RSS icon

Top Stories

Privacy Policies in a Self-Service World

These steps, along with a sample privacy policy, will help protect the best interests of employees.

November 28, 2002
Related Topics: Policies and Procedures
Perhaps you have general policies in place that address some of thehigh-profile areas of privacy--employee monitoring, searches, random drugtesting, even protection of medical information (can you say HIPAA?). But mostlikely you are or will be dealing with some sort of employee self-service,through which employees are able to make changes to their own personalinformation or make benefit elections.

    In many cases, this information is stored on your HRMS, but could betransmitted at some point to outside parties such as insurance carriers,employee self-service providers, or external auditors. How can you ensure theprivacy of this information?

    Here are a few steps you can take:

    1) Evaluate your outside contacts. These can include any of the following:

  • Health insurance carriers and administrators (includes flexible spendingaccounts, COBRA, workers’ compensation, long-term disability, etc.)

  • Outside employee self-service providers

  • External compensation consultants or survey firms

  • Payroll providers

  • Corporate auditors or other governmental agencies

    Once you’ve identified the potential places where employee information maybe available outside the organization, begin dialogue with these vendors on howthey protect the privacy of the data. Develop specific, written agreements onhow this information will be protected and the terms under which the informationwill be used. This not only helps protect your information but also determinesthe integrity of your vendor.

    2) Evaluate your inside contacts. Some examples would be:

  • Human resources staff, especially field-office staff that may be in manylocations

  • Finance and accounting analysts

  • Information technology analysts, especially those with access to the HRMS

  • Internal security personnel

  • Payroll staff

    Once you’ve identified these individuals, again review whether they need tohave access to potentially private employee information and, if so, remind themof their duty to protect the confidentiality of the data. This could includetraining seminars or a policy that explicitly indicates the need for maintainingthe privacy of employee information and the consequences of not complying.

    3) Develop a corporate employee information protection policy. This is notunlike the policies that you’ve been seeing from every bank, credit cardissuer, or other service company that states how your personal information willor will not be used and, primarily, shared with other organizations.

    However, in the employee information area, the focus is on protecting theprivacy of the information and stating how it will be protected; you won’t besharing the information for "marketing" purposes. Evaluate the places whereyou collect employee information and have a statement at each of those "collectionpoints" that simply states that this information will be kept confidential andwill be used only for employment, benefits, or law-related issues.

    As with all such things, have your new policies and procedures reviewed bylegal counsel before putting them out to your employees. And keep in mind thatan employee information privacy policy is not required, but rather is anemployee-relations booster that puts a good face on your HR efforts. It’s goodfor business and can help employees feel better about the company.



    The language and wording in this policy is only an example of some of theitems that can be included. Additional items may be added or removed accordingto your own corporate situation and workforce. Please review any policydeveloped from this sample with legal counsel before distribution.

    The XYZ Corporation, in the course of its business practice and, in somecases, as required by law, collects, uses, and maintains personal andconfidential information about each employee. This information is used for manypurposes, including:

  • Compliance with federal, state, or local laws

  • Determination of eligibility for employment

  • Determination of eligibility for employee benefits

  • Communication with employees regarding the company

  • Other company-sponsored programs (not employment-related) that rely onfactors such as age, gender, geographic location, etc. (e.g.,retirement-planning seminars)

    We respect the privacy of our employees and the confidentiality of personalinformation. At no time will confidential information be knowingly shared ordisseminated to unauthorized parties. To attain this standard, XYZ Corporationhas committed significant resources to ensuring the safety and confidentialityof our employees’ personal information. This is done through:


    [If you have some sort of employee self-service (e.g., Web site, interactivevoice-response system, or intranet), include the following:

    We also have electronic technologies that enable us to efficiently manage ouremployees’ information. Examples of these include [list examples here]. Wehave protected our systems from unwanted access through the following securitymeasures:




    As part of our commitment to your privacy, certain policies have beenestablished to protect your information when it is shared inside and outside thecompany. Employees of XYZ Corporation that are authorized to have access toemployee information have received specific instruction in issues of informationconfidentiality, and their actions are covered under Policy X in the XYZCorporation Employee Handbook.

    It is also necessary for information to be shared with outside organizationssuch as health-plan providers, governmental agencies, and other third-partyvendors. In cases where confidential information might be shared, specificwritten agreements regarding confidentiality are enacted and monitored with anyoutside organization.

    In all other cases in which information might be shared with individuals ororganizations that may not have specific policies or agreements in place, XYZCorporation will obtain permission from any affected employee prior to releasingthe information, unless the law prescribes otherwise.

This is intended to provide useful information on the topic covered, butshould not be construed as legal advice or a legal opinion.

Workforce Online, December 2002 -- Register Now!

Recent Articles by William Dickmeyer, CEBS

Comments powered by Disqus

Hr Jobs

View All Job Listings