One of the roles of HR is to “mind the business.” We develop policies and procedures to safeguard employees in compliance with a multitude of laws. What happens, however, when the HR guards are the thieves?
HR is not supposed to be bad
In my experience, most HR people are ethical and honest. We go out of our way to watch out for the interests of the company balanced with the interests of the employees. Sometimes HR people get caught in a moral vise as a result. I have had a number of my HR students relate situations where they know their boss or the higher-ups in the organization are doing wrong. Reporting them will most likely cost the whistleblower their job. Sure, there are protections against retaliation, but not everyone is willing to fight that battle. I wrote about some of these situations in Are Your Ethics Fixed or Situational?
Sometimes HR is bad
Sometimes HR is not in the position of protecting the organization and its employees; rather, they take advantage of their position. In HR we are exposed to a great deal of information. Social Security numbers, addresses, next of kin, bank account information and more are things we keep records of on a daily basis. Certainly there are laws like HIPAA that are made to safeguard that information. The problem is that if someone is intent on stealing this information, there is not a lot that can be done other than internal safeguards. A thief in HR will find a way.
This is just what happened at the Home Depot, headquartered in Atlanta. Three HR employees, now former employees, are accused of stealing Social Security numbers, birthdates and addresses of up to 20,000 employees. Fortunately for Home Depot, one of these people shared with another employee what they were doing. That person, to their good credit, turned them in.
Procedures in place
Many companies have IT safeguards in place to check periodically what employees may be downloading, storing on other devices or emailing to a personal computer. If you do not have these in place, they need to be developed. Unfortunately, smaller companies may not have an IT department that can do that. What can you do then? Well, you can periodically search an employee’s computer. That is why you have a policy in place that allows you to search company equipment. I was once told by a Federal investigator that the most common embezzler was a 50ish woman who was the trusted advisor of the president of the company. This might be easily interpreted as the HR person in many companies. I hate to tell you that you need to be suspicious of everyone, but a healthy dose of suspicion might not hurt. Lastly, make sure you listen to the complaints of any of your employees about breaches of their personal information.
Anyone have any other suggestions?