A policy should clearly state the situations in which an employee should not assume their data and communications are private. Phone calls, texts, emails and social media communications transmitted on corporate-owned equipment, for example, generally carry no reasonable expectation of privacy once the policy has put employees on notice that they may be monitored. Software and websites that are not required for business purposes may be restricted under the policy or blocked outright.
It's also important to specify under what conditions employee data will be disclosed. Those conditions could include situations where the employee had consented, emergency situations and legal situations, such as a warrant or a court order.
Frequent employee privacy concerns
Privacy-related issues employees are likely to be concerned about include the following:
- What personal information/data is being collected about them.
- Why it is being collected.
- With whom it is being shared.
- How their sensitive personal information/data is being protected.
- Email privacy.
- Whether use of company assets (such as mobile devices, internet) is being monitored.
- Whether they are subject to video surveillance.
- Whether they must submit to background checks and/or drug tests.
- Whether their use of social media outside the company is being monitored and/or can be controlled.
- What happens to their personal information/data after they are terminated and/or no longer working for an employer.
- What their privacy rights are in relation to their personal information/data, such as their ability to access, refuse to provide, request deletion, amend, correct or transfer their personal data.
What is protected employee information?
Typically, only personal information (also called personal data or personally identifiable information, PII) is afforded special protection by employee data privacy regulations. This usually covers one or more types of personal information that identifies, or is linked to, an identifiable living individual (such as name, address, phone number, birth date, Social Security number or medical records). In some cases, it also covers a combination of data elements that could identify an individual when taken together (e.g., birth date, gender and postal code).
Certain types of sensitive data are given enhanced protection under privacy regulations such as the GDPR (General Data Protection Regulation). The GDPR's "special categories" of personal data are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data concerning sex life or sexual orientation. Data about criminal convictions and offences is handled separately under the GDPR, with its own restrictions on processing.
In the United States, a few federal statutes protect specific types of personal information. One key law is the Health Insurance Portability and Accountability Act (HIPAA), which protects individually identifiable health information held by covered entities and their business associates. That combination of identifiers and health information is known as PHI (protected health information). In addition, every U.S. state has a data breach notification law, and many states also have laws imposing data security obligations. Many of these laws focus on identity theft and financial protection, and generally aim to protect Social Security numbers and similar financial personal information against unauthorized use or disclosure.
Some states, such as California, have enacted stricter and more comprehensive privacy laws, and this trend is expected to continue in the United States. Those laws give the individuals they cover broader data privacy rights and protections.
In general, a great way to prepare for creating an employee privacy notice is to create a personal data processing register, data inventory and/or data map, which identifies the following:
- Business processes that your organization performs involving personal data and their purposes.
- How the data is collected for each business process.
- How the data is used by the organization.
- Where the data is stored and who (internally and externally) it is shared with.
- Where and how data is transferred.
- How data is protected.
- How long data is retained.
The above information can then be used to determine which privacy regulations apply to the personal information/data, and to build compliant processes and a privacy notice that addresses the requirements of those regulations. An employee privacy notice typically includes the following elements:
- Categories of personal information and data the employer collects about the employee.
- How the personal information/data is used/purpose of processing.
- Legal basis for processing the personal information/data, where applicable.
- Recipients or categories of recipients of the personal information/data.
- Whether the personal information/data will be transferred out of the country, and the legal mechanism to protect the data when transferred, where applicable.
- Storage and security policies relating to the personal information/data.
- How long the organization will keep the personal information/data; how this was decided.
- Employee rights relating to the personal information/data, if applicable.
- Any employer statutory obligations as they relate to the personal information/data.
- How employees can exercise their rights (who to contact), where applicable.
- Effective date of the privacy notice.
Note that the elements that should be included vary by state, and by whether a given regulation is in scope for specific employees.
Laws and federal regulations
A few examples of laws and federal regulations include:
HIPAA (Health Insurance Portability and Accountability Act)
- Protects the confidentiality, integrity and availability of protected health information. Compliance is required for covered entities (health plans, healthcare clearinghouses and healthcare providers that conduct certain electronic transactions) and their business associates.
GINA (Genetic Information Nondiscrimination Act)
- Protects Americans from discrimination by employers and health insurance providers based on genetic information (such as genetic test results and family medical history).
FCRA (Fair Credit Reporting Act)
- Sets requirements for the privacy, accuracy and disposal of consumer report information, and limits the purposes for which consumer reports (including employment background checks) can legally be obtained and shared.
CCPA (California Consumer Privacy Act). As amended by the California Privacy Rights Act (CPRA), it applies to employee and job applicant data as of January 1, 2023, and allows employees to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or shared, and with whom.
- Opt out of the sale or sharing of their personal data.
- Access their personal data.
- Request that a business delete or correct their personal data.
- Be free from discrimination or retaliation for exercising their privacy rights.
State Data Breach Laws. Every U.S. state (plus Washington, D.C., Guam, Puerto Rico and the U.S. Virgin Islands) has a law requiring organizations to notify affected individuals in the event of a security breach involving personal information. Thresholds, timelines and definitions of personal information differ, so check the specific state laws for up-to-date details.
Workplace privacy. Video surveillance is generally lawful in work areas if it is disclosed to employees, but it is not lawful in areas where employees have a reasonable expectation of privacy, such as washrooms, and some states also prohibit it in spaces set aside for employee rest or comfort, such as break rooms. Audio recording is regulated separately under federal and state wiretap laws: many states require the consent of at least one party to a conversation and some require the consent of all parties, so video surveillance should not capture audio unless the applicable consent requirements have been met.