What Employers Should Do to Ensure Privacy of Employee Data.


October 30, 2006

Given the latest Pentagon problems with data, employers should heed certain privacy requirements. Employers can take the following steps to limit unlawful disclosure of private employee data:

  • Review all service agreements with your employee benefit plan vendors for privacy/confidentiality provisions;
  • Review your internal practices regarding the flow and protection of sensitive information;
  • Implement a comprehensive privacy policy and identify an individual responsible for enforcing and maintaining the policy;
  • Avoid using employee social security numbers as employee identification numbers and review existing data collection forms with an eye to eliminating requests for personal data if such data is not truly necessary;
  • Ensure that employee medical information is maintained in separate, locked files; identify those within the company with a need to know such information, and ensure that only they have access to such files;
  • Store personnel documents containing private information (e.g., consumer reports, I-9 forms, wage garnishment documents, credit card information, mortgage application inquiries, reference check results and pre-employment or drug testing results) in confidential files separate from personnel files;
  • If personal information of employees is kept in an electronic format, ensure that the data is stored in a secure computer system, limit access to such data, and take precautions to ensure that such data cannot generally be taken off-site;
  • Establish meaningful document destruction policies that effectively preclude unauthorized access to personal information (e.g., shredding or burning of documents, destruction of electronic data devices), and implement steps to facilitate these policies (e.g., place shredders around the office);
  • Ensure that information security and control are addressed in deals negotiated with vendors when appropriate;
  • Prepare a response plan that can be implemented in the event of a security breach or disclosure of private data;
  • Conduct regular training of all employees and train supervisors in particular about the need to refrain from discussing or disclosing information that could affect their employees' privacy interests; and
  • Regularly audit compliance with privacy policies and procedures.

Other Information to Which Employees Have Expectations of Privacy

In addition to legislatively imposed confidentiality requirements, employers also have court-imposed obligations not to invade their employees' privacy. Most states recognize common law invasion of privacy tort claims. Iowa recognizes the following four theories of invasion of privacy: "Intrusion upon plaintiff's seclusion or solitude, or into his private affairs[;] [p]ublic disclosure of embarrassing facts about the plaintiff[;] [p]ublicity which places plaintiff in a false light in the public eye[; and] [a]ppropriation, for defendant's advantage, of the plaintiff's name or likeness." Yoder v. Smith, 253 Iowa 505, 112 N.W.2d 862, 863-64 (Iowa 1962) (quoting PROSSER, LAW OF TORT 637-39 (2d ed. 1955)).

In the context of employee data, such claims historically have fallen under one of two theories: "publication of private facts" (unreasonable publicity given to a person's private life in a manner that is highly offensive to a reasonable person and involving a disclosure or subject that is not of legitimate public concern) or "misappropriation" (misappropriating the name or likeness of another for one's own benefit, such as using an employee's photograph without the employee's permission). Plaintiff employees frequently prevail in invasion of privacy lawsuits where their employers have inappropriately disclosed medical information to others. Oftentimes, the outcome in such cases will depend upon whether the publication was made to more than just a single person or a small group of persons. However, an exception to this rule was created in a case handled by LaMarca & Landry P.C., Peggy A. Hill v. MCI Worldcom Communications Inc., 141 F.Supp.2d 1205 (S.D. Iowa 2001), No. 4-00-CV-70496: "… under Iowa law disclosure of private facts about a plaintiff to a third party may state a claim for invasion of privacy under the theory of public disclosure of embarrassing facts if there is a confidential relationship between the plaintiff and the third party." Id. at 1213.

Conclusion

Increasingly, privacy has become a hot-button issue. Employers must recognize the need for a thorough and consistent approach to protection of customer, personnel, and benefit data as a risk management and compliance matter, as well as a public relations issue. As employers focus on confidentiality and privacy both internally and externally, all parts of the organization should be called upon to demonstrate what they are doing to protect private information.


LaMarca & Landry, P.C.

1820 N.W. 118th Street
Suite 200
Des Moines, Iowa 50325
Toll-Free: (877) 327-2600
Phone: (515) 225-2600
Fax: (515) 225-8581

www.lamarcalandry.com