCI recommends, at minimum, the following considerations when releasing data offsite:
- Remove employee names and include an employee or generic ID instead. Do not include social security numbers.
- Include a confidentiality disclaimer (e.g., “information not subject to FOIA”) when submitting information. Although items you provide are not covered under Attorney Client Work Privilege (ACWP), you should still mark them as confidential.
- Password-protect reports and zip files. Encrypt data (e.g., Excel spreadsheets) or sensitive reports (e.g., background checks, criminal history checks).
- If sending by mail, use an encrypted media device (e.g., a flash drive) and request tracking information. While submitting information to OFCCP via encrypted flash drive may be one of the safer practices we mention, there is still a possibility that these small devices could get lost or stolen along the way.
We recommend that you hold an internal discussion with your EEO and legal experts to determine which option(s) makes the most sense for your organization and to ensure all employees responsible for these communications receive the appropriate training.
By Jeff Henderson, Associate Consultant and Amanda Shapiro, Senior Consultant