How Safe is Your Employment Application Data?

Carlos asks: "I recently returned to the U.S. after working overseas for the past 16 years. As I visit job sites and corporate sites, I'm finding two issues with applying online I hope Slashdot readers could comment on. I understand security and background checks are important to most employers. However, it seems to me that far too many online applications are asking for sensitive data, such as my social security number and driver's license number. How long is my data stored in their database? Who has access to such data? It seems that every month we hear about a company that has customer/client data stolen or mishandled. I feel that such data shouldn't be required during 'step one' (ie filling out the initial online account in the career section). I'll provide such data when I've been contacted by a staff for an interview. Do Slashdot readers simply bypass such employers, or do they just hand over their identity?"

Another point relates to the pages upon pages we have to endure with an online application. Some companies make the process smooth, for example using a form of OCR with an uploaded resume. There's nothing worse than getting to step 9 (out of 20 steps) and getting a timeout error in your browser. I hope HR people who are reading this, will take a closer look at their employment process. I'm sure some readers might say, 'They make the process hard on purpose — weeding out the lazy applicants.' I fully understand this point and I'm not looking for an easy way into a company, but filling out 20 step applications at 30 companies a day, everyday, can eat a lot of time when hunting for a position."

WTF is this?

[Anonymous Coward]

I clicked on this story and I got:

Error (page title)

Nothing for you to see here. Please move along.

I'm a little paranoid, so what is this supposed to tell me? My employment application data is really safe, because it isn't here to see; or, there is nothing to see because things are so bad that my data is all over the internet and I shouldn't even bother asking how many people have applied for credit in my name?

3P's

[Anonymous Coward]

" However, it seems to me that far too many online applications are asking for sensitive data, such as my social security number and driver's license number."

They get the SSN when you get a job. Your license number isn't really sensetive.

Re:3P's

[GMontag]

They get the SSN when you get a job. Your license number isn't really sensetive.

Yes, this is true, but they don't need that info until they draw up the offer letter.

Re:3P's

[meme lies]

They get the SSN when you get a job. Your license number isn't really sensetive.

Yes, this is true, but they don't need that info until they draw up the offer letter.


Nice thought, but if you are filling out job applications on-line you are most likely not in the position to set any conditions (as opposed to using a headhunter or contacts within the company, in which case you aren't seen as riff-raff off the street.)

I'd also add that with most companies, withholding any information they ask for will raise a red flag. If you don't provide a SSN or license number or whatever else when asked they will immediately assume you have something to hide-- such as a criminal history, a DUI, heavy outstanding debts or a lien against your wages, or the lack of legal work status. Asserting that they do not have the right to ask can just mark you as "trouble"... Companies don't tend to like employees who know their rights and take a stand to protect them.

I'm not saying it's right, but that's the way it is. They're looking for any reason they can NOT to hire you and refusing to play along will seriously hurt your chances. Telling them they can't have your SSN until you get a contract or serious offer will, in most cases, mean you won't get it at all.

Re:

[GMontag]

Nice thought, but if you are filling out job applications on-line you are most likely not in the position to set any conditions (as opposed to using a headhunter or contacts within the company, in which case you aren't seen as riff-raff off the street.)

I'd also add that with most companies, withholding any information they ask for will raise a red flag. If you don't provide a SSN or license number or whatever else when asked they will immediately assume you have something to hide-- such as a criminal histor

Re:

[Heian-794]

There's one more thing that worries me about them asking for the SSN. How about when people who are concerned about leaking personal data, but also don't want to get red-flagged, intentionally give a false-but-believable number (say, their actual one with two digits transposed) with the intention of correcting the "error" when they actually get hired. A corporation searching credit or DMV records will be pulling up data from a different person who never consented to having anything looked at.

Re:

[GeckoX]

Don't do that. It's that simple. Do not lie on an application EVER. Never Never Never.

Not if you like working that is.

Re:

[GeckoX]

It's the integrity involved. If it's an accident, so be it. But if it's intentional, it's a lie. As well you show that you would rather cheat your way around a problem than to face it head on. If you don't want them to have your SSN at application time, deal with that but don't be subversive.

Re:

[GeckoX]

Hey, if you want that job so bad, that's your prerogative. Just don't bitch to us if that sensitive data you gave out comes back to haunt you even though you didn't get the job.

Think about what you're suggesting. You want a job with a company that requires this sensitive date BEFORE even offering you a job...BEFORE even meeting you?

Dude, you deserve what you get. We're not slaves you know. Have some self respect and stand up for yourself already!

Re:

[Em Adespoton]

Indeed... I tend to use such forms as part of my "potential employer" filter system. If I don't like what they're requiring of me to get to the interview stage, I cross the company off my list of desirable workplaces. HR decision makers might want to take note, as such forms are probably filtering out a lot of the "top pick" candidates who would rather get hired through their network of acquaintances than by filling out a rigid and impersonal form that won't submit if it isn't 'just so'.

Re:

[bebing]

Nice thought, but if you are filling out job applications on-line you are most likely not in the position to set any conditions (as opposed to using a headhunter or contacts within the company, in which case you aren't seen as riff-raff off the street.)

If I was to paint any group with a wide brush as 'riff-raff off the street' it would have to be the headhunters. Though they are pretty much the only game in town nowadays.

Re:

[iminplaya]

Telling them they can't have your SSN until you get a contract or serious offer will, in most cases, mean you won't get it at all.

If we all did that, they wouldn't have much choice, would they? Not asserting your rights to avoid raising red flags will cost you those rights. We protect our rights by using them, and if the company thinks you're some kind of criminal for it, then we need to send the collective message of "screw you". If we accept this kind of treatment, then we shouldn't complain when the righ

Re:

[humblecoder]

Two thoughts... First, I have applied for many jobs online, and I don't recall ever having to give my SSN or DL number on a job application. Usually you only have to give them your SSN when you are employed and filling our your W4.

Second, I disagree that not giving your SSN marks you as a person with "something to hide". Most companies are sensitive to people's desire to keep certain information private, given all of the press that "identify theft" is getting these days. Any HR drone who would think of y

SSAN not needed and should not be given

[SgtChaireBourne]

They get the SSN when you get a job. Your license number isn't really sensetive.

Yes, this is true, but they don't need that info until they draw up the offer letter.

Actually they don't need the SSAN until they fill out the W-2 or W-5 so they can pay you. Not a second earlier.

Re:

[josecanuc]

They don't "need" it, but I think a huge number of employers perform a background screening on applicants.

My suspicion is that the asking for such data is just a result of the screening company saying "we need these data" and the braindead HR department doing it because of policy: "Get a background screening on all applicants."

Re:

[GeckoX]

Absolutely.

There is simply no reason for a company to _require_ a SSN before offering a job. You just have in the contract a clause that states as long as the background check doesn't come back with anything that wasn't already disclosed before offering the job, they get to keep it. Otherwise the contract is rendered null and void.

There is NO good reason for a company to ask for this before offering a job. None. If they do, they're either shady, stupid, or complacent. None being qualities I'd suggest lookin

You're right

[Travoltus]

But we managers do this anyway.

I'm going to change that at our place, however. This article is quite enlightening.

Perhaps the Federal Government needs to make it a law that this be concealed on all apps until the employer is actually willing to do a background check at which time they will show due diligence in protecting that info.

Re:

[Derek]

If potential employers bothered to think it through a little bit, I doubt that they would really want to collect private info either (unless of course they were serious about offering the candidate a job.) Think about it, collecting all sorts of highly confidential information from every job applicant is just asking for trouble. What happens when your HR person loses his/her laptop? Not only do you now have to deal with the liability and responsibility for your 40 employees, but you also have to deal with t

Not really

[geekoid]

In many states (probably all states), a resume or CV isn't really needed to be accurates, but an application you sign does.

So some companies won't make you an offer until the can check you accuracy. The can then relate this against your resume to see if they jive.

license number sensitivity

[JimBobJoe]

Your license number isn't really sensetive.

I'm not sure if I agree. I think the issue here is that you can't predict who is using the license number and how, and frankly, I don't think people have become particularly creative with misusing the license number (which, in most states, if not all states, is a fixed number.)

I think this will become an issue with time. It's becoming a back up to the SSN, and since it seems to be on the same path that the SSN was on in the late 70s/early 80s, then I'm going to saf

Re:

[i.r.id10t]

Here in Fl. it is based on your date of birth and your full name without vowels. Had a program on my 8088 that would take that info and spit out the correct DL number, or allow you to enter a DL number and it would spit out the name (no vowels) and DOB.

Re:

[i.r.id10t]

And googling around, I found more info on how they are generated. It also has a java applet that will do name to number to name

http://www.highprogrammer.com/alan/numbers/dl_us_s hared.html [highprogrammer.com]

Make privacy the law! Ban use of SSNs.

[FractalZone]

They usually ask for your SSN (Social inSecurity Number) at the time you apply for a job. If you don't provide it, you probably aren't even considered for any position with their organization.

What would be nice is a strict privacy law that prevents SSNs for being used for anything other than communications with the IRS. Credit bureaus, banks, potential (not actual) employers, would be liable for a large penalty under such a law for even asking about your SSN unless they have already hired you or genera

Re:

[Thirdsin]

True they will get your SSN when you get the job. But he is referring to the application process before landing that job... If you apply to 3 companies the problem becomes where has my info been parked and how secure is it? A compromised license number coupled with other data (perhaps home address etc) add pieces to the puzzle of a person's identity. The more pieces of data an unscrupulous person obtains, the greater threat it becomes. FYI, your license number might be your SSN (This is the case for old l

I would omit sensitive data

[GMontag]

I would omit things like SSAN and DL. If they require these I would just skip that employer (after trying to contact them) move on to another one.

I don't give a fuck about...

[rob1980]

My driver's license number. Every time I buy beer, or cash a check at the bank, somebody gets to see my ID anyway.

Not worried about employment application data

[cerberusss]

I'm not worried about employment application data, but I have been worried about the employment application itself. I mean, the IT industry is a small world, especially if you look for work within the same city. At one time I walked the last part to a company building for an interview, when I passed a current colleague of mine. I just greeted him but I could see the questionmarks in his face.

Re:

[Anonymous Coward]

At one time I walked the last part to a company building for an interview, when I passed a current colleague of mine. I just greeted him but I could see the questionmarks in his face.

... why? What was *he* doing there?

Re:

[waynemcdougall]

when I passed a current colleague of mine. I just greeted him but I could see the questionmarks in his face

One of your colleages was Edward Nigma? [wikipedia.org]

I'm not surprised you were looking for another job.

Re:

[Zonk (troll)]

Or was he Matthew Lesko [wikipedia.org]? (pic [free-college-grants.info])

You shouldn't (only) be using web pages

[Telcontar]

If you have 16 years of work experience, you should contact a headhunter (job agency). They should not have difficulties finding interesting positions for you. Of course some companies only hire directly. However, for all the others, a good headhunter saves you the time of going through countless web sites, only to find job descriptions that are outdated (about positions that are no longer open, even though the web page does not say that). A headhunter won't necessarily find your dream job, but an application at a headhunter costs about as much time as a real application, and can cover dozens of companies at once. This should greatly improve your odds.

Re:

[Anonymous Coward]

Head Hunter != Recruitment Agents

Hunters find good people in jobs already, Agents deal with every one. You cant contact a head hunter, they come to you.

Re:

[GeckoX]

Oh bullshit. That's so not true.

Typically head hunters do more legwork, reach the feelers out farther, have more contacts in the right industry, and charge more accordingly. That is all. They are merely recruiters that have proven their ability to excel at finding the right person for the job.

A good headhunter would never make their job so hard as to have to go out cold and 'find' someone for the job like you suggest. They would also never limit themselves to people that are currently working somewhere.

BTW,

i know where my data is

[Noishe]

Since I organised it..... It's on a paper hardcopy with all electronic forms destroyed, in a locked cabinet behind the photocopier...

technically illegal

[TRRosen]

most of these are technically illegal as this information would be keys to information that is not supposed to be used in the evaluation of applications sex age race etc. Seems to me if you can't ask for someones age you really shouldn't be able to require a copy of a drivers liscence to apply!! (actually that would include age race and sex on the card)

Re:

[Anonymous Coward]

Definitely not illegal to ask for those things. Alot of the information is required by the IRS and other tax agencies. The information is also needed to enroll in benefits programs.

Race is generally optional on the applications I've seen, with a disclaimer stating that the data is only voluntarily requested for EEOC documentation purposes only.

DL is one of the secondary forms of ID asked for to prove citizenship or work eligibility by the government.

Re:

[kfg]

The information is also needed to enroll in benefits programs.

I can get benefits for applying? Cooooooooooooool!

KFG

DL? pfft

[way2trivial]

DL is not an evidence of work elegibility at all.

some states may deny DL to people not elegible to work,
not all of them

Re:

[symbolic]

Drivers license + Social Security card, or a valid Passport.

Re:

[silentounce]

DL is also your state ID, it's not evidence of eligibility to work, but it is proof of ID... Check this out:

http://www.uscis.gov/files/form/i-9.pdf
That should settle the argument.

Re:

[GeckoX]

You're talking about after you've been hired. This is about applying for a job.

NEVER offer up this information before actually being hired. Just Don't Do It. It's simply a bad idea.

Nevermind entering that information ONLINE somewhere! Never Never Never!

If they want that information, they can give you a contract to sign FIRST. Period.

If you don't follow this advice, well don't come crying to me about it when things go bad.

On the other front, I do know that the company I work for keeps any confidential data l

Re:

[Anonymous Coward]

technically illegal? oops looks like we have somebody without herd mentaltity applying for the position.. umm. oops.. I mean... "the position has been taken by a candidate with more on-job experience"

Re:

[Slashdot Parent]

most of these are technically illegal

Which law does it violate?

Don't worry...

[technos]

In the last ten or fifteen years at up to a dozen different places I've only ever seen one storage system for applicants that didn't get the job: Box in the back of a storage closet.

No one knows it's there except the HR drone that hid them, and the closet is locked because it also contains said HR drones stash of candy and Garfield posters.

In fact, it's probably better protected than information people want. In those same places, sales records, customer billing info and record on current employees were treated with less security.

Re:

[bluebox_rob]

But since we're talking about online applications, it's reasonable to assume that the information is stored electronically at some point - and since it's usually more effort to remove old data then let it hang around, I would guess that a lot of it is still knocking around for months or years after they've crossed you off their list.

Re:

[technos]

But since we're talking about online applications, it's reasonable to assume that the information is stored electronically

Bah! You're assuming any company I'd be willing to trust with my retirement is also willing to trust day to day operations to "That Suckwell thing Microsoft sold us" or, heaven forbid, the IT department.

That sucker went into a HR-drone's mailbox the instant you hit "Submit Form".

and since it's usually more effort to remove old data then let it hang around, I would guess that a lot of it

Not very.

[Aeron65432]

If this story [slashdot.org] and its' comments are to say anything, not very safe; good luck trying to get your personal data removed.

Be Careful of ID Theft

[Anonymous Coward]

Actually I would be very wary of providing SSN, DL, DOB, or any other identifying information. It wasn't to long ago (2 months) that the FBI issued warnings about identity theives posing as hiring companies so that they could obtain your information and then use it. Be especially leary of calls/emails from supposed agencies that you did not directly apply too.

I am sure that you are doing your homework on the companies that you are applying to. But it is necessary to restate that if you are going to ask f

Multi-stage applications

[91degrees]

'They make the process hard on purpose -- weeding out the lazy applicants.'

I fully appreciate this idea. Jobhunting is a two way process. I reject any company that has an annoying inflexible application process on the theory that they would be annoying inflexible companies to work for. Of course, for certain jobs, I recommend the right sort of lazy. A clever lazy person will do a job in a way that means all dependent tasks can be done in half the time.

my experience as a criminal background researcher

[Anonymous Coward]

I've been working as a criminal background researcher for a company that gets hired to do pre-employment background checks. I'd describe the security protocols as being more than lax:

a.) I receive the lists of people to check over a non-encrypted HTTP connection. These lists include name, DOB and SSN. (I'll admit to making it worse by accessing this non-encrypted website over my neighbors open wi-fi connection.)
b.) The background checking company gives no instructions about how to treat the data, how to destroy the data after it's been used, etc...all of which seem de rigeur in today's world.
c.) The issues applying to a.) also apply to the government court websites used to check the data.

Background checking companies are often just run by ex HR people, and, as you can expect, many of them are not trained in security issues like this.

Be Careful of ID Theft (Repost)

[$t0mp]

Actually I would be very wary of providing SSN, DL, DOB, or any other identifying information. It wasn't to long ago (2 months) that the FBI issued warnings about identity theives posing as hiring companies so that they could obtain your information and then use it. Be especially leary of calls/emails from supposed agencies that you did not directly apply too. I am sure that you are doing your homework on the companies that you are applying to. But it is necessary to restate that if you are going to ask fo

So what?

[WindBourne]

Even if you do, I have seen loads of worthless companies out there. In fact, many companies would argue that the vast majority of security companies are worthless. They still do not have Windows fully locked down, but claim that it is. Since it is impossible to lock down xp and earlier 100% (During the trial, MS said that it was impossible due to design), then they should not claim that they have done so. And even when they make false claims, most still screw it up.

I made changes

[HangingChad]

I made changes after getting a call from a local IT services company that said they had two of me in their database and wanted to resolve the discrepancy and update my information. What made that unusual is that I'd never applied for a job with them, they were collecting the data from Dice. That was a couple years ago.

What I started doing was stripping all the data out of my old profile and created a new one with the last name of Notdisclosed, or something like that. Then I stripped out my employer names and dates, created a new email address, and replaced my phone number with a message only number.

I have my own company and won't be applying for jobs anymore and their data is getting older by the day. This is going to be an ongoing problem with companies mining online sources for their own systems, but who knows how good their security is? Or if they even have any?

Re:

[Anonymous Brave Guy]

It sounds like your experience is another example of pain from putting sensitive information on-line (in this case, on Dice) without fully appreciating the possible results. That in turn is an example of a wider problem: giving up sensitive information to anyone who doesn't have a vested interest in storing, using and destroying it properly.

An entire generation is about to learn from this mistake, but probably suffer its consequences for much of the rest of their lives. I imagine the problems will eventua

Re:

[profplump]

Just a note about Dice: The company in question was only able to collect information from Dice because you provided that information and marked it as searchable. There's no requirement that you have an account, or that it be active, searchable or non-confidential to use any of the job search or application functions on Dice (as opposed to Monster for example, which requires that you have an account and sign in to apply for jobs). If you just want to search for jobs without letting employeers search for you

Application by shotgun . . .

[bradsenff]

I must be getting old. What the hell happened to the times where you looked around, researched the company you wanted to work for, and you pursued employment there? All I ever see anymore is how people don't have time to apply at all these companies with long processes. What the hell are you doing? Just throwing your resume into the air like war propaganda, hoping some shmoe will latch on to it and call the number? Why don't people take the time to FIND an employer and focus efforts instead of just trying

Re:

[poot_rootbeer]

Why don't people take the time to FIND an employer and focus efforts instead of just trying to find a spot that has the right features (pay, title, responsibilities, etc)?

Because most people, when considering the factors that lead to job satisfaction, would rank pay, title, responsibilities, etc. as more important than which company they work for?

I don't care if my employer is Spacely Sprockets or Cogswell Cogs, as long as I get paid well to apply and develop my skills. And even if I really DID want to wor

Re:

[bradsenff]

You missed the point.

You would be the exception, because you knew enough about the two to determine that you *wanted* to be at Spacely. Why do you want to be at Spacely?

Most applicants these days just blast the resume at both, hope one of em sticks and that the pay/perks/title fall within the range they can tolerate.

My point was that most employers that are actually GOOD to employees, and who want to hire quality people, will find a way to hire you if they find you desirable. So what if Spacely has no open

Re:

[DataBroker]

What the hell happened to the times where you looked around, researched the company you wanted to work for, and you pursued employment there?

While I agree with you that researching a company is valuable, there are limits. Things change so quickly now that people need to look to the shorter and shorter term - companies do.

Companies no longer expect employees to remain through thick and thin. In good times, they pay a premium. In bad times, they have layoffs. As evidence, consider the weight that

Who has access to such data?

[iminplaya]

The guy who steals the laptop. Today you should assume the worse. "Privacy policies" and the lame security procedures are a real joke, designed to protect the company, not the employee or the customer. Anything you put on the net or on any computer connected to net is being broadcast worldwide, just like on the radio. If somebody wants access, they will have it. The internet is not a series of tubes. It's a very leaky pipe. If the Alaska oil pipeline was as leaky as the net, none of the oil would reach the

Better employment strategies

[packrat0x]

Most jobs are found through personal networking. Online applications are a "going through the motions" task to demonstrate the company hired the "Best Qualified Applicant"--the person they already wanted to give the job to. This is also true for resume collectors.

It is a far better use of your time to talk with the people who would become your future co-workers.

Additional Rule of Thumb: The company/agency will be as careful with your application data as it will be with your employee data.

Simple answers

[OhHellWithIt]

• Your driver's license # and SSN are likely being sent right off to the big database companies that do credit scoring and collection of any bit of trivia about you that they can find. Wasn't one of them busted a year or two ago for not being very discriminating about who could buy a copy of the data? So you not only have to worry about the IT practices of the company you're hiring, but also any HR outsourcing company they've hired to handle job applications and job listings, and the behemoths who already

not until I get an offer

[josepha48]

I don't usually like giving that stuff up until I know that I am going to get an offer. You want to check my previous employeers, call them from my resume, just don't call my current employer. That's usually been my rule. Then if they decide to make me a job offer, then I'll fill out all that paperwork. I think it is premature to give an application to someone unless they have a job offer to follow suit. I also don't like doing any of it online.

Look around the website

[abb3w]

First off, there should be a privacy policy covering the website. As an random example, Best Buy refers applicants to a third party with a decent policy [unicru.com]. If there isn't one, it's grossly inadequate, or the policy should preclude asking for such information, then look around some more. Most companies have some manner of contact information available; politely asking for someone with the legal department usually gets you somewhere quickly. Politely inquire about the privacy policy and whatever deficiencies t

Duplicate data all over the place

[VGfort]

Why can't there be a single online application form for any state jobs? I've seen the state duplicate job forms for the University, Health Jobs, and so on. All of the jobs were State based, so they should of used the States Job site, which was done very well. But no, you have to fill out the same forms 1000 times to apply to different jobs in different organizations. The State's Health site was built with ColdFusion and was so damn buggy I gave up. One University's site was JSP and the redirect for every pa