Editor’s note: This post was originally published in January of 2016 and has been updated for accuracy.
Employee Privacy Laws
All employees have a number of rights at work, including the right to privacy, fair compensation, and freedom from discrimination. Both federal and state governments have enacted a wide range of employment laws protecting employees from discriminatory treatment, unfair labor practices, unsafe work conditions, and more.
In practice, you need to treat all personal information about an employee and their family as private and confidential.
Here are 5 ways you might be breaching employee privacy laws:
- Publishing employee’s personal mobile phone numbers
- Using email for sensitive conversations
- Unsecured employee files
- Poor housekeeping
- No enforcement of data protection policy
Data protection laws
Before we dive into violations of employee privacy laws, it’s important to be familiar with data protection laws and the Privacy Act. In the US, the laws around data protection and privacy rely on a patchwork of national legislation (the Privacy Act of 1974 which dictates how government agencies handle personally identifiable information (PII)), state regulation, and self-regulation.
Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
In practice, private employers typically recognize that they have a serious responsibility to protect sensitive personal information. And to do so, they implement their own robust policies and use best-in-class technology to prevent the dissemination of their employees’ private information.
But in our 24/7, always-on-the-go world, it’s easy to accidentally breach employee privacy laws. Here are five common ways where businesses get it wrong:
With work schedules and rosters, if you’re using applications like Excel, you probably list everyone’s mobile numbers so that you can contact them to find out where they are if they’re running late, or find someone else to cover a shift if they call in sick.
But when you publish a schedule containing this information (i.e. employees’ personal cell phone numbers, not work provided mobiles), and pin it up in your workplace, you’re actually putting your employees at risk along with your business.
Yes, it’s handy for a co-worker to use the list to find a replacement if someone’s called in sick. But what if it falls into the wrong hands? And while we’d like to think that this is highly unlikely, it does happen. Identity theft is becoming increasingly common, you may be unwittingly aiding and abetting a stalker, in the process opening up the potential for a harassment lawsuit.
2. Using email for sensitive conversations
Many employers routinely use email to communicate anything and everything with their employees – the good, the bad, and the ugly. But when you use email for everything, it’s too easy to inadvertently copy or forward sensitive information to other parties. This, of course, can land you in all sorts of trouble and do serious damage to your employer brand. For conversations on remuneration, performance and professional development, choose your communication platform with care!
Record keeping is a basic business requirement. It can be onerous, but it’s certainly not optional.
In Australia, you must keep employee records for 7 years. This includes general details like the employee’s name, commencement date, pay rate, leave entitlements, and more. American-based businesses must retain basic payroll tax records for four years. And it’s prudent to keep records of events like workplace injuries for 10 years or more.
But rather than keeping highly confidential employee data in paper files that are at risk of being compromised, an online system gives you secure but easy access to your files 24×7 with a full audit trail.
While you have obligations to retain employee data, you also have obligations to dispose of out-of-date information. Retaining employee information beyond the legislated requirements can expose your business to legal challenges against your data protection practices.
While you may think your business is safe once you’ve introduced a robust, and compliant personal data protection policy, but if it’s not enforced, it’s essentially meaningless and won’t protect your business in the event of a claim.
A personal data protection policy should be tailored to your business to take account of the particular personal data that you collect and retain. You must communicate the policy to your workers and monitor its use in the business. Getting your employees to sign the policy and keep a copy on their HR file gives you an audit trail and proof that the policy is practiced.
Do you know what rights you have at work? Here’s what to do if your employer is violating one of these laws.
- Talk to your manager
- Bring the legal issue to their attention – they might not even be aware of it.
- File a complaint
- Get a lawyer
- Meet with a local employment for employees attorney sooner rather than later to protect your rights.
See our list below, for more information on privacy and data protection laws:
How Deputy can help
Deputy strives to improve the lives of employers and employees, using technology to transform operations and help businesses thrive. Deputy can handle complex compliance laws that other workforce management software cannot. Multiple rules are enforced every time a schedule is produced or updated to enforce workforce compliance.
U.S. businesses should invest in a time tracking technology to avoid many of the time recording issues faced by most compliance lawsuits.
Subscribe to the Deputy Blog to stay updated on workforce laws and how your business can stay compliant.