Privacy Matters

Beverly Widger, SPHR, senior vice president for human resources at Claremont Savings Bank in Claremont, N.H., introduces new hires to the realm of corporate privacy during orientation. "We are constantly aware of our customers’ privacy as well as our own employees’ privacy," says Widger, a member of the Society for Human Resource Management’s (SHRM) Employee Relations Special Expertise Panel.

Widger and other HR managers at companies with mature privacy programs emphasize that creating privacy policies represents only one of several components necessary for effective privacy management. They say managing the policies requires board-level action, an ongoing collaborative management effort, employee education and, just as important, making the policies meaningful to all employees.

That explains why HR professionals play a crucial role in managing privacy policies and why Widger presents real-world scenarios related to privacy during orientation and in workforce communication.

Says Bernard Ruesgen, SPHR, logistics HR group manager for Sports Authority in Englewood, Colo.: "Whether you’re talking about Internet security, e-mail security, personnel files, health care or other privacy issues that touch almost every element of the business, you have to make it meaningful." In short, HR professionals need to place these policies in a context that employees can relate to.

This communication effort never ends, privacy experts say, because of the expanding use of technology and communication in personal and business lives. The risks of mismanaging employees’ privacy can be severe: lost revenue, lost productivity, legal or regulatory actions, declines in brand value and shareholder value, and recruiting and retention problems.

HR professionals need to understand privacy issues to manage and mitigate the risks associated with the data they work with, says J. Trevor Hughes, executive director of the International Association of Privacy Professionals (IAPP) in York, Maine.

An Emerging Patchwork

Corporate privacy generally covers customer and employee privacy, with subcategories including the privacy of job applicants and how vendors such as benefits providers protect the privacy of client companies’ employees. The emergence of the chief privacy officer position reflects the growing importance of corporate privacy management. (See "New Face in the C-Suite" in the January 2010 issue of HR Magazine.)

Hughes says HR professionals should sharpen their skills in spotting privacy issues, an area of expertise covered in the Certified Information Privacy Professional designation that the IAPP offers members. Yet, spotting such issues can be tricky, given the fluctuations in privacy regulations globally.

The European Union requires companies doing business in its member countries to adhere to employee privacy principles. The U.S. government has not passed a sweeping privacy law since the Electronic Communications Privacy Act of 1986, which regulates how employers monitor employee telephone calls. 

Since then, a patchwork of requirements has slowly developed, notes Philip Gordon, a shareholder in Littler Mendelson’s Denver office and chair of the employment and labor law firm’s data privacy and protection practice.

The Americans with Disabilities Act of 1990 contains confidentiality requirements, and the Health Insurance Portability and Accountability Act of 1996 includes rules protecting the security and privacy of employee health data. Most recently, the Genetic Information Nondiscrimination Act of 2008—which prevents employers from using genetic information, including family medical histories, in staffing decisions—and several state laws governing personal data have been enacted. In addition, the threat of identity theft casts privacy protection in a new light; many state laws require notice when there has been a privacy breach.

As such privacy protection increases, corporate policies concerning privacy require improvement, insists Lewis Maltby, president and founder of the National Workrights Institute in Princeton, N.J., and author of Can They Do That? Retaking Our Fundamental Rights in the Workplace (Portfolio, 2010).

At many companies, the privacy policy "is what employees see on their screens when they turn their computers on," Maltby explains. "That so-called notice is really a reservation of rights. It doesn’t really indicate anything about the company’s actual privacy practice."

As a result, employees’ expectations and employers’ actions concerning privacy frequently are misaligned, creating problems. Maltby notes that 25 percent of employers have fired employees because of "inappropriate" e-mails, yet many organizations fail to define what "inappropriate" means.

"Some privacy advocates suggest that employers are Big Brother and want to spy on employees," Maltby says. "That’s not the case. This is a sin of omission. … Employees have virtually no privacy in e-mail communications, text messages or web sites that they visit at work. And when they find out, it damages morale and productivity in ways that don’t usually get noticed. On occasion, it affects recruitment and retention."

Creating a Policy

The first step in aligning privacy expectations involves creating a corporate privacy policy.

Many companies create two types of policies, says Gordon. An employee-facing policy provides relatively high-level principles governing the organization’s collection, use, disclosure, safeguarding and disposal of employee data. An operational policy or manual is directed internally for people who access and use employee data to perform legitimate job functions.

The principles typically describe what employee data the company collects and how the data are collected; used; shared, if applicable; accessed; stored; and, when necessary, disposed of. The operational policy usually consists of numerous policies tailored to the privacy issues of different departments and groups. Companies such as Claremont Savings Bank, Sports Authority and Eastman Kodak Co. in Rochester, N.Y., follow the approach Gordon describes.

For example, when job candidates visit Kodak’s job-posting site, they see a privacy notice geared toward them; this notice differs from both the policy employees see and the policies directed at customers.

Widger and Ruesgen emphasize that developing a corporate privacy policy is a board-level effort requiring regular and deep collaboration among HR, legal, information technology (IT) and privacy professionals. "Create a cross-functional team," Gordon says. "No single person has all of the knowledge or skills necessary."

Each year, Claremont Savings Bank’s compliance officer and at least one other senior officer review the bank’s privacy policy. After that, the policy goes to the board for approval. Then, Widger and her team communicate the policy—focusing on updates and areas requiring attention—to managers and employees, who are required to sign off annually. Training, online or in person, accompanies the effort.

A compliance officer develops the policies and makes updates, and an internal auditor ensures that the policies are being adhered to, says Widger, who recently worked with her compliance officer, the bank’s top IT executive and other senior-level officers to expand the policy to address social media issues.

HR’s Role

HR professionals help craft and communicate the policies while operating as perhaps the organization’s most important protectors of employee privacy.

"HR professionals may be touching more-sensitive, and potentially more-damaging, personal data than anyone else," says Hughes. "As our concept of sexual harassment evolved, HR professionals became educated and more sophisticated in their management of those issues. As our concept of privacy in the marketplace evolves, HR professionals are going to have to step up once again and get themselves educated on, and aware of, these issues."

This awareness extends beyond having employees sign receipts for handbooks that contain the privacy policy and even beyond the company’s walls. "Incorporate the elements of the policy into your daily discussions," Ruesgen says. "If you have a managers’ meeting that covers leave-of-absence policies, a natural segue into privacy exists, and you have to leverage that conversation." In the situation Ruesgen describes, for example, explain to managers that if an employee takes leave for a personal medical or financial reason, that information must remain confidential.

One reason Brian O’Connor, Kodak’s chief security and privacy officer, works closely with HR colleagues: "HR can help by making sure that what you are drafting can be understood by the average employee," he says.

And don’t just look at your own organization, Widger notes. "Look at your payroll provider, your benefits provider, your 401(k) provider—any vendor that you use—to understand what they have in place to protect your employees’ information."

Claremont Savings Bank requires relevant vendors to complete Statement of Auditing Standards (SAS) 70 audits and to sign a privacy policy agreement stating that they will keep employee information confidential and protected.

SAS 70 audits were developed by the American Institute of Certified Public Accountants in the late 1980s and finished in the early 1990s. Their use has increased since enactment of the Sarbanes-Oxley Act of 2002. The audits come in two types, depending on their rigor, and are designed to help vendors show client companies that internal privacy controls are up to snuff.

All of this can sound overwhelming to HR professionals in organizations without formal privacy functions or pre-Internet-era policies in hard-copy employee handbooks. Fortunately, there are several steps that can kick-start improvement efforts. (See the sidebar "Get Started.") The most important step for HR professionals involves understanding and accepting their key roles in shaping and disseminating privacy policies.

"The more personal stories that you can give to help drive home the importance of the policy, the better," Widger advises.