employee privacy policy

An employee privacy policy is documentation specifying an organization's rules and procedures for gathering, using and disclosing the personal information of former, current or prospective employees. Some elements of privacy policies may be mandated by labor laws, while others are specific to a given organization.

An employee privacy policy should define what constitutes personal information and the means by which it might be collected. As a rule, most companies define personal information to include all employee data (such as home address and work history), and all communications that are not work-related.

A policy should clearly stipulate situations in which an employee should not assume their data and communications are private. Phone calls, texts, emails and social media communications that are transmitted on corporate-owned equipment, for example, are not legally protected. Software and websites that are not required for business purposes may be restricted according to policy or blocked to prevent problems.

It's also important to specify under what conditions employee data will be disclosed. Those conditions could include situations where the employee had consented, emergency situations and legal situations, such as a warrant or a court order.

Privacy policies should also disclose any employee monitoring systems, such as video recording. Employees should be provided with copies of the privacy policy and should be required to confirm that they have read and understood it.

Personal data is becoming more valuable as networked devices are frequently used for both work and personal purposes. With sensitive data exchanged on these devices, employees are often concerned that their data may be poorly handled and leaked to malicious entities. A good employee privacy policy aims to prevent these concerns with upfront disclosures.

Frequent employee privacy concerns

Privacy-related issues employees are likely to be concerned about include the following:

  • What personal information/data is being collected about them.
  • Why it is being collected.
  • With whom it is being shared.
  • How their sensitive personal information/data is being protected.
  • Email privacy.
  • Whether use of company assets (such as mobile devices, internet) is being monitored.
  • Whether they are subject to video surveillance.
  • Whether they must submit to background checks and/or drug tests.
  • Whether their use of social media outside the company is being monitored and/or can be controlled.
  • What happens to their personal information/data after they are terminated and/or no longer working for an employer.
  • What their privacy rights are in relation to their personal information/data, such as their ability to access, refuse to provide, request deletion, amend, correct or transfer their personal data.

What is protected employee information?

Typically, only personal information (aka personal data or Personally Identifiable Information, or PII) is afforded special protection by employee data privacy regulations. This usually includes one or more types of personal information that identifies or is linked to an identifiable living individual (such as name, address, phone number, birth date, Social Security number, medical records, etc.). In some cases, it includes a combination of such information that could potentially identify an individual (e.g., birth date, gender and postal code taken together).

Certain types of sensitive data are often given enhanced protection under privacy regulations such as GDPR (General Data Privacy Regulation). Sensitive data under GDPR, for example, includes race, ethnicity or national origin, political opinions or associations, union membership, sexual orientation, marital status, health-related information, and criminal history.

In the United States, a few federal statutes protect specific types of personal information. One key law is the Health Insurance Portability and Accountability Act (HIPAA), which protects PII when it is used in a medical context (for covered entities). Combined (PII + medical information), this type of personal data is known as PHI (Personal Health Information). In addition, most U.S. states have laws concerning data security and data breach notification. Many of these laws are focused on identity theft and/or financial protection measures that generally aim to protect Social Security numbers and similar financial personal information against unauthorized use or disclosure.

Some states in the United States, such as California, have enacted stricter, more comprehensive privacy laws, and this trend is expected to continue in the United States. Those laws offer the consumers covered by them more comprehensive data privacy protection.

Building an employee privacy policy

In general, a great way to prepare for creating an employee privacy notice is to create a personal data processing register, data inventory and/or data map, which identifies the following:

  • Business processes that your organization performs involving personal data and their purposes.
  • How the data is collected for each business process.
  • How the data is used by the organization.
  • Where the data is stored and who (internally and externally) it is shared with.
  • Where and how data is transferred.
  • How data is protected.
  • How long data is retained.

The above information can then be used to determine what privacy regulations apply to the personal information/data, and can be used to create compliant processes and a privacy notice, which addresses the requirements of those regulations.

An employee privacy policy should include:

  • Categories of personal information and data the employer collects about the employee.
  • How the personal information/data is used/purpose of processing.
  • Legal basis for processing the personal information/data, where applicable.
  • Recipients or categories of recipients of the personal information/data.
  • Whether the personal information/data will be transferred out of the country, and the legal mechanism to protect the data when transferred, where applicable.
  • Storage and security policies relating to the personal information/data.
  • How long the organization will keep the personal information/data; how this was decided.
  • Employee rights relating to the personal information/data, if applicable.
  • Any employer statutory obligations as they relate to the personal information/data.
  • How to exercise your rights (who to contact), where applicable.
  • Effective date of the privacy notice.

Please note that the elements that should be included vary by state and by whether a regulation is in scope for specific employees.

Laws and federal regulations

A few examples of laws and federal regulations include:

HIPAA (Health Insurance Portability and Accountability Act)

  • Protects the confidentiality and security of protected health information. Compliance is required for healthcare organizations and their business associates.

GINA (Genetic Information Nondiscrimination Act)

  • Protects Americans from discrimination based on genetic information (such as genetic testing and family medical history) by employers and health insurance providers.

FACTA (Fair and Accurate Credit Transactions Act)

  • Sets requirements for information privacy, accuracy and disposal; limits the ways consumer information can legally be shared.

CCPA (California Consumer Privacy Act). Allows employees to:

  • Know what data is being collected about them.
  • Know if their personal data is sold or shared, and with whom.
  • Block the sale of their own personal data.
  • Access their own personal data.
  • Request that a business deletes their personal data.
  • Receive no discrimination for using their rights to privacy.

State Data Breach Laws. Each U.S. state (plus Washington D.C., Guam, Puerto Rico, and the Virgin Islands) has laws requiring organizations to notify individuals in the event of a security breach involving personal information. It is important to check specific state laws for up-to-date details on regulations.

Workplace privacy. While video surveillance is legal in workplace areas if disclosed, it is not legal in other common areas, such as washrooms and break rooms. Within the United States, video surveillance cannot include audio recording, which is illegal under wiretap law.

This was last updated in March 2020
