Practical Tips on Privacy-Respectful HR Data Practices

Date: May 21, 2003

In today's workplace, all sorts of electronic communications, including telephones, e-mail and the Internet, are in routine use. New delivery vehicles, such as wireless phones, wireless e-mail and hand-held personal digital assistants (PDAs), are commonplace, and employees use laptops and even home computers for work. Biometrics and smart card technology are further changing how employees are identified and how access is controlled. In the post-9/11 environment, both the National Strategy to Secure Cyberspace and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets emphasize the crucial need for data security and physical security of operations.

Balancing worker privacy with corporate security obligations, which cover both the physical security of personnel, third parties and assets, and the security of data, continues to be a complex task. Here are a few tips on electronic surveillance, monitoring and searches in today's workplace:

    • Adopt a written policy establishing that electronic resources (e.g., internal telephone and e-mail systems, lines providing access to the Internet, computer hardware and software, etc.) are the property of the employer. The policy should specifically state that employees have no expectation of privacy in the use of these systems, prohibit unauthorized use of computers and electronic systems by employees or third parties, and reserve the employer's right to access all computer hardware and software in order to implement and enforce the policy.

    • Identify relevant laws and requirements. If you operate outside the U.S., make sure you understand national privacy rules. Database registration and other requirements may apply outside the U.S. and affect HR databases. This may prove particularly problematic as companies move to enterprise data management systems to manage global HR data in a single place. Various laws restrict the transfer of personal data, including HR data, to countries without an "adequate" scheme of protection, posing special challenges for U.S.-based multinationals that consolidate employee records in the U.S. You may also need to modify employee consent procedures and forms to comply with national data protection laws.

    • Limit surveillance and monitoring so that it is work-related and conducted only by trained personnel. Before initiating electronic monitoring, recording or videotaping of employees, identify a legitimate business need, ensure that the monitoring will be applied in a non-discriminatory way, provide at least general notice to employees, and seek legal advice.

    • Inform employees of the general types of data or information that will be collected, the activities (e.g., telephone calls, e-mails, etc.) that will be monitored, and the parties with whom data must or may be shared. State explicitly that information, including personal information, will be shared or disclosed as permitted or required by law; to investigate violations of company policies, the company's rights or the rights of third parties; or to protect company property, employees or third parties.

    • Adopt administrative, physical and technical safeguards to secure HR data. The HIPAA Security Rule (which is organized around those same three categories of safeguards) and the Gramm-Leach-Bliley Safeguards Rule may provide useful guidance even where they do not directly apply. Test your security procedures periodically and update them when the tests, a change in systems, or a new legal requirement show they are no longer adequate.

    • Use special care with employee Social Security numbers. Do not use Social Security numbers as general-purpose employee identifiers, do not post them, and do not leave materials containing them or other sensitive personal information where they could be accessed by unauthorized parties inside or outside the company.

    • Distribute the policy and require employees to acknowledge receipt in writing. Adopt consent procedures for prospective employees as well.

    • Conduct training, education and refresher sessions on your policy.

    • Monitor privacy developments, and update and revise your policy and training sessions as needed.

For more information, please contact Sheila A. Millar at (202) 434-4143, or via e-mail at millar@khlaw.com .