Privacy Matters

Safeguarding employees’ privacy requires an effective policy, sound practices and ongoing communication.

By Eric Krell Feb 1, 2010

Beverly Widger, SPHR, senior vice president for human resources at Claremont Savings Bank in Claremont, N.H., introduces new hires to the realm of corporate privacy during orientation. "We are constantly aware of our customers’ privacy as well as our own employees’ privacy," says Widger, a member of the Society for Human Resource Management’s (SHRM) Employee Relations Special Expertise Panel.

Widger and other HR managers at companies with mature privacy programs emphasize that creating privacy policies represents only one of several components necessary for effective privacy management. They say managing the policies requires board-level action, an ongoing collaborative management effort, employee education and, just as important, making the policies meaningful to all employees.

That explains why HR professionals play a crucial role in managing privacy policies and why Widger presents real-world scenarios related to privacy during orientation and in workforce communication.

Says Bernard Ruesgen, SPHR, logistics HR group manager for Sports Authority in Englewood, Colo.: "Whether you’re talking about Internet security, e-mail security, personnel files, health care or other privacy issues that touch almost every element of the business, you have to make it meaningful." In short, HR professionals need to place these policies in a context that employees can relate to.

This communication effort never ends, privacy experts say, because of the expanding use of technology and communication in personal and business lives. The risks of mismanaging employees’ privacy can be severe: lost revenue, lost productivity, legal or regulatory actions, declines in brand value and shareholder value, and recruiting and retention problems.

HR professionals need to understand privacy issues to manage and mitigate the risks associated with the data they work with, says J. Trevor Hughes, executive director of the International Association of Privacy Professionals (IAPP) in York, Maine.

An Emerging Patchwork

Corporate privacy generally covers customer and employee privacy, with subcategories including the privacy of job applicants and how vendors such as benefits providers protect the privacy of client companies’ employees. The emergence of the chief privacy officer position reflects the growing importance of corporate privacy management. (See "New Face in the C-Suite" in the January 2010 issue of HR Magazine.)

Hughes says HR professionals should sharpen their skills in spotting privacy issues, an area of expertise covered in the Certified Information Privacy Professional designation that the IAPP offers members. Yet, spotting such issues can be tricky, given the fluctuations in privacy regulations globally.

The European Union requires companies doing business in its member countries to adhere to employee privacy principles. The U.S. government has not passed a sweeping privacy law since the Electronic Communications Privacy Act of 1986, which regulates how employers monitor employee telephone calls. 

Since then, a patchwork of requirements has slowly developed, notes Philip Gordon, a shareholder in Littler Mendelson’s Denver office and chair of the employment and labor law firm’s data privacy and protection practice.

The Americans with Disabilities Act of 1990 contains confidentiality requirements, and the Health Insurance Portability and Accountability Act of 1996 includes rules protecting the security and privacy of employee health data. Most recently, the Genetic Information Nondiscrimination Act of 2008—which prevents employers from using genetic information, including family medical histories, in staffing decisions—and several state laws governing personal data have been enacted. In addition, the threat of identity theft casts privacy protection in a new light; many state laws require notice when there has been a privacy breach.

As such privacy protection increases, corporate policies concerning privacy require improvement, insists Lewis Maltby, president and founder of the National Workrights Institute in Princeton, N.J., and author of Can They Do That? Retaking Our Fundamental Rights in the Workplace (Portfolio, 2010).

At many companies, the privacy policy "is what employees see on their screens when they turn their computers on," Maltby explains. "That so-called notice is really a reservation of rights. It doesn’t really indicate anything about the company’s actual privacy practice."

As a result, employees’ expectations and employers’ actions concerning privacy frequently are misaligned, creating problems. Maltby notes that 25 percent of employers have fired employees because of "inappropriate" e-mails, yet many organizations fail to define what "inappropriate" means.

"Some privacy advocates suggest that employers are Big Brother and want to spy on employees," Maltby says. "That’s not the case. This is a sin of omission. … Employees have virtually no privacy in e-mail communications, text messages or web sites that they visit at work. And when they find out, it damages morale and productivity in ways that don’t usually get noticed. On occasion, it affects recruitment and retention."

Creating a Policy

The first step in aligning privacy expectations involves creating a corporate privacy policy.

Many companies create two types of policies, says Gordon. An employee-facing policy provides relatively high-level principles governing the organization’s collection, use, disclosure, safeguarding and disposal of employee data. An operational policy or manual is directed internally for people who access and use employee data to perform legitimate job functions.

The principles typically describe what employee data the company collects and how the data are collected; used; shared, if applicable; accessed; stored; and, when necessary, disposed of. The operational policy usually consists of numerous policies tailored to the privacy issues of different departments and groups. Companies such as Claremont Savings Bank, Sports Authority and Eastman Kodak Co. in Rochester, N.Y., follow the approach Gordon describes.

For example, when job candidates visit Kodak’s job-posting site, they see a privacy notice geared toward them; this notice differs from both the policy employees see and the policies directed at customers.

Widger and Ruesgen emphasize that developing a corporate privacy policy is a board-level effort requiring regular and deep collaboration among HR, legal, information technology (IT) and privacy professionals. "Create a cross-functional team," Gordon says. "No single person has all of the knowledge or skills necessary."

Each year, Claremont Savings Bank’s compliance officer and at least one other senior officer review the bank’s privacy policy. After that, the policy goes to the board for approval. Then, Widger and her team communicate the policy—focusing on updates and areas requiring attention—to managers and employees, who are required to sign off annually. Training, online or in person, accompanies the effort.

A compliance officer develops the policies and makes updates, and an internal auditor ensures that the policies are being adhered to, says Widger, who recently worked with her compliance officer, the bank’s top IT executive and other senior-level officers to expand the policy to address social media issues.

HR’s Role

HR professionals help craft and communicate the policies while operating as perhaps the organization’s most important protectors of employee privacy.

"HR professionals may be touching more-sensitive, and potentially more-damaging, personal data than anyone else," says Hughes. "As our concept of sexual harassment evolved, HR professionals became educated and more sophisticated in their management of those issues. As our concept of privacy in the marketplace evolves, HR professionals are going to have to step up once again and get themselves educated on, and aware of, these issues."

This awareness extends beyond having employees sign receipts for handbooks that contain the privacy policy and even beyond the company’s walls. "Incorporate the elements of the policy into your daily discussions," Ruesgen says. "If you have a managers’ meeting that covers leave-of-absence policies, a natural segue into privacy exists, and you have to leverage that conversation." In the situation Ruesgen describes, for example, explain to managers that if an employee takes leave for a personal medical or financial reason, that information must remain confidential.

One reason Brian O’Connor, Kodak’s chief security and privacy officer, works closely with HR colleagues: "HR can help by making sure that what you are drafting can be understood by the average employee," he says.

And don’t just look at your own organization, Widger notes. "Look at your payroll provider, your benefits provider, your 401(k) provider—any vendor that you use—to understand what they have in place to protect your employees’ information."

Claremont Savings Bank requires relevant vendors to complete Statement of Auditing Standards (SAS) 70 audits and to sign a privacy policy agreement stating that they will keep employee information confidential and protected.

SAS 70 audits were developed by the American Institute of Certified Public Accountants in the late 1980s and finished in the early 1990s. Their use has increased since enactment of the Sarbanes-Oxley Act of 2002. The audits come in two types, depending on their rigor, and are designed to help vendors show client companies that internal privacy controls are up to snuff.

All of this can sound overwhelming to HR professionals in organizations without formal privacy functions or pre-Internet-era policies in hard-copy employee handbooks. Fortunately, there are several steps that can kick-start improvement efforts. (See the sidebar "Get Started.") The most important step for HR professionals involves understanding and accepting their key roles in shaping and disseminating privacy policies.

"The more personal stories that you can give to help drive home the importance of the policy, the better," Widger advises.

Consider a Model Policy

In his book, Can They Do That? Retaking Our Fundamental Rights in the Workplace (Portfolio, 2010), National Workrights Institute founder and President Lewis Maltby presents a model corporate privacy policy. The policy explains how companies will address seven areas of employee privacy: personal information, medical information, employee monitoring, off-duty conduct, substance abuse, notice of monitoring practices and enforcement. The “monitoring” section specifies how employers may monitor computer use, telephone conversations and employee location—with, for example, global positioning systems—and how they may conduct video surveillance.

Get Started

Below are some tips for improving privacy management:
Begin with principles. Mature corporate privacy programs typically contain detailed operational policies as well as high-level principles that briefly and clearly state how employee information will be collected and safeguarded. Communicating those principles can better align the privacy management expectations of employees and managers.

Create a policy governing information technologists’ review of e-mail. National Workrights Institute founder and President Lewis Maltby says employees understand that there are legitimate business reasons for an employer to read their e-mail. “They are not upset about that,” he says, “unless they find out that the IT employees are reading their personal e-mails for their personal amusement.” He says what is more upsetting to employees is finding out—as they do one time in four—that there isn’t even a rule directing IT employees not to read personal e-mail. Maltby says this element of the privacy policy should include an enforcement mechanism.

Define “inappropriate.” This step is crucial, according to Maltby, and requires addressing difficult questions. “Figure out what you’re going to permit in a systematic manner and then communicate that upfront to your employees,” he insists.

Consider Internet time curbs. The biggest problem posed by employee Internet surfing is not pornography or other offensive site visits, according to Maltby. “The biggest problem is the lost time.” Web-access software that only blocks offensive sites does not address this problem. Maltby says other software can support specific privacy policies, including applications that eliminate access to Facebook, Amazon, ESPN and all other sites not related to work, after employees have used an allotted personal surfing time.

Lose the legalese. Human resource professionals should play a key role in translating legal privacy issues into practice. It’s “easy to have your general counsel stamp out something that reads like a lawyer wrote it,” says Bernard Ruesgen, SPHR, logistics HR group manager for retail chain Sports Authority. HR professionals have “to put a human touch on the whole process.”

Web Extras

SHRM article: New Face in the C-Suite (HR Magazine)

SHRM article: U.S. Supreme Court to Hear Employee Text Message Privacy Case (SHRM Online Legal Issues)

SHRM video: Jason Morris, president and chief operation officer of employeescreenIQ, discusses safekeeping employee and applicant data

SHRM sample policy: Employee Records Confidentiality Philosophy

SHRM sample policy: Personnel Information Disclosure to External Parties

SHRM sample policy: Cameras in the Workplace

SHRM sample policy: Recording Devices in the Workplace

Web site: The International Association of Privacy Professionals

Sample policy: Corporate Privacy Policy (Can They Do That? Retaking Our Fundamental Rights in the Workplace by Lewis Maltby, by arrangement with Portfolio, a member of Penguin Group (USA) Inc., Copyright (c) Lewis Maltby, 2010.)
