A Guide to Employee Data Privacy

There are many ways to keep your employees happy and satisfied with working for your business. Some are small—a well-stocked snack bar and complimentary Starbucks runs are almost universally appreciated. Some are meatier—robust paid leave, health benefits, and flexible working hours seriously help employees feel seen as whole people, not just worker bees. 

But among the litany of ways to improve your employee experience, there’s one consideration many employers don’t factor in: how you handle your employee data. 

No, it’s not the flashiest way to improve morale, but it’s an essential legal responsibility for business owners. And missteps here could generate significant fallout if you fail to meet your obligations. 

So how can you build a sustainable employee data privacy program that protects your employees and your business? Consider this your employee data privacy 101 class. Let’s get into it. 

What is employee data privacy?

Employee data privacy is grounded in the fact that employers gain access to a lot of personal data during an individual’s job application and subsequent employment, and they have a responsibility to store that information securely and ensure that information is protected and used in accordance with any applicable laws and industry regulations. 

Typically, a company will acquire a wide range of personal information. Some of it is standard stuff, like:

• Name
• Address
• Phone number
• Email
• Bank account details
• Social security number

But employee data often goes beyond that. It can include application materials, performance reviews, salary data, leave records, and even health information. 

How do businesses manage employee data?

Employee data can live all across your business ecosystem, from HR software and proprietary software to filing cabinets (both digital and physical). This information can get pretty dispersed and, all too often, lacks solid access controls. 

It’s a risky situation, but employers can take steps to corral this information by establishing a clear employee privacy policy. 

An employee privacy policy should document: 

• How employee data is collected, used, and shared by the company
• Employees’ individual rights regarding their data
• Expectations, processes, and practices that determine how employee personal information is stored and safeguarded

(Note that your employee privacy policy should be a separate document from your company privacy policy!) 

Regulations surrounding data privacy for employees

Data privacy laws aren’t just based on a business’s physical location; they also depend on where their employees and customers are located. And because of the recent shift to remote work, U.S. businesses may fall under the jurisdiction of multiple data protection laws. 

The U.S. has no comprehensive federal data privacy law, but several states have privacy laws with employee data provisions. Here are some examples.

California

The California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA) as of January 2023, includes provisions for employee data and grants certain rights to employees regarding the collection, use, and protection of their personal information.

New York

The New York SHIELD Act, enacted in 2019, includes provisions for employee data. It requires businesses to protect personal information, including that of employees.

Illinois

The Illinois Biometric Information Privacy Act (BIPA) is more specific than other privacy laws, as it deals solely with biometric data. That said, the law includes provisions for the biometric data of employees, such as fingerprints or facial recognition data.

Washington

While currently still a bill (not yet passed into law or enacted), the Washington Privacy Act (WPA) is expected to contain provisions for employee data and offer some privacy rights to employees.

And don’t forget GDPR…

Additionally, some companies, even if they are based in the United States, will still be liable for complying with the EU’s General Data Protection Regulation (GDPR)—and don’t forget our friends in the UK; thanks to Brexit, they have their own privacy regulation, the Data Protection Act 2018. This is because your business will fall under GDPR jurisdiction if any of your employees reside in the EU (they don’t have to be citizens).

What is protected under employee data privacy laws?

Under the GDPR and CCPA, employees have rights that are similar to those of consumers. Most data privacy laws are centered around the idea that individuals have the right to control who has access to their personal information and how that information is processed, used, shared, and stored. 

These rights, which are applicable depending on the specific law, include:

1. Right to access: An employee has the right to know what personal information has been collected, for what purpose, how long it’s stored, and if their employer has shared or sold that information in the last year.
2. Right to delete: If an employee wants their personal information deleted from their employer’s database, that company must comply, although this right can be limited by legitimate business functions.
3. Right to correct: An employee has the right to correct inaccurate or incomplete information in their employee record.
4. Right to opt-out: Employees have the right to opt out of the sale or sharing of their personal information with a third party.
5. Right to limit disclosure: Employees have additional protections for certain categories of sensitive personal information, such as gender, race, or sexual orientation.
6. Right to limit automated decision-making and profiling: Employees can opt out of having their personal information used for profiling in automated decision-making processes.
7. Right to non-discrimination: Employers cannot discriminate or retaliate against employees for exercising their privacy rights.

In addition to honoring these rights, companies should practice “data minimization.” Data minimization is about limiting data collection to what is relevant and necessary. (Notably, data minimization is more than a line item in privacy regulation requirements—it’s actually an important privacy best practice.)

Failure to comply with employee data privacy laws can have far-reaching consequences 

No matter how you look at it, violating employee data privacy regulations is bad for business. 

Fines and penalties

In the EU, violations can result in a fine of up to 20 million euros, or up to 4% of a business’s total global revenues in the preceding fiscal year, whichever is higher. In California, unintentional non-compliance can lead to fines of up to $2,500 per violation, while intentional violations can result in fines of $7,500 for each violation. 

Company productivity

Employee privacy protection is critical to building a positive, trusting relationship between your employees and your business. Teams that trust their employers are more engaged and productive, and employee turnover is usually lower. 

On the other hand, the improper use of personal information is a recipe for high turnover and poor employee satisfaction.

Company reputation

Without employee trust, your business risks losing its reputation, its workforce, and (potentially) its competitive edge. Consider the search for applicants. These individuals will likely look online for insights into your company culture and review employee feedback on websites like GlassDoor. 

People want to work for businesses with integrity. If your company fails to protect its employees, you may have fewer job applicants—and a harder time attracting your ideal employees.

How to build an effective employee data privacy policy

Building an employee privacy policy is a collaborative effort that should involve HR, IT, payroll, legal team members, management and leadership, and more. Securing participation from stakeholders at all levels not only increases the likelihood of buy-in but it also helps you secure a far more comprehensive picture of employee data collection practices. 

Once you’ve established your team for creating an employee data privacy policy, make sure you check the following boxes:

• Identify what regulations apply to your business or will apply in the near future
• Determine whether the policy will apply to all employees or solely those that fall within the scope of the law
• Conduct a data inventory to understand how your business is currently treating employee data
• Determine who will be accountable for your privacy program in the future
• Create a reasonable process for employees to exercise their rights
• Build a detailed employee privacy policy checklist to keep your team on track
• Make your employee data privacy policy accessible and easy to read 
• When in doubt, consult with a third-party expert who can help you navigate employee data rights

Build an employee data privacy policy that works

Red Clover Advisors can help you develop a sustainable privacy policy that works for your business’s unique needs. Contact us today for a free consultation.