It's no secret that employee privacy lawsuits pose a devastating risk to employers.

"Protecting Employees and Your Company" originally appeared in the October, 2007 edition of Kansas City Small Business Monthly.

Better to be penny-wise than pound-foolish is generally sage advice for any small business; but it is particularly relevant for sensitive employee information. Public awareness of privacy issues has never been greater, as millions of people have been victims of identity theft.

Many Federal Laws Apply

Legal protection for employee privacy springs from many sources. A number of federal laws are applicable. The Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA) and the Health Insurance Portability and Accountability Act (HIPAA) all protect employee medical information. The Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Wire Tapping Act, Identity Theft and Assumption Deterrence Act and the Computer Fraud and Abuse Act protect other sensitive data.

Employers must also be aware of state and local laws. For instance, Missouri has recently enacted a law that protects employees' Social Security numbers. Finally, employees may try to claim an expectation of privacy even at work.

Limit Information Obtained

Because of the legal obligations and ramifications, it is essential for a company to review its application process, associated consent forms and authorizations, and its interview questions to be sure that only necessary information is collected. Limiting the number of people who will be gathering this information, ensuring they are properly trained and that they, themselves, do not pose a security threat, is also wise.

Once in possession of private employee information, an employer must safeguard it. For example, confidential medical and health information is strictly regulated and must be maintained in a separate confidential medical file. Generally, this information should only be disseminated on a "need to know" basis. Similarly, Social Security numbers must be protected. In Missouri, an employer shall not publicly display, post or intentionally communicate Social Security numbers to the general public or coworkers. Further, an employer cannot require employees to transmit their Social Security number over the Internet or use it as an employee number for any employee-related activity. However, employers may still collect Social Security numbers as required by other state or federal laws.

Consider Technology

A company must also address the new data-security issues created by technological advances. Twenty years ago, it would have been inconceivable to take home the entire database of our country's veterans. Now, however, laptop computers, mobile phones, wireless Internet access and other electronic advances provide opportunities to work away from the office. Yet the concern for employee privacy cannot end at the company's front door.

Accordingly, the company should establish policies and security measures for these alternate work arrangements. Telecommuting agreements, password protection, data encryption, firewalls, confidentiality and non-disclosure agreements and electronic data and equipment use policies are a few inexpensive protections available to employers. Employees also should agree to use only company-issued equipment and use it only for company-related business purposes.

For Ex-Employees

It is not enough to securely maintain employee data during employment. Employers must also take precautions when disposing of sensitive employee information after employment ends. Document disposal should only be done pursuant to a written retention policy that complies with all federal, state and local retention schedules, and that contains an exception to immediately stop destruction when litigation is anticipated. Juries can be instructed to make an adverse inference if a document is destroyed after the employer is on notice of litigation.

FACTA requires employers to take reasonable measures to protect sensitive personal information, including background check information. Examples of such reasonable measures include establishment of policies and procedures, training, monitoring and due diligence in selection of vendors. Paper documents should be secured while waiting to be shredded or burned.

Employers must seek references before engaging any third-party disposal companies and should obtain assurances from vendors that they will take measures to safeguard the information throughout the destruction process. Electronic documents must be properly treated before disposal. This may require magnetic sweeping or other destructive methods.

In summary, business-savvy employers will see the benefits of a cradle-to-grave review of sensitive employee information. Applications, background checks and other authorizations, interview questions, file setup and management, and document retention and destruction policies and procedures all should be checked for compliance with the array of laws affecting employee privacy. Access to and dissemination of personal information must be limited. Policies should also address taking documents home and accessing databases remotely. Employees handling sensitive information should be screened, then trained, to prevent disclosure.

At the end of the day, adequate safeguards are a key to preventing costly but avoidable intrusions of employee privacy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.