In many cases, this information is stored on your HRMS, but could betransmitted at some point to outside parties such as insurance carriers,employee self-service providers, or external auditors. How can you ensure theprivacy of this information?
Here are a few steps you can take:
1) Evaluate your outside contacts. These can include any of the following:
Health insurance carriers and administrators (includes flexible spendingaccounts, COBRA, workers’ compensation, long-term disability, etc.)
Outside employee self-service providers
External compensation consultants or survey firms
Corporate auditors or other governmental agencies
Once you’ve identified the potential places where employee information maybe available outside the organization, begin dialogue with these vendors on howthey protect the privacy of the data. Develop specific, written agreements onhow this information will be protected and the terms under which the informationwill be used. This not only helps protect your information but also determinesthe integrity of your vendor.
2) Evaluate your inside contacts. Some examples would be:
Human resources staff, especially field-office staff that may be in manylocations
Finance and accounting analysts
Information technology analysts, especially those with access to the HRMS
Internal security personnel
Once you’ve identified these individuals, again review whether they need tohave access to potentially private employee information and, if so, remind themof their duty to protect the confidentiality of the data. This could includetraining seminars or a policy that explicitly indicates the need for maintainingthe privacy of employee information and the consequences of not complying.
3) Develop a corporate employee information protection policy. This is notunlike the policies that you’ve been seeing from every bank, credit cardissuer, or other service company that states how your personal information willor will not be used and, primarily, shared with other organizations.
However, in the employee information area, the focus is on protecting theprivacy of the information and stating how it will be protected; you won’t besharing the information for "marketing" purposes. Evaluate the places whereyou collect employee information and have a statement at each of those "collectionpoints" that simply states that this information will be kept confidential andwill be used only for employment, benefits, or law-related issues.
The language and wording in this policy is only an example of some of theitems that can be included. Additional items may be added or removed accordingto your own corporate situation and workforce. Please review any policydeveloped from this sample with legal counsel before distribution.
The XYZ Corporation, in the course of its business practice and, in somecases, as required by law, collects, uses, and maintains personal andconfidential information about each employee. This information is used for manypurposes, including:
Compliance with federal, state, or local laws
Determination of eligibility for employment
Determination of eligibility for employee benefits
Communication with employees regarding the company
Other company-sponsored programs (not employment-related) that rely onfactors such as age, gender, geographic location, etc. (e.g.,retirement-planning seminars)
We respect the privacy of our employees and the confidentiality of personalinformation. At no time will confidential information be knowingly shared ordisseminated to unauthorized parties. To attain this standard, XYZ Corporationhas committed significant resources to ensuring the safety and confidentialityof our employees’ personal information. This is done through:
[LIST WAYS IN WHICH YOU PROTECT INFORMATION--MAY INCLUDE SPECIFIC SECURITYMEASURES ON YOUR HRMS, EMPLOYEE TRAINING REGARDING CONFIDENTIALITY, ON-SITESECURITY PERSONNEL AROUND EMPLOYEE INFORMATION, ETC.]
[If you have some sort of employee self-service (e.g., Web site, interactivevoice-response system, or intranet), include the following:
We also have electronic technologies that enable us to efficiently manage ouremployees’ information. Examples of these include [list examples here]. Wehave protected our systems from unwanted access through the following securitymeasures:
[LIST EXAMPLES OF DATA-ENTRY SECURITY SUCH AS ENCRYPTION, FIREWALLS,ID/PASSWORD COMBINATIONS, ETC.]
WHEN WE SHARE INFORMATION
As part of our commitment to your privacy, certain policies have beenestablished to protect your information when it is shared inside and outside thecompany. Employees of XYZ Corporation that are authorized to have access toemployee information have received specific instruction in issues of informationconfidentiality, and their actions are covered under Policy X in the XYZCorporation Employee Handbook.
It is also necessary for information to be shared with outside organizationssuch as health-plan providers, governmental agencies, and other third-partyvendors. In cases where confidential information might be shared, specificwritten agreements regarding confidentiality are enacted and monitored with anyoutside organization.
In all other cases in which information might be shared with individuals ororganizations that may not have specific policies or agreements in place, XYZCorporation will obtain permission from any affected employee prior to releasingthe information, unless the law prescribes otherwise.
This is intended to provide useful information on the topic covered, butshould not be construed as legal advice or a legal opinion.
Workforce Online, December 2002 -- Register Now!