The files safeguarded by the Human Resources department are among the most sensitive in many government agencies. HR file access is typically limited to HR and high-level administrators.  While this is the law, it is also good practice.  If this wasn’t the case, someone would almost certainly discover they had access to that data, either intentionally or by accident, and it would quickly lead to a bad situation for everyone involved.

In the IT world, this is known as the principle of least privilege.  Employees should have access to the least amount of information that is necessary to complete their jobs.  This makes it less likely that data will leak or be destroyed or altered.  While the HR team has an excellent grasp on data security, that’s not necessarily true of every team inside of a local, state or federal agency.

In many cases, employees are provided access to systems or data if they might need them during the course of their duties.  While this is sometimes a deliberate choice, it often isn’t; without sophisticated access controls in place, it can be difficult to manage differing levels of access for dozens (or hundreds) of different positions.

The problem with this is that it often provides vast amounts of access to employees. Because it’s plausible that some employees might need access to dozens of different files, databases and software during the course of their jobs, they are provided access to a huge range of data. 

There are many problems with this.  First, auditing access to all of these systems would be a huge undertaking, so it’s rarely done.  That means that data deletion or manipulation may go unnoticed for months or years.  Second, employees are given the impression that data access is widely available, so if they’re looking for a way to snoop on employees or commit fraud, they will be less likely to fear getting caught.  Finally, the opportunity is there – if employees have broad access to information systems, it doesn’t take a lot of work on their part to use them.

Of course, the principle of least privilege extends beyond technology.  In general, employees shouldn’t be provided any sensitive information that doesn’t contribute to their ability to do their jobs.  They shouldn’t have physical access to areas that aren’t relevant to their duties.  While employees shouldn’t feel ‘locked down’ every time they attempt to complete their job responsibilities, asking for access to information shouldn’t be an uncommon occurrence.  An agency’s best employees will feel better knowing that the agency is protecting sensitive information, and anyone who is considering viewing sensitive agency or employee information will face constant reminders that the agency is watching over its most valuable data.

To learn how CMTS:HR can help your agency manage HR investigations more efficiently, call us at 919-747-3812 or email us at