The use of personal information is commonplace in the hiring, promotion and termination processes. Employers also may have access to employee health records containing information about an individual’s physical health, family medical history and prescription drug use. Having access to these personal details can be risky with regard to an employee’s right to privacy.
At times, employers will obtain consumer reports to evaluate employees for hiring purposes, reassignments and retentions. Under the Fair Credit Reporting Act (FCRA), the employer must protect the privacy of the employee regarding the information on the report, as it may contain credit payment records, driving records and history of any criminal activity. Before obtaining a copy of a consumer report, the employer must obtain written permission from the individual.
As of June 1995, employers were required to dispose of consumer reports in a specific manner to reduce the risk of identity theft and other forms of consumer fraud. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of this Disposal Rule.
According to the Consumer Financial Protection Bureau (CFPB), the standard for proper disposal of consumer report information is flexible, and allows the organizations covered by the rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
This rule applies to the following industries and individuals who obtain consumer reports:
- Consumer reporting agencies
- Government agencies
- Mortgage brokers
- Automobile dealers
- Attorneys and private investigators
- Debt collectors
- Entities that maintain information in consumer reports as part of their role as service providers for other organizations
As a stipulation of this regulation, employers must burn, pulverize or shred papers so that information cannot be read or reconstructed. Likewise, electronic data must be destroyed or erased by overwriting the information so that it cannot be read or reconstructed. Beyond this, employers exercising due diligence can hire a document destruction contractor to dispose of the material.
Employees have great protections concerning the privacy of their medical records and employer use of this type of information. Employers should become familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates the access, use and disclosure of protected health information (PHI). For instance, HIPAA includes nondiscrimination rules regarding charging employees more or denying coverage based on health factors, genetic information or wellness activities.
Drug testing is one of the more widely used forms of medical testing in the workforce. Alcohol testing may also be standard in your industry, to reduce the risk that employees will act negligently while under the influence on the job. However, several states have regulations concerning the instances in which employers can conduct drug or alcohol screenings. In general, employers may test their employees for drugs under these circumstances:
- The job carries a large risk to the employee and others
- The potential or current employee has completed a drug rehabilitation program or is currently enrolled in one
- The employee was involved in a business-related accident in which drug or alcohol use was suspected as a factor
- The employer believes that the employee may use drugs or alcohol based on physical evidence, such as slurred speech or glassy eyes
If personal information about employees is transmitted electronically, the security of the information may be questioned. When individuals send personal information electronically outside of work, the security of the information is their own responsibility. At work, however, employees likely expect that the network is secure—if an individual sends an email to Human Resources verifying personal information, he or she does not anticipate that unauthorized parties will be able to access that information. As an employer, it is important to discuss electronic privacy with your employees. Having employees sign a statement acknowledging that the company can access any information sent or received on its network is a good place to start. It seems simple, but this acknowledgement could save you from litigation.
To protect your company from infringing on your employees' privacy, learn about relevant laws and ensure your policies and procedures comply.