Safeguarding employees’ privacy requires an effective policy, sound practices and ongoing communication.
Beverly Widger, SPHR, senior vice president for human resources at Claremont Savings Bank in Claremont, N.H., introduces new hires to the realm of corporate privacy during orientation. "We are constantly aware of our customers’ privacy as well as our own employees’ privacy," says Widger, a member of the Society for Human Resource Management’s (SHRM) Employee Relations Special Expertise Panel.
Widger and other HR managers at companies with mature privacy programs emphasize that creating privacy policies represents only one of several components necessary for effective privacy management. They say managing the policies requires board-level action, an ongoing collaborative management effort, employee education and, just as important, making the policies meaningful to all employees.
That explains why HR professionals play a crucial role in managing privacy policies and why Widger presents real-world scenarios related to privacy during orientation and in workforce communication.
Says Bernard Ruesgen, SPHR, logistics HR group manager for Sports Authority in Englewood, Colo.: "Whether you’re talking about Internet security, e-mail security, personnel files, health care or other privacy issues that touch almost every element of the business, you have to make it meaningful." In short, HR professionals need to place these policies in a context that employees can relate to.
This communication effort never ends, privacy experts say, because of the expanding use of technology and communication in personal and business lives. The risks of mismanaging employees’ privacy can be severe: lost revenue, lost productivity, legal or regulatory actions, declines in brand value and shareholder value, and recruiting and retention problems.
HR professionals need to understand privacy issues to manage and mitigate the risks associated with the data they work with, says J. Trevor Hughes, executive director of the International Association of Privacy Professionals (IAPP) in York, Maine.
An Emerging Patchwork
Corporate privacy generally covers customer and employee privacy, with subcategories including the privacy of job applicants and how vendors such as benefits providers protect the privacy of client companies’ employees. The emergence of the chief privacy officer position reflects the growing importance of corporate privacy management. (See "New Face in the C-Suite" in the January 2010 issue of HR Magazine.)
Hughes says HR professionals should sharpen their skills in spotting privacy issues, an area of expertise covered in the Certified Information Privacy Professional designation that the IAPP offers members. Yet, spotting such issues can be tricky, given the fluctuations in privacy regulations globally.
The European Union requires companies doing business in its member countries to adhere to employee privacy principles. The U.S. government has not passed a sweeping privacy law since the Electronic Communications Privacy Act of 1986, which regulates how employers monitor employee telephone calls.
Since then, a patchwork of requirements has slowly developed, notes Philip Gordon, a shareholder in Littler Mendelson’s Denver office and chair of the employment and labor law firm’s data privacy and protection practice.
The Americans with Disabilities Act of 1990 contains confidentiality requirements, and the Health Insurance Portability and Accountability Act of 1996 includes rules protecting the security and privacy of employee health data. Most recently, the Genetic Information Nondiscrimination Act of 2008—which prevents employers from using genetic information, including family medical histories, in staffing decisions—and several state laws governing personal data have been enacted. In addition, the threat of identity theft casts privacy protection in a new light; many state laws require notice when there has been a privacy breach.
As such privacy protection increases, corporate policies concerning privacy require improvement, insists Lewis Maltby, president and founder of the National Workrights Institute in Princeton, N.J., and author of Can They Do That? Retaking Our Fundamental Rights in the Workplace (Portfolio, 2010).
As a result, employees’ expectations and employers’ actions concerning privacy frequently are misaligned, creating problems. Maltby notes that 25 percent of employers have fired employees because of "inappropriate" e-mails, yet many organizations fail to define what "inappropriate" means.
"Some privacy advocates suggest that employers are Big Brother and want to spy on employees," Maltby says. "That’s not the case. This is a sin of omission. … Employees have virtually no privacy in e-mail communications, text messages or web sites that they visit at work. And when they find out, it damages morale and productivity in ways that don’t usually get noticed. On occasion, it affects recruitment and retention."
Creating a Policy
Many companies create two types of policies, says Gordon. An employee-facing policy provides relatively high-level principles governing the organization’s collection, use, disclosure, safeguarding and disposal of employee data. An operational policy or manual is directed internally for people who access and use employee data to perform legitimate job functions.
The principles typically describe what employee data the company collects and how the data are collected; used; shared, if applicable; accessed; stored; and, when necessary, disposed of. The operational policy usually consists of numerous policies tailored to the privacy issues of different departments and groups. Companies such as Claremont Savings Bank, Sports Authority and Eastman Kodak Co. in Rochester, N.Y., follow the approach Gordon describes.
For example, when job candidates visit Kodak’s job-posting site, they see a privacy notice geared toward them; this notice differs from both the policy employees see and the policies directed at customers.
A compliance officer develops the policies and makes updates, and an internal auditor ensures that the policies are being adhered to, says Widger, who recently worked with her compliance officer, the bank’s top IT executive and other senior-level officers to expand the policy to address social media issues.
HR professionals help craft and communicate the policies while operating as perhaps the organization’s most important protectors of employee privacy.
"HR professionals may be touching more-sensitive, and potentially more-damaging, personal data than anyone else," says Hughes. "As our concept of sexual harassment evolved, HR professionals became educated and more sophisticated in their management of those issues. As our concept of privacy in the marketplace evolves, HR professionals are going to have to step up once again and get themselves educated on, and aware of, these issues."
One reason Brian O’Connor, Kodak’s chief security and privacy officer, works closely with HR colleagues: "HR can help by making sure that what you are drafting can be understood by the average employee," he says.
And don’t just look at your own organization, Widger notes. "Look at your payroll provider, your benefits provider, your 401(k) provider—any vendor that you use—to understand what they have in place to protect your employees’ information."
SAS 70 audits were developed by the American Institute of Certified Public Accountants beginning in the late 1980s and completed in the early 1990s. Their use has increased since enactment of the Sarbanes-Oxley Act of 2002. The audits come in two types, which differ in rigor, and are designed to help vendors show client companies that their internal privacy controls are up to snuff.
All of this can sound overwhelming to HR professionals in organizations without formal privacy functions or pre-Internet-era policies in hard-copy employee handbooks. Fortunately, there are several steps that can kick-start improvement efforts. (See the sidebar "Get Started.") The most important step for HR professionals involves understanding and accepting their key roles in shaping and disseminating privacy policies.
"The more personal stories that you can give to help drive home the importance of the policy, the better," Widger advises.
Consider a Model Policy
Below are some tips for improving privacy management:
Begin with principles. Mature corporate privacy programs typically contain detailed operational policies as well as high-level principles that briefly and clearly state how employee information will be collected and safeguarded. Communicating those principles can better align the privacy management expectations of employees and managers.
Define “inappropriate.” This step is crucial, according to Maltby, and requires addressing difficult questions. “Figure out what you’re going to permit in a systematic manner and then communicate that upfront to your employees,” he insists.
Consider Internet time curbs. The biggest problem posed by employee Internet surfing is not pornography or other offensive site visits, according to Maltby. “The biggest problem is the lost time.” Web-access software that only blocks offensive sites does not address this problem. Maltby says other software can support specific privacy policies, including applications that eliminate access to Facebook, Amazon, ESPN and all other sites not related to work, after employees have used an allotted personal surfing time.
Lose the legalese. Human resource professionals should play a key role in translating legal privacy issues into practice. It’s “easy to have your general counsel stamp out something that reads like a lawyer wrote it,” says Bernard Ruesgen, SPHR, logistics HR group manager for retail chain Sports Authority. HR professionals have “to put a human touch on the whole process.”
SHRM article: New Face in the C-Suite (HR Magazine)
SHRM article: U.S. Supreme Court to Hear Employee Text Message Privacy Case (SHRM Online Legal Issues)
SHRM video: Jason Morris, president and chief operating officer of employeescreenIQ, discusses safekeeping employee and applicant data
SHRM sample policy: Employee Records Confidentiality Philosophy
SHRM sample policy: Personnel Information Disclosure to External Parties
SHRM sample policy: Cameras in the Workplace
SHRM sample policy: Recording Devices in the Workplace
Web site: The International Association of Privacy Professionals