On two fronts, the Human Resources department has an increasingly important role in the privacy and security of an organization’s data. On the one hand, HR collects, uses, retains, stores, and disposes of personal information related to the organization’s applicants, employees, and former employees. Employee personal information is valued by hackers and has been targeted specifically, and it could be exposed by hackers even when not targeted. On the other hand, as a liaison between management and employees, HR typically conducts training and administers personnel policies meant to enhance the security of all the organization’s data, whether employee data, consumer data, or company data. This article discusses the legal obligations and best practices HR should consider in its dual role.
Data privacy for HR starts with minimizing the collection of personal information of applicants and employees. This is not to say that HR should collect less information than it needs, but HR should review the types of personal information it collects, and when the information is collected. A prime example is job applications, which too often collect sensitive personal information (such as Social Security numbers or driver’s license numbers) that should not be collected until the background check or identity verification stages. HR should also be wary of using job applications to collect information that is subject to use restrictions, such as arrest and conviction information, protected characteristics or their proxies, and, in some jurisdictions, past salary information.
Job applications are only the first of many points at which HR collects personal information, and the issue becomes how such information must be preserved. Other categories of personal information collected or created by HR include contact information, bank account numbers, background checks, drug test results, physical exams, health and genetic information, employee benefits information, biometric information, personnel action records, payroll records, and more. HR might also administer employee wellness programs or flu shot clinics, or it might be on the HIPAA team for the company’s group health plans. HR should consider conducting a data inventory to understand each of the ways it collects personal information, and the types of personal information it collects, so that it can determine how such information should be stored, and how long it should be retained.
To complicate matters further, nearly all of the categories of information named above are subject to one or more specific federal or state record retention statutes. For example, the FMLA requires retention of leave-related records for at least three years; the FLSA requires retention of certain payroll records for at least three years (and state laws often require longer); and federal law requires retention of personnel action records for at least one year.[1] Other statutes, such as the Texas biometric privacy statute, take the opposite approach by mandating destruction after a maximum length of time.[2]
Because employers have to collect personal information and they have to retain it, the issue becomes how to retain it securely. For practical reasons, employers often store the information above in a single personnel file for each employee.[3] At least some of the information in the file is likely entitled to special protection under applicable law. For example, under Texas law, companies that store “sensitive personal information” are required to implement and maintain reasonable procedures to prevent it from being unlawfully disclosed.[4] At the outset, HR can help lessen the burden of maintaining information by developing an approach to retaining data consistent with the applicable retention laws.
Although there are industry-standard security frameworks, there is not a “one size fits all” approach to what constitutes a “reasonable procedure” for secure data retention.[5] Some of the common technical measures – such as controls on access to electronic data, or encryption in transit and at rest – fall in the domain of IT. Many companies, such as those with obligations under HIPAA or the Gramm-Leach-Bliley Act, already have data security programs in place, and they can consider extending those programs to HR data. HR has a role here, too, by implementing personnel policies that control employees’ access to company information. HR should also work with IT to train employees on information security awareness. Implementing these measures can serve the dual purposes of securing employee data and other company data, such as consumer data.
HR’s role does not end when employee data is securely stored, because there is still the privacy issue of how the stored employee data can be used. In what might be an example of an emerging trend, California has enacted the California Consumer Privacy Act (CCPA), a comprehensive data privacy law that gives employees a variety of rights to their employee data.[6] As currently drafted,[7] the CCPA will give employees the rights to request access to their personal information, request deletion of their personal information, request disclosure of the business purpose for which their personal information is used, request disclosure of the third parties with whom the employer shares their personal information, and receive certain notices, among others.[8] The emergence of comprehensive data privacy laws underscores the importance of having a data inventory that will enable compliance with obligations to employees.
Lastly, HR should understand how to dispose of data securely. Secure disposal is not only a good practice, it is a legal requirement as to certain types of data.[9] When the data’s retention period expires, HR should train employees to identify and securely destroy documents and digital files containing employee personal information.
For any company meeting the ongoing challenge of data privacy and security, HR has important roles to play, specifically as to employee data, but also as to all data stored by the company. HR must be prepared to collect, use, store, retain, and dispose of personal information consistent with company practice and applicable law, and to equip employees to do the same.
1. 29 C.F.R. § 825.500 (FMLA records); 29 C.F.R. § 516.5 (FLSA records); 29 C.F.R. § 1602.14.
2. Tex. Bus. & Com. Code § 503.001 (c)(3) (mandating destruction of biometric identifiers within a reasonable time not later than one year after the purpose for collecting the biometric identifier expires).
3. An important exception is employee medical information, which should be stored in a separate file.
4. Tex. Bus. & Com. Code § 521.052 (a) (requiring implementation of reasonable procedures to protect “sensitive personal information”). “Sensitive personal information” is generally defined as an individual’s name in combination with his or her social security number, identification card number, or account number and access code. Tex. Bus. & Com. Code § 521.002 (a)(2).
5. Some state laws are more specific than Texas on this point. For example, as we have previously written, Ohio law specifically recognizes that certain industry norms constitute reasonable security.
6. Please see page 13 herein for more information about the CCPA’s effects on employee data.
7. The California legislature is currently considering an amendment to the CCPA (Assembly Bill 25) that, in its current form, would delay most obligations related to employee data until January 1, 2021.
8. Less dramatic regulation of use of employee data exists in other areas of the law. For example, by statute, employee genetic information cannot be used in making employment decisions. 42 U.S.C. § 2000ff–1(a). Other employee data, such as background check information, should only be used consistent with the scope of the employee’s authorization. 15 U.S.C. § 1681b. In some jurisdictions, state laws simply give employees the right to access their personnel files. See, e.g., 820 Ill. Comp. Stat. 40/2 (Illinois statute granting employees the right to inspect personnel documents).
9. See, e.g., 16 C.F.R. § 682.3 (requiring secure disposal of background checks); Tex. Bus. & Com. Code § 521.052 (a) (requiring implementation of reasonable procedures to protect “sensitive personal information”).