Every business that hires collects and stores personal information. Resumes and identification documents, medical clearances, superannuation and bank details, licences, and reference checks: this data tells the story of the people who make your business run. Managing that People Data securely is a daily responsibility for every employer.
With a few structured, repeatable habits, and by making better use of the tools you already have, you can protect your people’s information, meet privacy requirements, and build lasting trust.
1. Identify what you collect, where it lives, and who touches it
Start with visibility. List what personal and sensitive data you gather at each stage of employment:
- Pre-hire: resumes, ID, licences, qualifications, references.
- Onboarding: tax and super forms, bank details, emergency contacts, training certificates.
- During employment: performance notes, medical clearances, leave forms, payroll data.
Next, note where this information is stored – email inboxes, shared drives, laptops, HR systems, even messaging apps – and who can access it. Many businesses find data scattered across personal folders and email attachments. Consolidate where possible and set one “source of truth” per person.
You likely already have secure storage tools: Microsoft 365 and Google Workspace both include encrypted cloud drives, multi-factor authentication (MFA), and controlled sharing options. Use these features instead of emailing documents or saving them to unsecured desktops.
When an employee leaves, treat their data like a formal project rather than an afterthought. Confirm what information must be retained for legal, tax, or safety purposes (for example, payroll, superannuation, and injury records) and what can be securely deleted, such as copies of ID, medical notes, and access credentials. Remove their access to all systems immediately, transfer ownership of any shared files, and reset shared passwords. Archive essential employment records in a restricted folder with a clear retention end date, then schedule a follow-up review (typically after seven years) to confirm deletion. This ensures compliance, prevents unauthorised access, and keeps your records lean and accurate.
2. Build trust and compliance into hiring
Transparency builds confidence. Let candidates know why you collect data, how it’s collected and used, who will see it, and when it’s deleted. A short, plain-English privacy and consent statement attached to your onboarding pack goes a long way.
Other low-cost practices include:
- Data minimisation: Only collect what’s needed for each stage. For example, don’t request a driver’s licence until the role requires driving.
- Role-based access: Give recruiting staff access to candidate data, but limit payroll or medical information to HR only.
- Audit trail: Keep a simple log (spreadsheet or system note) recording who uploaded or accessed sensitive documents.
- Breach checklist: Prepare a two-page guide on how to isolate an incident, who to notify, and what to communicate.
These steps reduce administrative risk and the human errors that often lead to data leaks.
3. Delete data methodically, not emotionally
Most breaches occur because data lingers long after it’s useful. Set clear retention rules:
- Unsuccessful candidates: keep applications and interview notes for 6–12 months, then securely delete.
- Employees: retain payroll and contractual records as legally required and remove unnecessary supporting documents.
- Referee contacts: delete once the hiring decision is final unless there’s a legal or audit need.
Add a “Delete by” date to file names (e.g., Smith_ID_DEL-2026-06) or create quarterly calendar reminders for data clean-ups. For secure destruction:
- Digital: use your system’s permanent-delete function; for devices, run a secure-erase before resale or disposal.
- Physical: use a cross-cut shredder or a certified destruction service, keeping the certificate for your records.
If you use external vendors (for payroll, screening, or training), ask how they handle data expiry and how an individual can request removal of their data.
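As an added example (not code from the original article), the script below applies the “Delete by” file-name convention described above (the DEL-YYYY-MM suffix) to a folder listing and sorts files into buckets for the quarterly clean-up; the file names are constructed samples, not real records.

```python
import re
from datetime import date

# Matches the page's "Delete by" suffix, e.g. Smith_ID_DEL-2026-06(.pdf)
DELETE_BY_RE = re.compile(r"_DEL-(\d{4})-(\d{2})(?=\.|$)")

def delete_by_month(filename):
    """Return (year, month) from a DEL-YYYY-MM tag, or None if missing/invalid."""
    m = DELETE_BY_RE.search(filename)
    if not m:
        return None
    year, month = int(m.group(1)), int(m.group(2))
    return (year, month) if 1 <= month <= 12 else None

def add_months(year, month, n):
    """(year, month) shifted forward by n months, handling year rollover."""
    idx = year * 12 + (month - 1) + n
    return idx // 12, idx % 12 + 1

def review_files(filenames, today=None):
    """Bucket files for the quarterly clean-up: 'due' (delete-by month reached or
    passed), 'upcoming' (within three months), 'untagged' (no valid date), 'retain'."""
    today = today or date.today()
    current = (today.year, today.month)
    horizon = add_months(today.year, today.month, 3)
    buckets = {"due": [], "upcoming": [], "untagged": [], "retain": []}
    for name in filenames:
        tag = delete_by_month(name)
        if tag is None:
            buckets["untagged"].append(name)
        elif tag <= current:
            buckets["due"].append(name)
        elif tag <= horizon:
            buckets["upcoming"].append(name)
        else:
            buckets["retain"].append(name)
    return buckets

# Constructed sample listing (not real records), reviewed as of 15 June 2026.
SAMPLE_FILES = [
    "Smith_ID_DEL-2026-06.pdf",       # due this month
    "Jones_Resume_DEL-2025-03.docx",  # overdue
    "Patel_Licence_DEL-2026-08.pdf",  # upcoming
    "Lee_Payroll_DEL-2032-07.xlsx",   # retain
    "Nguyen_Medical.pdf",             # untagged: needs a retention decision
    "Broken_DEL-2026-13.pdf",         # invalid month, treated as untagged
]

def demo():
    return review_files(SAMPLE_FILES, today=date(2026, 6, 15))
```

Run it against a real directory listing (for example `os.listdir`) on the calendar reminder date; untagged files are the ones to assign a retention rule to first.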
4. Treat HR data with the same rigour as financial data
Most small businesses protect their bank accounts meticulously but underestimate the sensitivity of HR information. Apply the same controls:
- Two-person approval for changes to personal or payroll details.
- Regular reviews of who can access HR folders or systems.
- Password protection for any file containing personal data.
- Vendor due diligence – ask where data is hosted and how it’s encrypted.
5. Detect fraud through smart, practical verification
As recruitment becomes more remote, identity and reference fraud are growing risks. Simple tools can help:
- Track the IP address or time zone of online referees – if a “Sydney manager” submits a reference from an overseas server at midnight, it’s worth a quick verification call.
- Prefer references from company email domains rather than free accounts.
- Keep reference links one-time use to prevent spoofing.
- Confirm referees via a company ‘contact us’, not a mobile number provided by the candidate.
- Conduct an identity check in person or, if you use a system, a digital ID check that uses a Document Verification Service combined with a biometric check.
These small steps protect both your business and genuine candidates from fraudulent behaviour.
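As an added example (not code from the original article or from WorkPro), the Python below shows how a one-time-use reference link and the “company domain” check from the list above can be implemented: each link is a random token that expires and is consumed on first use, only a hash of the token is stored, and referee addresses on free webmail domains are flagged for a verification call. The webmail domain list is a constructed starting point, not a complete one.

```python
import hashlib
import secrets
import time

# Constructed short list of free webmail domains; extend for your environment.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def is_free_mail_domain(email):
    """True when the referee address is not on a company domain."""
    return email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS

class ReferenceLinkStore:
    """Single-use, expiring reference links. Only a SHA-256 hash of each token is
    stored, so a leaked table does not yield working links."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._links = {}  # token hash -> record (candidate, referee, expiry, used)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, candidate_id, referee_email, now=None):
        """Mint a fresh random token bound to one candidate/referee pair."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._links[self._key(token)] = {
            "candidate": candidate_id,
            "referee": referee_email.lower(),  # kept for the audit trail
            "expires": now + self.ttl,
            "used": False,
        }
        return token

    def submit(self, token, now=None):
        """Validate a presented token; returns (accepted, reason). A token is
        consumed on success, so a forwarded or replayed link fails the second time."""
        now = time.time() if now is None else now
        rec = self._links.get(self._key(token))
        if rec is None:
            return False, "unknown link"
        if rec["used"]:
            return False, "link already used"
        if now > rec["expires"]:
            return False, "link expired"
        rec["used"] = True
        return True, "accepted"
```

In a real system the records would live in your HR platform’s database rather than a dictionary, and the referee address would be logged alongside the submission so the “who accessed what” audit trail from section 2 covers references too.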
6. Lessons from ISO 27001:2022 – continuous improvement, not compliance theatre
When WorkPro achieved its ISO 27001:2022 accreditation, the biggest insight wasn’t about technology – it was about rhythm. Data protection isn’t a one-off project; it’s an ongoing cycle of review and refinement.
Even without certification, SMEs can borrow this approach: once a year, review who has access to what, test your breach response plan, check vendor contracts, review your privacy policy and collection notice, and refresh your team’s awareness through training. A simple online search will help you find practical security training providers, and the company delivering your technology support may also be able to provide user security training.
Use the annual review as an opportunity to tidy, update, and strengthen. Small, consistent improvements make a business more resilient – and reinforce that protecting people’s data is as much about trust as it is about compliance.
—
Contributed by Tania Evans, Founder & CEO of WorkPro
WorkPro is an Australian workforce compliance and job-readiness platform helping businesses implement and deliver a consistent, robust, streamlined screening, onboarding and legal compliance program for their workforce.
