Here it is May, and I’m just now getting all of my April IT Compliance in Realtime Journal articles blogged about! Being in Las Vegas for a week at CSI SX / Interop really put a monkey wrench in my blogging activity last week.
While at the conference I spoke with many information security and IT leaders about privacy. Most have customer privacy on their minds, but a significant portion have not thought about employee privacy issues.
So, this article, “What Business Leaders Need To Know About Employee Privacy,” which is the third in my April IT Compliance in Realtime Journal issue, is pretty timely.
Download the April issue to get a much prettier, formatted version. Here is the unformatted article…
……………………………………..
Most attention on privacy tends to revolve around consumer and customer information privacy. However, it is important for organizations to also address workplace privacy issues. Business leaders must ensure the privacy of employee personally identifiable information (PII) as stringently as customer privacy. In some areas, the privacy requirements are even more stringent.
Current Workplace Privacy Concerns
There are multiple employee privacy issues that business leaders must address:
- Maintaining surveillance technology, including closed-circuit television, RFID tags, computer use monitoring, message tracking, and biometrics
- Protecting access to employee PII; ensuring only those with a business need can access it
- Enacting policies that dictate employee activities away from work
- Tracking employees outside of company facilities
- Addressing privacy issues within labor contracts
As new technology evolves, the issues will increase. Smart business leaders must keep up with the technology, privacy issues, and subsequent laws and regulations.
When to Address Workplace Privacy
In addition to knowing the multiple employee privacy issues that the organization must tackle, smart business leaders must know when to address workplace privacy issues. Generally, business leaders must address workplace privacy during three phases of employment:
1. Before employment occurs, business leaders must consider how to answer and address the following:
a. How is privacy protected within procedures around job applications and interview questions?
b. What type of employee candidate testing and background checks do you perform?
2. During employment, business leaders must answer and address the following:
a. How is Human Resources (HR) information, in all forms, protected and managed?
b. What type of workplace monitoring occurs, such as closed-circuit televisions, phone call recording, keystroke monitoring, Web site logging, and so on? Do you have policies governing the use of such monitoring? Have they been communicated to your employees?
c. What types of investigation policies and procedures are in place for personnel misconduct? Are privacy issues adequately and appropriately addressed?
3. After employment ends, business leaders must answer and address the following privacy-related issues:
a. Do your personnel exit procedures address the privacy of the associated individuals’ PII?
b. Do policies and procedures exist to ensure these privacy issues are addressed within management transition and ongoing privacy obligations for the individual?
c. What privacy issues could materialize from post-termination claims?
d. How is the terminated individual’s privacy addressed within documented retention and destruction procedures?
To answer these questions, you must not only be well versed in your privacy policies and practices but also ensure a position exists that is responsible for knowing the applicable workplace laws and the associated privacy implications.
Workplace Privacy Laws
U.S. laws typically emphasize employer duties. The focus is on how to safeguard PII. The U.S. laws generally allow continuous and multi-dimensional employee monitoring. Aggressive background checks are also typically allowed, and, in fact, are increasingly required for certain types of positions where individuals have access to sensitive information or have enterprise-critical responsibilities, such as network management. Employee expectations explicitly stated within U.S. laws are very limited.
Some of the U.S. laws that prohibit discrimination, which means limiting inquiries that involve PII, include those highlighted in Table 1.
[See PDF for Table 1: U.S. laws prohibiting employee discrimination]
A few of the U.S. federal laws that regulate employee benefits management, and which often mandate the collection of medical information, include those highlighted in Table 2.
[See PDF for Table 2: U.S. laws regulating employee benefits]
There are many other laws with employee privacy implications and requirements for data collection and recordkeeping. Table 3 offers a few examples.
[See PDF for Table 3: U.S. laws with employee privacy implications]
U.S. federal employers also must consider laws such as those listed in Table 4.
[See PDF for Table 4: U.S. employee privacy laws applicable to federal government agencies]
There are also many state-level laws, and growing numbers of state bills, that govern employee privacy. Each organization must keep up with the state-level workplace privacy laws in all locations where it has employees. For example, consider the four active bills in Michigan that could significantly impact workplace privacy:
- Bill H.B. 4532, The Employee Privacy Protection Act, would prohibit employers from making any employment decisions, including hiring or firing, based on the private, off-duty conduct of workers or job applicants, for a wide range of activities, from smoking to blogging. It would bar employers from taking action against employees for engaging in any “lawful activity” outside the workplace and during non-work hours.
- Bill H.B. 4887, The Job Applicant Credit Privacy Act, would prohibit an employer from refusing to hire an individual because of his or her credit history, and would bar employers from asking about job applicants’ credit histories.
- Bill H.B. 4926 would prohibit employers from discriminating against employees or job applicants because of “body type, degree of physical fitness, or other physical characteristic.”
- Bill H.B. 4927 would prohibit employers from discriminating against employees or job applicants because of health conditions of employees’ family members.
All the bills would provide a private right of action for individuals to file discrimination and retaliation lawsuits for breaches. All of the bills passed the Michigan House Labor Committee November 6, 2007 and are currently in their “third reading.” If enacted, these bills will create broad protections for both workers and prospective workers and be among the broadest worker privacy statutes in the country.
If you have employees outside the U.S., the legal privacy requirements are generally much different. Most countries emphasize employees’ rights. For example, within the European Union (EU), privacy concerns of workers predominately govern how personnel PII is used. Monitoring is only permitted with specific, limited legal justification. There are very limited allowances for background checks. Employees have very broad expectations and rights for privacy.
Each country and region has distinct privacy requirements, a few of which are highlighted in Table 5.
[See PDF for Table 5: International employee privacy considerations]
Putting It into Action
The bottom line is that business leaders must address not only customer and consumer privacy issues but also workplace privacy perspectives. Legal issues that must be considered:
- HR data management policies and processes must include careful consideration of privacy laws and related liability issues not only within the U.S. but also in countries outside the U.S. where strict data protection laws are in place.
- Workplace privacy laws in each country, and within individual states, have different requirements. Business leaders must work to harmonize the common requirements to meet compliance with as many laws as possible with a common set of policies and procedures.
Considering the wide range of civil and criminal penalties that apply for noncompliance with these laws, smart business leaders should consider these issues far from optional — they should be considered a priority. Business leaders can use the following checklist to help guide their workplace privacy planning and associated activities.
Business Leader Workplace Privacy Checkup
Before employment occurs:
- Ensure employee and contract labor applications and interview questions do not break applicable data protection laws
- Perform testing and background checks for potential personnel, but do so within the limits of applicable laws
During employment:
- Ensure HR data management policies and procedures exist so that only individuals with a business need can access personnel files
- Confirm workplace monitoring that does occur is within the allowance of applicable laws
- Know the privacy restrictions for performing misconduct investigations
After the employment relationship ends:
- Ensure termination procedures preserve employee privacy and are in compliance with laws
- Incorporate privacy preservation actions within transition management procedures and ongoing obligations
- Review procedures for addressing post-termination claims related to privacy
- Document retention and destruction procedures for employee PII
……………………………………..
Please let me know your thoughts!
I’m also putting together my topics for the next 3 – 4 months of Realtime Journal articles, so if there is a topic you’d like to see me write about, please let me know! I want to write papers that will help you meet your information security, privacy and compliance goals and support your initiatives.
Tags: awareness and training, employee privacy, Information Security, IT compliance, policies and procedures, privacy, risk management, security awareness, security training