What actions should employers take to protect employees' privacy?

Employers should consider the following actions to ensure that employees' privacy rights are protected.

Restrict the amount of information collected. Make sure all information has a business purpose. Periodically review information to determine that it is still relevant. Destroy all nonessential information when an employee terminates.

Give employees access to their information. One of the quickest and least expensive quality checks available to an employer is to have the employee review his or her personnel files and related material. Errors, such as transposed numbers in social security numbers, can be eliminated as well as employees given a sense of control and trust. When files are computerized, it is relatively inexpensive and efficient to provide an electronic copy of the employee's file to the employee for his or her review and sign-off. After all, who has a greater desire for accuracy than the employee?

Publicize the use of information. Employers should advise all parties what the use of the file will be and how access to the information is controlled. It is in the employer's self-interest to control this information. Since the employer may be liable for the information's misuse, make sure there are adequate security measures to protect existing information.

Separate records that are not available to the employee. There may be records that the employer does not want the employee to have access to; and for those records, the employer should maintain that record separately. There should be a business purpose for denying employee access.

Correct records that are wrong. When an employer is advised that a record is incorrect or incomplete, the employer should quickly correct the record. Confirm that the record has been corrected and invite the employee to "double-check" the file. Determine if there are procedures that should be instituted to prevent the same type of error from occurring in the future or to ensure that the error has not occurred in other files.

Limit release of information without employee's consent. Specify to whom records will be released without employee consent, for example government agencies with valid access requirements. In the exit interview process, advise the employee what information will be released to other employers. Consider providing a copy of the information that will be released to the employee.

Control internal access to information. Control access on a need-to-know basis. Caution managers and supervisors concerning liability for improper release of information. Provide written guidelines to managers and supervisors to ensure that confidential information in their possession, such as salary and performance appraisals, is maintained properly. Audit recordkeeping practices. Provide the same level of information security for all staff.

Protect information. Maintain information, especially computer-based files, with appropriate safeguards and security. Periodically review existing procedures, support and software against what is new in the marketplace. Aim for total protection. As a routine matter, destroy information no longer needed or required by law.

Ensure periodic review. Have policies and procedures reviewed by senior management and counsel on a periodic basis. Consider asking for employee input. Establish accountability for policy conformance. Commit the company to a written policy and distribute the policy widely. Benchmark other company's practices.

Train staff. Interviewers, human resources staff, managers and others who routinely handle confidential information must be periodically trained on procedures and ethics of managing sensitive data. When sensitive information is handled on a daily basis, without reminders, staff may become lax. For example, inappropriate questions by supervisors and managers in interviews can undermine a company's efforts. The basic building block for a sound policy must be respect for all employees' right to privacy. All levels of managers in an organization are employees subject to the same policy.