Venky,
I would create two new DI connections - one for the HR data and one for the HR failed data. For additional security, you could also add a HR DI project. All of these can then be secured with new HR groups (which you will need to create as sub-groups under existing DI groups).
As you would put the failures into a separate DB schema, you would have to talk to your DBAs about how that is encrypted/ accessed in the DB layer to prevent access. You could look at VPD in Oracle if that's your DB technology, but would then need to give an exemption to the HR user that is used for the failed data repository connection.
regards
Adrian