The use of personal information is commonplace in the hiring, promotion and termination processes. Employers also may have access to employee health records containing information about an individual’s physical health, medical family history and prescription drug use. Having access to these personal details can be risky with regard to an employee’s right to privacy.
At times, employers will obtain consumer reports to evaluate employees for hiring purposes, reassignments and retentions. Under the Fair Credit Reporting Act (FCRA), the employer must protect the privacy of the employee regarding the information on the report, as it may contain credit payment records, driving records and history of any criminal activity. Before obtaining a copy of a consumer report, the employer must obtain written permission from the individual.
As of June 1995, employers were required to dispose of consumer reports in a specific manner to reduce the risk of identity theft and other forms of consumer fraud. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of this Disposal Rule.
According to the Consumer Financial Protection Bureau (CFPB), the standard for proper disposal of consumer report information is flexible and allows the organizations covered by the rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
As a stipulation of this regulation, employers must burn, pulverize or shred papers so that information cannot be read or reconstructed. In addition, electronic data must be destroyed or erased by overwriting the information so it cannot be read or reconstructed as well. Beyond this, employers can seek out a document destruction contractor in due diligence to dispose of the material.
Also, effective January 1, 2013, the Fair Credit Reporting Act (FCRA) requires new background forms explaining consumer rights be distributed to potential employees. Failure to update or distribute these forms may result in substantial fines.
Employees have great protections concerning the privacy of their medical records and employer use of this type of information. Employers should become familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates the access, use and disclosure of protected health information (PHI). For instance, HIPAA includes nondiscrimination rules regarding charging employees more or denying coverage based on health factors, genetic information or wellness activities.
Drug testing is one of the more widely used forms of medical testing in the workforce. Alcohol testing may also be standard in your industry as well, to reduce the risk that employees will act negligently while under the influence on the job. However, some states have regulations concerning employment-related drug or alcohol screenings. Check applicable laws before conducting testing.
If personal information about employees is transmitted electronically, the security of the information may be questioned. When individuals send personal information electronically outside of work, the security of the information is their own responsibility. At work, however, employees likely expect that the network is secure—if an individual sends an email to HR verifying personal information, he or she does not anticipate that unauthorized parties will be able to access that information.
As an employer, it is important to discuss electronic privacy with your employees. Having employees sign a statement acknowledging that the company can access any information sent or received on its network is a good place to start. It seems simple, but this acknowledgement could save you from litigation.
To protect your company against privacy infringement against your employees, learn about relevant laws and ensure your policies and procedures comply.