You Can’t Un-ring the Bell
Protecting Employee Privacy and Confidentiality
By David Cox, SPHR, SHRM-SCP | September 15, 2016
It is an employer’s responsibility to keep employee files in a manner that protects the employee’s privacy and confidentiality from those who do not have a need-to-know. Employers should address this now because once an employee’s privacy is violated, an employer can improve and update practices, but cannot “un-ring the bell.”
When we help businesses establish HR practices, we work with them on how to maintain employee medical and personnel files. Those responsible for this function usually feel a need to defend current practices. I submit that updating these procedures is a wise practice that will yield better results for the employer.
I worked with one administrator who staunchly defended the practice of including employee medical information in their personnel files. Her argument: “Nearly 25 years ago our attorney told us it was okay for us to do it this way.”
In another situation, I found that medical and personnel files were kept in file cabinets not only located in separate rooms, but in separate buildings. I initially thought that, though unnecessary, the company was taking protecting employees’ privacy very seriously. Later, I found that both rooms were in common employee access areas and the file cabinets where these records were stored did not even have locks. When I questioned this practice, I was told emphatically: “We’ve always done it this way and no one has ever complained.”
Obviously, neither the length of time you’ve been doing something, nor the fact that no one has ever complained, makes your procedures defensible under current state and federal law. Whatever systems and procedures are adopted by your business, it is wise to keep the following goals in sight:
- All employee medical information is to be treated as private and protected,
- Access to employee information in a personnel file should be restricted on a need-to-know basis, and
- All medical and personnel information retained by the company must be kept safe and secure.
If employee information is not being maintained properly, ignoring this problem will not solve it.
Action should be taken to protect and secure this information immediately. The most cost-effective way to avoid liability for violating your employees’ privacy is to make certain such violations never happen.