In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on their employees.
To date, there is no all-encompassing federal privacy law. Rather, there are several federal laws which touch upon an aspect of protecting personal or private information collected from individual, such as the Children’s Online Privacy Protection Act (giving parents control over the information collected from their children online); Federal Trade Commission Act (pursuant to which the FTC has sought enforcement against companies who failed to follow their own privacy policies relating to consumers); Gramm-Leach-Bliley Act (requiring financial institutions, such as banks, to protect consumer financial information); Health Insurance Portability and Accountability Act of 1996 (requiring covered entities to protect individually identifiable health information); and the Americans with Disabilities Act and Family and Medical Leave Act (requiring confidentiality of employee medical information obtained by employer).
Employers maintain various types of personally identifiable information on their employees, including, but not limited to: names, dates of birth, social security numbers, addresses, telephone numbers, financial information (such as bank account numbers and credit/debit card numbers), email addresses and passwords, driver’s license, state issued identification and passport numbers, health insurance number, biometric data, and personally identifiable information on an employee’s spouse and/or children (most commonly contained in benefit enrollment forms), and any other information maintained about an individual that could be used to identify him/her or obtain access to an online account.
Employer privacy policies should at a minimum address: (1) the types of personal information, (such as that listed above), whether in electronic or paper format, obtained and maintained regarding employees and their family members; (2) where the information is maintained/stored; (3) how the information is protected both while being maintained and also when being transferred from the employee to the employer, between the employer’s systems/departments, and outside of the employer’s organization (such as to a third party vendor); (4) who has access to the information, including any outside vendors who perform personnel-related services for the employer; (5) the effective date of the policy; and (6) identify the individual within the organization responsible for compliance with the policy.
Additionally, employers should consider training their employees on the policy. Employees who handle private information in the course of their employment should be trained on the contents of the policy; importance of maintaining the privacy of the information; methods to be used to achieve the protection of such information; limiting disclosure of the information within the duties performed by the employee with respect to use of the information; and what to do when a suspected breach of the information has occurred. The general employee population should also be trained on the contents of the policy; the importance of maintaining the privacy of the information; and what to do if the employee suspects or has knowledge that the information has been breached.