Employee Data Privacy: What Employers Need to Know

27 Jul


With cyber security threats on the rise, it is more important than ever to keep valuable data secure. Businesses everywhere are taking additional precautions when handling sensitive customer data. But what about the data they hold internally on their own employees? Organizations have an obligation to protect their employees' personal data from being shared or stolen. In addition to federal regulations, states have their own data protection mandates, and those extend to employee data. Let's discuss employer obligations and compliance best practices regarding employee data privacy.

What is Personal Data?

First, let's define personal data. Personal data, or personally identifiable information (PII), is any information that identifies a specific person or can be linked back to that person. This includes name, birthdate, address, Social Security number, tax information, and so on. In the U.S., there is no single federal privacy law covering all PII; instead, federal laws protect certain types of personal data in certain contexts, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information, the Americans with Disabilities Act (ADA) for medical information gathered from employees, and the Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACT Act) for consumer and background-check reports.

In the workplace, employee PII includes resumes, references, job applications, personnel files (contracts, performance reviews, compensation information), payroll data (including tax forms, W-2s, and W-4s), and benefits files. Europe's General Data Protection Regulation (GDPR) goes further and counts as personal data anything relating to a person's "physical, physiological, genetic, mental, economic, cultural or social identity." If you are a global organization, you may be subject to the additional privacy and security obligations of the other countries in which you employ people.

What Are the Employer Obligations?

Employers have several obligations in protecting PII of their employees.

  • Know the privacy laws that apply to you

Employers should know the specific privacy laws and regulations that apply to them at the federal and state levels, and should review their security controls and privacy practices whenever those rules change so the two stay aligned. If you have locations or employees abroad, you will also need to stay current on the data and privacy regulations of the countries you operate in.

  • Justify the collection and processing of employee data

Employers should collect and store only the employee data that is relevant and necessary to the employment relationship, and should be able to state why each category is held. Typical categories are resumes, payroll data, contracts, benefits enrollment forms, compensation agreements, and performance reviews.

  • Notify employees of data breaches

If employee data is accessed, acquired, or otherwise compromised through a security incident (phishing, an intrusion, ransomware, and so on), employers must notify the affected employees, and in many cases regulatory authorities, within the time frames set by the applicable laws. Those time frames differ from state to state, so know yours before an incident happens.

  • Control access to PII

Not everyone in the organization should, or needs to, have access to employee PII. Ensure that only authorized users (for example, human resources managers) can reach employee files and data, and scope each user's access to the information they specifically need rather than to everything in the file. For example, managers may need access to their own direct reports' performance reviews, but they do not need access to those employees' benefits and tax documents, and they do not need to see reviews of employees outside their team. Review who holds access periodically, and remove it when a role changes.

  • Understand your state’s data subject rights

In some states, such as California, employees have rights over their own information: the right to see the PII the employer holds about them, to request corrections, and to be told when it is used in new ways. Failing to honor such a request within the required time can lead to fines if the employee reports it, depending on your state's regulations.

  • Implement consent policies

Employers should disclose how they collect, process, and share employee data. This can take the form of a privacy notice or consent form that employees sign along with their employment contract, or a section in your employee handbook that they acknowledge. Make sure that any updates to the policy are shared with team members.
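The two obligations above, "Control access to PII" and "Understand your state's data subject rights", both come down to an authorization rule: who may read which category of record about which employee. The following Python is an added illustration written for this page, not code from VensureHR or from any HR system. It assumes three hypothetical roles ("hr", "manager", "employee"), the record categories named in the article, and a manager-to-direct-report relationship; the sample users and records are constructed for the demo. It denies by default, scopes managers to performance reviews of their own reports, lets employees read their own records (the access right described above), and logs every decision so denied attempts can be reviewed.

```python
"""Least-privilege read check for employee PII records (illustrative example)."""
from dataclasses import dataclass

# Record categories taken from the article's list of employee PII.
PERFORMANCE_REVIEW = "performance_review"
PAYROLL = "payroll"                # W-2s, W-4s, other tax forms
BENEFITS = "benefits"
PERSONNEL_FILE = "personnel_file"  # contracts, compensation agreements
ALL_CATEGORIES = frozenset({PERFORMANCE_REVIEW, PAYROLL, BENEFITS, PERSONNEL_FILE})


@dataclass(frozen=True)
class Record:
    subject: str    # employee the record is about
    category: str


@dataclass(frozen=True)
class Actor:
    user: str
    role: str                                   # "hr", "manager" or "employee" (assumed roles)
    direct_reports: frozenset = frozenset()     # populated only for managers


# Every decision, allowed or denied, is recorded for later review.
AUDIT_LOG: list[dict] = []


def allowed_categories(actor: Actor, record: Record) -> frozenset:
    """Categories this actor may read about this record's subject.

    Deny by default: any role or relationship not listed here gets nothing.
    """
    if actor.role == "hr":
        # HR administers the whole file.
        return ALL_CATEGORIES
    if actor.role == "manager" and record.subject in actor.direct_reports:
        # Managers see reviews of their own reports only, not payroll or benefits.
        return frozenset({PERFORMANCE_REVIEW})
    if actor.user == record.subject:
        # Employees may read their own records (data subject access).
        return ALL_CATEGORIES
    return frozenset()


def can_read(actor: Actor, record: Record) -> bool:
    """Authorize one read and append the decision to the audit log."""
    decision = record.category in allowed_categories(actor, record)
    AUDIT_LOG.append({"user": actor.user, "role": actor.role,
                      "subject": record.subject, "category": record.category,
                      "allowed": decision})
    return decision


def denied_attempts() -> list[dict]:
    """Denied reads are the entries worth reviewing for misuse or misconfiguration."""
    return [entry for entry in AUDIT_LOG if not entry["allowed"]]


def demo() -> dict:
    """Constructed users and records; returns the decision for each scenario."""
    hr = Actor("hr_ana", "hr")
    mgr = Actor("mgr_bob", "manager", direct_reports=frozenset({"emp_cara"}))
    cara = Actor("emp_cara", "employee")
    return {
        "hr_reads_payroll": can_read(hr, Record("emp_cara", PAYROLL)),
        "mgr_reads_report_review": can_read(mgr, Record("emp_cara", PERFORMANCE_REVIEW)),
        "mgr_reads_report_w2": can_read(mgr, Record("emp_cara", PAYROLL)),
        "mgr_reads_other_review": can_read(mgr, Record("emp_dan", PERFORMANCE_REVIEW)),
        "cara_reads_own_benefits": can_read(cara, Record("emp_cara", BENEFITS)),
        "cara_reads_peer_review": can_read(cara, Record("emp_dan", PERFORMANCE_REVIEW)),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
    print(len(denied_attempts()), "denied attempts logged")
```

The point of the structure is that the category list and the relationship check live in one function, so tightening access (for example, taking performance reviews away from managers) is a one-line change, and the audit log gives the data a later access review or breach investigation would need.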


What Are Some Best Practices for Managing Employee PII?

Now that you know your obligations as an employer, here are some tips on how to best protect your employees’ personal data.

Work with IT

Your IT department is best equipped to help you decide how employee data is stored, who can access it, and how it is protected. They track current attack techniques and the controls that mitigate them, so include IT staff when you write your data policy rather than handing it to them afterwards.

Train employees and management

Once you have a data security policy in place, train employees and management on the ways they can reduce risk. This includes how to share data safely, how to recognize phishing attempts, and whom to alert, and how, when they encounter a potential threat.

Always encrypt data

Encrypt PII both in transit and at rest. Most email software offers an encrypted-send option, which protects the message while it travels and sits in the mailbox, but it does not protect a copy saved to a laptop or shared drive, so files containing PII should also be stored in encrypted locations, and the keys or passwords kept separate from the data. It is best practice to encrypt any information that contains any type of PII.

Create an incident plan

Every company needs an incident plan for a security breach. The plan should spell out the steps in order: contain the incident, identify where the breach started, determine what information and which employees were affected, preserve the evidence, and decide when and how to notify those affected and any regulators, within the time frames your state requires.

Cybercrime is not going away, and more and more companies need to keep their data as safe as possible. As an employer, you have an obligation to protect the integrity and confidentiality of your client and employee data. If you need to add a data security policy or employee consent form, or to update your employee handbook with data privacy information, VensureHR's team of human resource professionals is here for you. Our experienced HR team will guide you on the policies and communication plans that help keep your employee data protected. Schedule a call with us today to learn more.


