My daughter, Dazlin, asked this question on privacy... "Under what circumstances can or should my employer share my information?"
What a brilliant inquiry.
And I have no brilliant, quick responses, yet I am forcing her to wait for the answer on here even though I am currently comfortably ensconced in her apartment, sitting across from her.
First, for me, the easy answer is about medical information. Any information in the medical context, whether as part of disability accommodation, employment prescreening, genetic information, employer medical coverage, or workers' compensation must be kept confidential. This means, generally, in HR, there are two files for each employee or a bifurcated file where the health information is kept separated from discipline, hiring and firing, pay, etc.
Can they ever share it? Of course they can. They can share it with people and entities who have a need to know, such as benefit managers, health care professionals who are treating you, risk management, and so forth. But in general, the information should not be shared anywhere without a legitimate reason. Most of the protection here is federal - EEOC (disability, genetic information), OSHA (injuries on the job) - but there is also state law that applies (workers' comp, HR law, data breach law).
I am not going into a terrible amount of detail here if for no other reason than it is a blog and not a legal treatise. Some factors also depend on whether your employer is a public or private entity and/or what job you hold. But if anyone is curious, write me and let me know that you have questions. I'll see what I can do.
Now, for the sharing...in almost all laws, there are exceptions and privacy law is no exception to that. In general, the exceptions are around subpoenas, law enforcement, public health, emergencies, and business operations that require disclosures. Business operations could include mergers, account houses, and other entities that are contracted to perform some duty on your employer's behalf, like mailing 1099s. To do so, the other entity has your information. Do you also remember all the stories about how many subpoenas and requests for information are being served on internet service providers? If information is part of an investigation, your employer will likely give it up.
Other than medical information, employers are required to keep certain information secure - like your date of birth and Social Security number. In countries other than the U.S. that have data protection laws, certain information is considered sensitive information. Sensitive information includes ethnicity, political views, membership in professional organizations, etc. Now here in the U.S., race, age, and gender are also considered confidential, but mainly because an employer can be sued for discrimination if negative decisions are based on race, gender, being over 40, or being disabled - things that make you a member of a protected class. Also, credit reports and background checks must be performed and retained securely. In fact, after the financial troubles of 2008, several states put background check laws in place - mainly, either the employer could not ask certain questions in an application or could not do a background check before meeting the person.
Many states have laws protecting certain information, although Massachusetts with 17 CMR 201 is the strongest. In Massachusetts, if you have information on their residents, to include name (either first name/initial with last name) plus some other elements (SSN, driver license number, or financial account number), then you are required to have a security program in place and provide certain data protections.
Mainly, states have data breach notification laws, meaning that if your data is breached somehow, your employer must let you know (these are general laws, not employment laws, but they apply to entities that collect certain information). Thus, if your employer wants to be excluded from the notification provisions in most of these states, then they need to encrypt and take precautions with your information. Not all states recognize encryption as an exception, but most do - and of course, this only applies to electronic information.
Speaking of electronic information: analyzing whether employers can access your electronic communications such as email, texts, and social media is a full blog on its own. Morality considerations are another - think of teachers fired for posting naked party pictures on their own Facebook or sports figures who get into scandals and lose endorsements. And last, lifestyle (which includes morality) is also a very deep discussion of law.
So this is part of her answer. In reality, not all employers follow the laws - and certainly not all employees of your employer will follow the law. Training and awareness are huge for data protection and training is not generally a high budget item for many employers, especially towards protecting their employees' data.
So my advice point coming out of this is to be careful of your own information in the workplace. It is not necessarily a good idea to friend people on social media that you work with - you just may have information disclosed to your employer that you wish was not - and if a negative action is taken towards you based on this information, then you likely will have a very hard time proving it.