Depending on the employer, the role, and regulatory requirements, pre-employment medical checks and assessments may be required, including laboratory drug and alcohol screening, general medical examinations, audiograms and spirometry, and functional capacity assessments. Understandably, candidates and employees may feel uncomfortable with organisations managing this sensitive information.
In this article, we explore five ways for organisations to mitigate risk when managing health check records.
Document privacy and security policies
Put candidates and employees at the heart of your privacy and security policies by structuring them around the most commonly asked questions. For example, a candidate who has been asked to complete a drug and alcohol test may ask what the organisation will do with the data, who will have access to it, how it will be kept secure, and how long it will be kept for.
Remember, a policy is no good without compliance training for the people involved in handling the information. Privacy and security training should be included in induction training for new staff members to ensure they are aware of the privacy legislation and security protocols that apply to their role. Conduct ongoing refresher training sessions to maintain high levels of security and privacy awareness.
Privacy and security policies should be easily accessible and use plain English rather than complex language or “legalese”. They should be live documents that are regularly updated in response to regulatory changes.
Go paperless to reduce the risk of a physical security breach
Even the most sophisticated cybersecurity measures can be thwarted if a staff member thoughtlessly prints out a document and leaves it lying on their desk.
If you must keep sensitive paper documents, they should be held in a secure, controlled-access environment. The organisation should dispose of all paper-based documents using secure shredding or incineration services.
While paper document security can be managed, a paperless environment eliminates the risk of a physical breach altogether (assuming your systems have an acceptable level of security).
Best-practice software and systems security includes:
- File and database encryption at rest, meaning data is protected while it is stored rather than only while it is being transferred.
- Role-based security to ensure data is only available on a need-to-know basis.
- Firewalls, anti-virus software, login and password protection, and threat monitoring.
- Transport Layer Security (TLS, the current successor to Secure Sockets Layer, SSL) for establishing an encrypted link between a server and a client (such as a web server and a browser).
- Secure point-to-point transport mechanisms to transfer sensitive data. In other words, medical records should be sent via a secure platform rather than an insecure channel such as email.
- Rigorously updated patches/security maintenance.
- Regular, independent audits and penetration testing.
- On-shore data centres.
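The "need-to-know" and "how long will you keep it" points above can be expressed directly in code, so that the policy document and the system enforce the same rules. The following is an added example, not code from the original article and not Cited's own software: the role names, record fields, field-level policy and two-year retention period are constructed assumptions chosen to illustrate the approach, not any real organisation's rules.

```python
"""
Field-level, need-to-know access to pre-employment health check records,
plus a retention check. Added example; roles, fields and retention period
are constructed assumptions, not a real organisation's policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Which record fields each role may see. Clinical detail stays with
# occupational health; recruiters and line managers only need the outcome.
# (Assumed roles and fields, constructed for this example.)
FIELD_POLICY = {
    "occupational_health": {"candidate_id", "test_type", "collected_on",
                            "clinical_result", "outcome"},
    "recruiter": {"candidate_id", "test_type", "outcome"},
    "line_manager": {"candidate_id", "outcome"},
    # Administers the system but has no business need for record content.
    "it_admin": set(),
}

RETENTION_DAYS = 365 * 2  # assumed retention period for this example


@dataclass
class HealthCheckRecord:
    candidate_id: str
    test_type: str
    collected_on: date
    clinical_result: str   # the sensitive detail, e.g. lab panel values
    outcome: str           # "fit", "not fit", "further assessment"


@dataclass
class AuditEntry:
    user: str
    role: str
    candidate_id: str
    fields_returned: tuple
    allowed: bool


# Every access attempt, allowed or denied, is recorded. In production this
# would be an append-only store that the application cannot rewrite.
AUDIT_LOG: list = []


def view_record(user: str, role: str, record: HealthCheckRecord) -> dict:
    """Return only the fields the role is entitled to, logging the attempt."""
    allowed_fields = FIELD_POLICY.get(role)
    if not allowed_fields:
        AUDIT_LOG.append(AuditEntry(user, role, record.candidate_id, (), False))
        raise PermissionError(f"role {role!r} has no need-to-know access")
    names = tuple(sorted(allowed_fields))
    view = {name: getattr(record, name) for name in names}
    AUDIT_LOG.append(AuditEntry(user, role, record.candidate_id, names, True))
    return view


def due_for_destruction(record: HealthCheckRecord, today: date,
                        retention_days: int = RETENTION_DAYS) -> bool:
    """True once the record is older than the retention period."""
    return today > record.collected_on + timedelta(days=retention_days)


def purge_expired(records, today: date):
    """Return the records that survive the retention cut-off."""
    return [r for r in records if not due_for_destruction(r, today)]


if __name__ == "__main__":
    # Constructed sample record, not real data.
    rec = HealthCheckRecord("C-1001", "drug_and_alcohol", date(2023, 3, 1),
                            "negative panel; creatinine normal", "fit")
    print(view_record("jane", "recruiter", rec))      # outcome only, no clinical detail
    try:
        view_record("sam", "it_admin", rec)
    except PermissionError as exc:
        print("denied:", exc)
    print(due_for_destruction(rec, date(2025, 6, 1)))  # past the two-year cut-off
```

The recruiter view contains the outcome but never the clinical result, the administrator's attempt is refused and still logged, and the retention check gives a concrete answer to the candidate's question about how long the data is kept.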
While malicious cyberattacks make the headlines, keep in mind that human error is another significant cause of data breaches. Organisations can reduce this risk by conducting periodic, ongoing refresher training and by having clearly established data protocols and processes.
Supply chain privacy and security
The safety and security of a supply chain is only as strong as its weakest link. Every organisation that handles your candidates’ or employees’ data should meet your security standards.
In the case of medical checks and assessments, your supply chain will likely include medical clinics and medical labs. Work with your organisation’s procurement team to ensure only compliant suppliers are shortlisted before making a decision about a medical assessments service provider.
Outsource to a trusted partner
Visit Cited to learn about our range of pre-employment medical checks and medical assessments.