Can I use third-party HR tools that collect personal information in Pennsylvania? What are the requirements?
Using Third-Party HR Tools in Pennsylvania
If you are using third-party HR tools that collect personal information in Pennsylvania, you must comply with the state’s privacy laws. The Pennsylvania Data Breach Notification Act requires businesses to notify affected individuals in the event of a breach of personal information [1]. Additionally, the state’s breach of personal information law requires businesses to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure [1].
To comply with these laws, you should take the following precautions:
- Only collect personal information that is necessary for conducting your business.
- Encrypt sensitive information that you send to third parties over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees.
- Regularly conduct security audits to identify and address potential security problems.
- Use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit when you receive or transmit credit card information or other sensitive financial data.
- Pay particular attention to the security of your web applications—the software used to give information to visitors to your website [1].
Requirements for Using Third-Party HR Tools
When using third-party HR tools that collect personal information, you should ensure that the tools themselves meet the same Pennsylvania requirements described above: notification of affected individuals in the event of a breach of personal information, and reasonable security procedures and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure [1].
To comply with these laws, you should ensure that the third-party HR tools you use:
- Collect only the personal information that is necessary for conducting your business.
- Encrypt sensitive information that is sent over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees.
- Are regularly covered by security audits that identify and address potential security problems.
- Use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit when credit card information or other sensitive financial data is received or transmitted.
- Pay particular attention to the security of their web applications, the software used to give information to visitors to a website [1].
If you receive personal information from a third-party HR tool under an exception to the Privacy Rule, your ability to use and disclose the information is limited. The limits are discussed in Section G of the Frequently Asked Questions for the Privacy Regulation [3].
Conclusion
To use third-party HR tools that collect personal information in Pennsylvania, you must comply with the state’s privacy laws. Ensure that you only collect necessary personal information, encrypt sensitive information, conduct regular security audits, use secure connections for sensitive financial data, and pay attention to the security of your web applications. Additionally, ensure that the third-party HR tools you use comply with Pennsylvania’s privacy laws.
Source(s):
- [1] Protecting Personal Information: A Guide for Business | Federal …
- [3] FTC’s Privacy Rule and Auto Dealers: FAQs | Federal Trade …
Jurisdiction
Pennsylvania