03 Jun PO Box vs Home Address: HR Privacy Practices
Want to protect employee home addresses from ending up in the wrong hands?
HR departments hold some of the most private data in any company. Names, bank accounts, emergency contacts… home addresses. Did you know that last piece of information presents a far larger privacy threat than most people realize.
Here’s the thing…
The second a home address hits a company’s HR system, it’s put in a bullseye. Facts and figures support this — HR data found in 81.7% of breaches, making it one of the most commonly stolen data types of all.
So what’s the fix? A PO Box.
If you are an employee who is able to request a PO box instead of providing your home address to HR, this is one of the easiest and most underutilized privacy choices you can make. If you haven’t already, learning how to set up a PO box is a great place to start if you want to keep your home address off of company records.
This guide walks through everything HR teams and employees need to know.
Here’s What’s Inside:
- Why Home Addresses Are an HR Privacy Risk
- PO Box vs Home Address: What’s the Real Difference?
- When HR Can (and Can’t) Accept a PO Box
- Best Practices for HR Address Privacy
- Frequently Asked Questions
Why Home Addresses Are a Serious HR Privacy Risk
Home addresses are not just mailing details.
They’re personally identifiable information — PII — and PII is something that matters more every passing year. 45% of HR professionals have shared employee personal data to a person outside their role. Home addresses included. It doesn’t take a high-tech cyberattack to reveal where someone lives. Sometimes, all you need is a human error.
But the digital threats are just as real.
The per-record cost of a data breach rose to $4.88 million in 2024 — the biggest year-on-year increase since the pandemic began. With home addresses in HR systems, when a breach occurs every employee on file becomes a potential victim.
The risks of storing home addresses in HR systems include:
- Stalking and physical harassment from a former partner or disgruntled ex-colleague
- Identity theft when a residential address is combined with other stolen data
- Targeted phishing and mail scams sent directly to someone’s home
- Public records exposure through background check databases or court filings
Bottom line: Your home address is sensitive data. Handling it that way should be your HR policy. Not an add-on.
PO Box vs Home Address: What’s the Real Difference?
A home address is a street location of someone’s residence. Typically this information is publicly searchable on voter rolls, court records and data broker websites.
A PO Box is a locked rented mailbox located at a post office or private mail centre. PO Boxes provide a mailing address that does not disclose an individual’s physical location.
Here’s why that difference matters for HR…
When an employee gives a home address to an employer, that address travels through various systems:
- Payroll software
- Benefits portals
- Tax documents (W-2s and similar)
- Emergency contact records
- Background check reports
Each and every one of those is a point of failure. A PO Box eliminates that risk. It allows critical mail to reach the employee without publicly announcing their home location on every channel it propagates.
Breaches containing employee information surged 14% in 2024 — the highest level in six years. Since HR records are often at the heart of the issue, one of the simplest ways to reduce risk is to offer employees a PO box for general correspondence.
When HR Can (and Can’t) Accept a PO Box
Here’s where it gets important…
Did you know that not all HR processes allow for a PO Box. There are legal requirements that both you and HR should be aware of prior to making changes.
Where a PO Box is generally accepted:
- General mailing address for correspondence
- Payroll and benefits communication
- Tax form delivery (W-2s and equivalents)
- Employee self-service profile addresses
Where a physical address is legally required:
- For the I-9 Employment Eligibility Verification form, you must include your physical home address. A PO Box is not accepted.
- Some state-level tax forms require a residential address
- Certain benefits providers and insurers require a home address for underwriting purposes
Pay attention to this. Writing a PO Box rather than your home address on an I-9 is a violation. You can be fined over $2,000 per box.
Rule of thumb: Don’t collect a street address unless you absolutely have to (for legal reasons) and then only allow access to that data on a strict need to know basis. Allow employees to use a PO Box for all non-specific HR communication.
Best Practices for HR Address Privacy
Getting a PO box is just one piece of the puzzle.
HR teams also need to internally evaluate how they store, access and share address data. Here’s what every HR department should have:
1. Minimise access to address data Limit who can see a home address to only those who absolutely need it. Limit access within payroll applications and HR systems to the bare minimum.
2. Encrypt all stored address data PII data for employees such as home addresses should be encrypted both at rest and in transit. Files that sit unencrypted on a shared drive or legacy system are an open invitation.
3. Let employees use PO Boxes wherever legally permitted Let people choose. If a PO Box is legal, permit it. This minimizes the number of systems storing an actual residential address.
4. Audit address data regularly Audit who has access to address data and why. Previous employee data should be purged based on a predetermined schedule. Storing outdated home addresses long after seems unnecessary and could pose liability.
5. Train HR staff on what counts as sensitive Human mistakes are responsible for the vast majority of data exposure events. Ensure that each member of your HR staff realizes that a home address is sensitive information — and treats it that way.
The Final Word
PO Box vs home address is more than a mailing preference. It’s a legitimate HR privacy decision with consequences either way.
Home addresses can pose significant risk in 2025. Whether it’s a data privacy risk or putting actual people at risk, HR teams can no longer afford to consider home addresses as benign data.
To recap:
- Home addresses are sought-after targets in cyberattacks. Home addresses feature in the majority of data breaches
- PO Box — Allows employees to keep their whereabouts confidential without missing vital mail
- PO Boxes are accepted for most HR correspondence, but not for I-9 compliance
- Limiting internal access and encrypting stored addresses are the strongest protections available
- Allow employees to opt into having a PO Box for privacy — Easy privacy win that won’t cost you much.
Review internal access controls first. Then allow employees to use a PO Box if state law permits — it’s one of the simplest actions HR can implement.
Frequently Asked Questions
Can an employee use a PO Box as their address for HR records?
Yes, usually. You can put a PO Box for payroll / tax forms and general HR mail. Certain forms though — such as the I-9 — mandate a home address. A PO Box will not meet that requirement.
Is a PO Box safer than a home address for HR?
Yes, from a privacy perspective. PO Box doesn’t give your physical location. Having your home address stored in numerous systems open you up to identity theft, spear phishing, and physical danger.
Do employers have to protect employee home addresses?
Yes. Addresses are considered personally identifiable information (PII) in most regions. Therefore, they should be stored, processed and secured according to all relevant data privacy laws. There are penalties for failing to comply.
Can HR share an employee’s home address?
A valid and lawful reason is required. Disclosing a home address without authorisation could violate privacy laws and open your company up to liability.
No Comments