Disclosure of Employee Personal Data: What Are an Employer's Legal Obligations?

The story is now well known. A data analyst for the U.S. Department of Veteran's Affairs took home a laptop and disks containing the names, social security numbers, dates of birth and disability ratings of nearly all active duty military personnel and virtually every person discharged from the United States military since 1975. When the employee's home was later burglarized in early May, the electronic data was among the items stolen. A department policy prohibiting employees from removing such data did not deter the employee from taking the data home and, as a result, the personal information of approximately 26.5 million persons may have been compromised.

While this incident did not involve employee data, it is only the latest in a series of high-profile data security breaches that have caused employers (and state legislatures) to focus more intensely on what should be done to protect the privacy of personal data, including employee data, in the hands of employers. Following the 2002 enactment of legislation in California requiring businesses to implement certain safeguards to protect personal information (and to make prompt disclosure in the event of certain security breaches), a number of other states have followed suit with similar legislation. These state efforts follow closely on the heels of federal statutory initiatives aimed at providing greater protection with respect to personal financial and medical information.

Given the current landscape, it is important for employers to focus anew on their legal obligations regarding the privacy of employee data, and to review whether they are taking sufficient steps internally to safeguard such data and respond appropriately to security breaches. Certainly the most important step that employers can take is to understand their legal obligations. Once those obligations are understood, employers can then audit their policies and procedures, and make necessary adjustments to ensure that private employee data is protected.

Defining Private Employee Data

While there is no single universal legal definition of private employee data, it generally includes employee addresses, photos, social security numbers, dates of birth, protected class information and medical records. It should also include information that employees or others—such as employee benefit plan administrators—have reasonable expectations will be kept confidential, and information that "belongs" to an employee benefit plan and cannot or should not be used as a commodity for others' financial gain.

Legal Requirements Imposing Privacy Rights with Respect to Employee Data

An employer's legal obligations with respect to maintaining the privacy of employee data are potentially wide-ranging and include the following:

Employee Medical Information. The federal Americans with Disabilities Act (ADA) and Family and Medical Leave Act (FMLA) as well as similar state disability discrimination and leave statutes require that any information obtained by an employer regarding the medical condition or history of an applicant or employee be collected and maintained on separate forms, kept in separate files, and treated in a confidential manner. Employers may only disclose such information to (1) supervisors and managers who need to be informed regarding necessary work restrictions and necessary accommodations; (2) first-aid and safety personnel who need to be informed about emergency treatment; and (3) government officials who are investigating compliance-related issues. Information may also be released for purposes mandated by local, state or federal law. Notably, an employee need not be a person with a disability within the meaning of the ADA to recover for an inappropriate gathering and disclosure of confidential medical information.

The Health Insurance Portability and Accountability Act (HIPAA) generally protects individually identifiable health information created or maintained by health plans and health care providers. Contrary to common misconceptions, HIPAA does not directly regulate employers or cover medical or disability information obtained by employers for employment purposes, such as leave programs. However, HIPAA does apply to employer-sponsored health plans and certain health care providers. In general, covered health plans and providers cannot use or disclose individually identifiable health information without a HIPAA-compliant authorization from the patient or health plan participant, except for purposes of treatment, payment for health care, and health care operations. HIPAA imposes a number of administrative responsibilities on health plan sponsors (particularly sponsors of self-funded health plans) which are designed to safeguard protected health information. For example, employers who sponsor such health plans must ensure that employees who do not work for the plans do not have access to private health information, and that those who do are adequately trained about their obligations.

Many state laws also prohibit employers from disclosing medical information to unauthorized persons. Such state laws are not preempted by HIPAA if and to the extent that they provide greater privacy protections than HIPAA.

Employee Benefit Records. There is a growing awareness that certain information regarding benefit plans and participants in plans constitutes an "asset" of the plan that is not to be given away or misused in a manner that is not in the best interests of the participants in that plan. Increasingly, vendors want to use this information in new and different ways to further their own marketing objectives. Arguably, employers have a fiduciary duty to know about (and control as necessary) the use of information regarding their plans and plan participants.

Criminal and Credit Background Checks and other Consumer Reports. Although the Fair Credit Reporting Act does not explicitly impose obligations on employers to maintain consumer reports in a private manner, such an obligation is implicitly set forth in the statute's narrow limitations on the circumstances in which an employer may use such reports. In addition, regulations promulgated in 2005 require employers to take "reasonable measures" to properly dispose of "consumer information" (defined as consumer reports and any records derived from consumer reports) in order to prevent "unauthorized access to or use of the information in connection with its disposal."

State Personal Information Protection Statutes. In 2004, California enacted legislation requiring businesses maintaining computerized data that includes personal information to notify the owner of such data of any breach of the security of the data immediately following discovery of the breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute defines "personal information" to include an individual's first name or first initial and last name in combination with that person's social security number, driver's license number, California identification card number, medical information, or credit card, account or debit card number (in combination with any security or access code). Proper notice of a security breach includes written notice, electronic notice or substitute notice (e.g., conspicuous notice on the employer's web site or notification to statewide media) in appropriate circumstances.

Within the last several years, many states, including Colorado, Delaware, Illinois, Kansas, Minnesota, North Dakota, New York, Nebraska and Wisconsin, have followed California's lead in enacting similar legislation. Although the statutes vary, the basic requirements are the same: generally, the employer must notify employees if personal information was, or is reasonably believed to have been, acquired by another person.

Some states have gone beyond imposing notice requirements on employers and either require or encourage employers to take certain actions to ensure the security of personal information. For example, Colorado law requires employers to develop a policy for the proper destruction or disposal of paper documents containing "personal identifying information."

Finally, some states have imposed restrictions on an employer's use of social security numbers in the workplace. Minnesota recently enacted a statute that prohibits businesses from: (1) intentionally communicating or otherwise making available to the general public a person's social security number; (2) printing an individual's social security number on any card required to access products or services provided by the business; (3) requiring an individual to transmit her social security number over an unsecured or unencrypted internet connection; (4) requiring the individual to use her social security number to access an internet web site, unless it is used in conjunction with a password or authentication device; and (5) printing a person's social security number on any materials mailed to the individual, unless required to do so by law. The statute, which does not become effective until July 1, 2007, provides exceptions for documents relating to application, enrollment, establishment, amendment or termination of an account, contract or policy, or to confirm the accuracy of a social security number. In addition, the statute has a prior use continuation exception provided that the prior use remains continuous and individuals are annually advised of the right to stop the use of their social security numbers in a manner otherwise prohibited by the statute.

What Employers Can Do

Employers can take the following steps to limit unlawful disclosure of private employee data:

• Review all service agreements with your employee benefit plan vendors for privacy/confidentiality provisions.
• Review your internal practices regarding the flow and protection of sensitive information.
• Implement a comprehensive privacy policy and identify an individual responsible for enforcing and maintaining the policy.
• Avoid using employee social security numbers as employee identification numbers and review existing data collection forms with an eye to eliminating requests for personal data if such data is not truly necessary.
• Ensure that employee medical information is maintained in separate, locked files. Identify those within the company with a need to know such information, and ensure that only they have access to such files.
• Store personnel documents containing private information (e.g., consumer reports, I-9 forms, wage garnishment documents, credit card information, mortgage application inquiries, reference check results and pre-employment or drug testing results) in confidential files separate from personnel files.
• If personal information of employees is kept in an electronic format, ensure that the data is stored in a secure computer system, limit access to such data, and take precautions to ensure that such data cannot generally be taken off-site.
• Establish meaningful document destruction policies that effectively preclude unauthorized access to personal information (e.g., shredding or burning of documents, destruction of electronic data devices), and implement steps to facilitate these policies (e.g., place shredders around the office).
• Ensure that information security and control are addressed in deals negotiated with vendors when appropriate.
• Prepare a response plan that can be implemented in the event of a security breach or disclosure of private data.
• Conduct regular training of all employees and train supervisors in particular about the need to refrain from discussing or disclosing information that could affect their employees' privacy interests.
• Regularly audit compliance with privacy policies and procedures.

Personnel Data Transferred from European Union nations. The European Union Directive on Data Protection, which took effect in October 1998, prohibits the transfer of "personal data" (defined as "any information relating to an identified or identifiable natural person") to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. Because the European Parliament determined in July 2000, that U.S. privacy protections did not meet the "adequacy" standard, it therefore is illegal to transfer personal data from the European Union to companies in the United States unless the companies promise and deliver adequate protection either by joining the Federal Trade Commission's Safe Harbor program or by submitting individual contracts to European data protection authorities for review and approval. To qualify for the Safe Harbor, an organization can either join a self-regulatory privacy program that adheres to, or develop its own self-regulatory policy that conforms to, the Safe Harbor's seven principles. Those principles require that an organization (1) notify individuals about the purposes for which they collect and use information about them; (2) give individuals the opportunity to choose whether their personal information will be disclosed to a third party; (3) ensure that third parties to which they transfer information also comply with Safe Harbor principles; (4) provide individuals with access to personal information regarding them that is held by the organization; (5) take reasonable precautions to protect personal information; (6) take reasonable steps to ensure that data is reliable for its intended use; and (7) ensure compliance with Safe Harbor principles by establishing reporting and enforcement procedures.

Other Information to Which Employees Have Expectations of Privacy. In addition to legislatively imposed confidentiality requirements, employers also have court-imposed obligations not to invade their employees' privacy. Most states recognize common law invasion of privacy tort claims. In the context of employee data, such claims historically have fallen under one of two theories: "publication of private facts" (unreasonable publicity given to a person's private life in a manner that is highly offensive to a reasonable person and involving a disclosure or subject that is not of legitimate public concern) or "misappropriation" (misappropriating the name or likeness of another for one's own benefit, such as using an employee's photograph without the employee's permission). Plaintiff employees frequently prevail on invasion of privacy lawsuits where their employers have inappropriately disclosed medical information to others. Oftentimes, the outcome in such cases will depend upon whether the publication was made to more than just a single person or a small group of persons.

Conclusion

Increasingly, privacy has become a hot-button issue. Employers must recognize the importance of focusing on the need for a thorough and consistent approach to protection of personnel and benefit data as a risk management and compliance matter, as well as a public relations issue. As employers focus on confidentiality and privacy both internally and externally, all parts of the organization should be called to demonstrate what they are doing to protect private information.