Slashdot Mirror
How Safe is Your Employment Application Data?
Carlos asks: "I recently returned to the U.S. after working overseas for the past 16 years. As I visit job sites and corporate sites, I'm finding two issues with applying online I hope Slashdot readers could comment on. I understand security and background checks are important to most employers. However, it seems to me that far too many online applications are asking for sensitive data, such as my social security number and driver's license number. How long is my data stored in their database? Who has access to such data? It seems that every month we hear about a company that has customer/client data stolen or mishandled. I feel that such data shouldn't be required during 'step one' (ie filling out the initial online account in the career section). I'll provide such data when I've been contacted by a staff for an interview. Do Slashdot readers simply bypass such employers, or do they just hand over their identity?"
Another point relates to the pages upon pages we have to endure with an online application. Some companies make the process smooth, for example using a form of OCR with an uploaded resume. There's nothing worse than getting to step 9 (out of 20 steps) and getting a timeout error in your browser. I hope HR people who are reading this, will take a closer look at their employment process. I'm sure some readers might say, 'They make the process hard on purpose — weeding out the lazy applicants.' I fully understand this point and I'm not looking for an easy way into a company, but filling out 20 step applications at 30 companies a day, everyday, can eat a lot of time when hunting for a position."
I'm a little paranoid, so what is this supposed to tell me? My employment application data is really safe, because it isn't here to see; or, there is nothing to see because things are so bad that my data is all over the internet and I shouldn't even bother asking how many people have applied for credit in my name?
" However, it seems to me that far too many online applications are asking for sensitive data, such as my social security number and driver's license number."
They get the SSN when you get a job. Your license number isn't really sensetive.
I would omit things like SSAN and DL. If they require these I would just skip that employer (after trying to contact them) move on to another one.
Eve Fairbanks says I drive a hybrid!LOL
My driver's license number. Every time I buy beer, or cash a check at the bank, somebody gets to see my ID anyway.
I'm not worried about employment application data, but I have been worried about the employment application itself. I mean, the IT industry is a small world, especially if you look for work within the same city. At one time I walked the last part to a company building for an interview, when I passed a current colleague of mine. I just greeted him but I could see the questionmarks in his face.
8 of 13 people found this answer helpful. Did you?
If you have 16 years of work experience, you should contact a headhunter (job agency). They should not have difficulties finding interesting positions for you. Of course some companies only hire directly. However, for all the others, a good headhunter saves you the time of going through countless web sites, only to find job descriptions that are outdated (about positions that are no longer open, even though the web page does not say that). A headhunter won't necessarily find your dream job, but an application at a headhunter costs about as much time as a real application, and can cover dozens of companies at once. This should greatly improve your odds.
Their storage goes up to eleven.
Having no current job, and thus no fuel for my car, I find no choice but to surrender my (intangible?) right to privacy in that regard. I would figure companies would try their very hardest to prevent 'leakage' but with any system, theres always the human element.
There is no XUL, only WebExtensions...
Since I organised it..... It's on a paper hardcopy with all electronic forms destroyed, in a locked cabinet behind the photocopier...
most of these are technically illegal as this information would be keys to information that is not supposed to be used in the evaluation of applications sex age race etc. Seems to me if you can't ask for someones age you really shouldn't be able to require a copy of a drivers liscence to apply!! (actually that would include age race and sex on the card)
In the last ten or fifteen years at up to a dozen different places I've only ever seen one storage system for applicants that didn't get the job: Box in the back of a storage closet.
No one knows it's there except the HR drone that hid them, and the closet is locked because it also contains said HR drones stash of candy and Garfield posters.
In fact, it's probably better protected than information people want. In those same places, sales records, customer billing info and record on current employees were treated with less security.
.sig: Now legally binding!
If this story and its' comments are to say anything, not very safe; good luck trying to get your personal data removed.
Actually I would be very wary of providing SSN, DL, DOB, or any other identifying information. It wasn't to long ago (2 months) that the FBI issued warnings about identity theives posing as hiring companies so that they could obtain your information and then use it. Be especially leary of calls/emails from supposed agencies that you did not directly apply too.
I am sure that you are doing your homework on the companies that you are applying to. But it is necessary to restate that if you are going to ask for a job, then you should know who the h3ll you are going to work for.
As for the poorly designed application processes, if they insist on data entry in these fields on their web forms, then use the old tried and true 999-99-9999 or some other such bogus info. I would stick to the 999-99-9999 type of entry to avoid being accused of fraud. I have heard rumors of court decissions that have supported the concept of this being a universal way of saying that you do not wish to divulge that yet. If they allow you to submit additional comments then state that the additional information will be provided when a contingent offer of employment is made.
With ID theft such a huge issues these days, I would expect that many companies would understand your position and will attempt to assuage your concerns. Do you really want to work there if they don't?
- Nuff said
'They make the process hard on purpose -- weeding out the lazy applicants.'
I fully appreciate this idea. Jobhunting is a two way process. I reject any company that has an annoying inflexible application process on the theory that they would be annoying inflexible companies to work for. Of course, for certain jobs, I recommend the right sort of lazy. A clever lazy person will do a job in a way that means all dependent tasks can be done in half the time.
Your license number isn't really sensetive.
I'm not sure if I agree. I think the issue here is that you can't predict who is using the license number and how, and frankly, I don't think people have become particularly creative with misusing the license number (which, in most states, if not all states, is a fixed number.)
I think this will become an issue with time. It's becoming a back up to the SSN, and since it seems to be on the same path that the SSN was on in the late 70s/early 80s, then I'm going to safely bet that in the next 10 years or so that you're going to have to end up protecting your license number in the same way you protect your SSN.
I've been working as a criminal background researcher for a company that gets hired to do pre-employment background checks. I'd describe the security protocols as being more than lax:
a.) I receive the lists of people to check over a non-encrypted HTTP connection. These lists include name, DOB and SSN. (I'll admit to making it worse by accessing this non-encrypted website over my neighbors open wi-fi connection.)
b.) The background checking company gives no instructions about how to treat the data, how to destroy the data after it's been used, etc...all of which seem de rigeur in today's world.
c.) The issues applying to a.) also apply to the government court websites used to check the data.
Background checking companies are often just run by ex HR people, and, as you can expect, many of them are not trained in security issues like this.
Actually I would be very wary of providing SSN, DL, DOB, or any other identifying information. It wasn't to long ago (2 months) that the FBI issued warnings about identity theives posing as hiring companies so that they could obtain your information and then use it. Be especially leary of calls/emails from supposed agencies that you did not directly apply too. I am sure that you are doing your homework on the companies that you are applying to. But it is necessary to restate that if you are going to ask for a job, then you should know who the h3ll you are going to work for. As for the poorly designed application processes, if they insist on data entry in these fields on their web forms, then use the old tried and true 999-99-9999 or some other such bogus info. I would stick to the 999-99-9999 type of entry to avoid being accused of fraud. I have heard rumors of court decissions that have supported the concept of this being a universal way of saying that you do not wish to divulge that yet. If they allow you to submit additional comments then state that the additional information will be provided when a contingent offer of employment is made. With ID theft such a huge issues these days, I would expect that many companies would understand your position and will attempt to assuage your concerns. Do you really want to work there if they don't? - Nuff said
My data better be really, really good... considering I work for a data security company!
They usually ask for your SSN (Social inSecurity Number) at the time you apply for a job. If you don't provide it, you probably aren't even considered for any position with their organization.
What would be nice is a strict privacy law that prevents SSNs for being used for anything other than communications with the IRS. Credit bureaus, banks, potential (not actual) employers, would be liable for a large penalty under such a law for even asking about your SSN unless they have already hired you or generated taxable income for you. Ideally, there would be a FairTax, not an income tax, and latter point would be moot -- SSNs would be irrelevant and you could (legally) fill in any 9-decimal-digit number where a form requests/demands an SSN and nobody could object to the figure you provide on legal grounds -- to do so would be unfair discrimination. The idea there is to make the government turn against itself, with the equal opportunity folks battling the revenuers, leaving the rest of us citizens to quietly enjoy our lives without annoying intrusions by Big Brother and Big Corp.
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
Yes, this is true, but they don't need that info until they draw up the offer letter.
Actually they don't need the SSAN until they fill out the W-2 or W-5 so they can pay you. Not a second earlier.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I made changes after getting a call from a local IT services company that said they had two of me in their database and wanted to resolve the discrepancy and update my information. What made that unusual is that I'd never applied for a job with them, they were collecting the data from Dice. That was a couple years ago.
What I started doing was stripping all the data out of my old profile and created a new one with the last name of Notdisclosed, or something like that. Then I stripped out my employer names and dates, created a new email address, and replaced my phone number with a message only number.
I have my own company and won't be applying for jobs anymore and their data is getting older by the day. This is going to be an ongoing problem with companies mining online sources for their own systems, but who knows how good their security is? Or if they even have any?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Many of these companies take far more data than they should and do not have good security. All data is loaded on windows (most do that, but still scary). But they request that you send the information via e-mail so that they have a good copy. Do not allow it. Go with pgp, gpg, or at least snail mail. GCI, Sai, and Perot are great examples of very incompetent companies.
Even if you do, I have seen loads of worthless companies out there. In fact, many companies would argue that the vast majority of security companies are worthless. They still do not have Windows fully locked down, but claim that it is. Since it is impossible to lock down xp and earlier 100% (During the trial, MS said that it was impossible due to design), then they should not claim that they have done so. And even when they make false claims, most still screw it up.
I prefer the "u" in honour as it seems to be missing these days.
But we managers do this anyway.
I'm going to change that at our place, however. This article is quite enlightening.
Perhaps the Federal Government needs to make it a law that this be concealed on all apps until the employer is actually willing to do a background check at which time they will show due diligence in protecting that info.
--- Grow a pair, liberals... stop letting the Republicans bully you!
DL is not an evidence of work elegibility at all.
some states may deny DL to people not elegible to work,
not all of them
every day http://en.wikipedia.org/wiki/Special:Random
I must be getting old. What the hell happened to the times where you looked around, researched the company you wanted to work for, and you pursued employment there? All I ever see anymore is how people don't have time to apply at all these companies with long processes. What the hell are you doing? Just throwing your resume into the air like war propaganda, hoping some shmoe will latch on to it and call the number? Why don't people take the time to FIND an employer and focus efforts instead of just trying to find a spot that has the right features (pay, title, responsibilities, etc)? Could this be the reason that the IT industry is viewed as poor, downtrodden, and abused? Take pride. If you have skills, and needed abilities, find the place you want to work and PURSUE it. Call them, meet with them, invade their cafeteria. To the "hey man, we gotta get a job, billz to pay yanno" crowd: Learn to invest, save, and NOT spend beyond your means. When you find yourself needing a new job or wanting a new job, you will have the comfort of knowing you have enough tucked away to survive the 3-6 months of actual leg-work finding that job that you will stick with for a while. Instead of that 1 to 2 year stint at the carcass of a company you blasted with your 12-gauge resume shotgun. -b
The guy who steals the laptop. Today you should assume the worse. "Privacy policies" and the lame security procedures are a real joke, designed to protect the company, not the employee or the customer. Anything you put on the net or on any computer connected to net is being broadcast worldwide, just like on the radio. If somebody wants access, they will have it. The internet is not a series of tubes. It's a very leaky pipe. If the Alaska oil pipeline was as leaky as the net, none of the oil would reach the other end. On the net, you don't send a message, you spray it all over. A spit-take is the best way to visualize it.
What?
Most jobs are found through personal networking. Online applications are a "going through the motions" task to demonstrate the company hired the "Best Qualified Applicant"--the person they already wanted to give the job to. This is also true for resume collectors.
It is a far better use of your time to talk with the people who would become your future co-workers.
Additional Rule of Thumb: The company/agency will be as careful with your application data as it will be with your employee data.
227-3517
- Your driver's license # and SSN are likely being sent right off to the big database companies that do credit scoring and collection of any bit of trivia about you that they can find. Wasn't one of them busted a year or two ago for not being very discriminating about who could buy a copy of the data? So you not only have to worry about the IT practices of the company you're hiring, but also any HR outsourcing company they've hired to handle job applications and job listings, and the behemoths who already know too much about you. (Well not you, perhaps, since you've been out of the country for the last 16 years.)
- You probably won't get the job anyway. I've never talked to anyone who manages at a company with one of those online job application systems and likes the system. Your best avenue into a job is getting someone you know to put your resume in front of a hiring manager, who will then ride the backs of the HR people if necessary to get you into the company.
I may be wrong, but that's been my experience with job applications."Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
I don't usually like giving that stuff up until I know that I am going to get an offer. You want to check my previous employeers, call them from my resume, just don't call my current employer. That's usually been my rule. Then if they decide to make me a job offer, then I'll fill out all that paperwork. I think it is premature to give an application to someone unless they have a job offer to follow suit. I also don't like doing any of it online.
Only 'flamers' flame!
Does slashdot hate my posts?
First off, there should be a privacy policy covering the website. As an random example, Best Buy refers applicants to a third party with a decent policy. If there isn't one, it's grossly inadequate, or the policy should preclude asking for such information, then look around some more. Most companies have some manner of contact information available; politely asking for someone with the legal department usually gets you somewhere quickly. Politely inquire about the privacy policy and whatever deficiencies thereto which you perceive. You might also reasonably ask if they how frequently the security systems for HR are audited.
If you don't like the answers, ask for the snailmail contact for the head of HR. Make up a form letter which says something on the lines that you are a highly qualified IT professional with 16 plus years of experience; that it is your professional belief that their privacy protections for applicants' personal information are inadequate ("grossly," "unprofessionally", "dangerously" as you feel needed); that you are concerned such policies might leave the corporation and employees open to unnecessary liability; that you feel use of their website would involve undue personal risk; and that because of this, you cannot in good conscience seek potential employment with them via their application website.
Some places will no doubt ignore you as a fruitcake; some will suggest alternate (probably dead-tree) means, or indicate the personal information may be omitted without prejudice; and it's unlikely but not impossible that one might ask you to interview for a security/audit position.
//Information does not want to be free; it wants to breed.
All you have to do is a make a couple "typos" when filling out the form. For instance, if your ssn is 123-45-6789, just accidentally type 123-95-6789. If they really care, they'll call you and ask for the correction at which point, at least you'll have a human being with an actual voice to deal with. I'm going to guess they probably won't care enough unless they're really interested in you. And if they're really interested, you probably won't mind correcting it for them.
In many states (probably all states), a resume or CV isn't really needed to be accurates, but an application you sign does.
So some companies won't make you an offer until the can check you accuracy. The can then relate this against your resume to see if they jive.
The Kruger Dunning explains most post on
Why can't there be a single online application form for any state jobs? I've seen the state duplicate job forms for the University, Health Jobs, and so on. All of the jobs were State based, so they should of used the States Job site, which was done very well. But no, you have to fill out the same forms 1000 times to apply to different jobs in different organizations. The State's Health site was built with ColdFusion and was so damn buggy I gave up. One University's site was JSP and the redirect for every page drove me insane as I couldnt use the back button, I had to go through the pages in the right order, or use their special back form button. Needless to say how all corporations want to use their own online job application forms, they should just rely on the State's especially if they are going to use it to look for candidates.