Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employer’s compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

• Email This
• Print
• Trackbacks
• Share Link

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”
 

• Email This
• Print
• Trackbacks
• Share Link

Workplace privacy obligations continue to grow more burdensome for employers. As more information about workers becomes readily available, employers are often caught between a sense that failing to use that information may lead to negligent hiring and retention claims, and a fear that using or disseminating information that is private or protected will lead to litigation in its own right.

Littler Mendelson is a member of the International Association of Privacy Professionals, and a Gold Sponsor of the IAPP's "Practical Privacy Series Human Resources 2008" conference. The conference, which will take place in New York City on June 17, will cover a range of topics, including:

• "What to Do When a Human Resources Security Breach Inevitably Occurs":  A security breach involving human resources data is high-stakes for organizations. This presentation focuses on the most common causes of HR security breaches and explains from the trenches how to respond in compliance with applicable notice laws, and without a disgruntled workforce when the dust clears;
• "It's 10:00 A.M. -- Do You Know Where Your Employees Are and What They Are Doing?": New technology offers employers ever more sophisticated tools to keep tabs on their employees, but to what extent does this monitoring expose them to liability? This session examines the evolving U.S. law on these issues and discusses the challenges for global employers confronting data protection regimes modeled on the EU Data Protection Directive;
• "H.R. Risk Assessments": Safeguarding HR information often plays second fiddle to seemingly more imperative privacy data, such as patient or customer information. Yet it can be among the most sensitive at an organization. This presentation highlights key lessons learned from HR privacy risk assessments across industries, and from helping organizations remediate weaknesses in their control environments. This session looks into the logistics of operationalizing a response program and handling specific recurring incidents; 
• Littler's own Phil Gordon will speak on "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?": With ready access to sensitive personal information, employers are under increasing scrutiny to maintain a workforce that is beyond reproach. Social networking sites, blogs and other resources offer a wealth of information on candidates and employees. How deeply should employers tap these new information sources? This presentation will help frame the debate for your own organization; and
• I'll be talking about how--and when--an employer can use sensitive medical information in the employment context in a presentation called "How To Handle Employee Health Information And Drug And Alcohol Testing In Compliance With The Alphabet Soup Of State And Federal Confidentiality Requirements": Managing employees’ health is a critical business imperative. Employers confront a maze of laws and regulations governing the confidentiality of employee health information, and dire consequences for mishandling such information. This session addresses questions on collecting, using, storing, documenting and disclosing employee health information, among other concerns.

If you are interested in these topics, or know someone who is, go to International Association of Privacy Professionals and click on the box titled "Practical Privacy Series." We'd love to see you there!

• Email This
• Print
• Trackbacks
• Share Link