How to handle personnel information

When considering cybersecurity in healthcare, the focus usually lies on the protection of the personal data of patients. However, as is the case for each organisation, healthcare organisations deal with a second category of data subjects, namely their staff. According to information security experts, human resources and administrative departments receive little to no attention when healthcare organisations update their security procedures and implement training sessions (, 2019).

Personnel data protection issues

According to the European Data Protection Supervisor (EDPS), there are five core issues that should be addressed (Simoncini, 2017):

  • Data quality: do not process more personal data than necessary. Only process data that is relevant to HR activities.
  • Right of information: inform staff members of their rights and for what purposes their data is processed. Information about this right should be available at all times.
  • Right of access: when requested, provide access to staff members’ (medical) files for verification and rectification purposes. Information on how to exercise this right should be available at all times.
  • Retention period: ensure data is kept according to the appropriate retention period.
  • Data security: make sure personnel data is handled by the appropriate staff members and that staff members are reminded of their confidentiality responsibilities. All staff dealing with any personal data, including administrative or financial data, should sign a confidentiality declaration.

Personnel data protection issues in the workplace

Additional issues to those stated above may exist (Van Der Sype, 2017). The following lists were found to be core aspects of personnel data handling (Kaminski, 2018; Mintern & Rayner, 2018; Rouse & Rosencrance, 2019;, 2019):

Physical access

  • A lock on the door prevents unauthorised access to personnel files
  • Storage and filing space should be locked to prevent unauthorised access
  • Access should be granted only on a need-to-know-basis, e. to those who need access in order to perform their job (HR staff, maintenance, facilities)

Digital access and devices

  • Identity and Access Management (‘IAM’) lies at the basis of roles and access rights to personnel files
  • Implement multi-factor authentication
  • Workplace owned device management
  • Bring Your Own Device policies
  • Guidelines for storing personal data on portable storage devices


  • Software updates and patches
  • Regular maintenance of hardware
  • Secure wireless communication
  • Encrypt data (both stored and ‘in motion’)


  • Information security awareness
  • Confidentiality and data sharing guidelines
  • Privacy and data protection

Cybersecurity management

  • Risk assessment
  • Cyber incident and response plan
  • Policy and guidelines development
  • Foster a cybersecurity positive culture

Further reading and resources


Kaminski, J. (2018). Nursing and Cyber Security Awareness. 13(3/4). Retrieved from

Mintern, T., & Rayner, S. (2018, March). 8 steps to GDPR compliance: A brief guide for HR functions. Retrieved 3 September 2019, from Bird & Bird website:

Rouse, M., & Rosencrance, L. (2019, May). What is Identity and Access Management? Retrieved 3 September 2019, from SearchSecurity website: (2019). Trainer interviews report. Retrieved from

Simoncini, N. (2017, January 4). Health data in the workplace. Retrieved 2 September 2019, from European Data Protection Supervisor website:

Van Der Sype, Y. S. (2017). Naar een geïntegreerde privacybescherming in de onderneming. Mechelen: Wolters Kluwer.