Data Privacy & HR: Balancing employee data protection regulations

By Bill Swan, Principal Consultant

Every employer has an obligation to keep employees’ employment-related information confidential and protected from unauthorized disclosure. In the US, federal laws and many state laws apply to data privacy. Such information includes payroll records and related employee information, social security numbers, addresses, wages, salary, overtime computation, collective bargaining agreements, employment contracts, and other data.

In an increasingly online world, with more human resources information systems (HRIS) delivered online and a global marketplace, operating across multiple jurisdictions adds a further layer of complexity that a company must consider in order to manage employees' private data.

Countries have different data protection laws, such as the EU's General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. The US Code of Federal Regulations sets out the federal requirements for the records employers must keep on employees and for how long: which records to keep for three years and which to keep for two years. In the US, the Equal Employment Opportunity Commission (EEOC) has a privacy program related to information protection. The US Department of Labor and the Fair Labor Standards Act also cover which records are to be kept. State laws in the US have been enacted in 14 states, and more than a dozen more states have legislation in committee. Cities such as Seattle can have detailed requirements. Understanding the laws applicable to each jurisdiction where you collect, store, process, or transfer employee data is growing in importance.

For employers, it is important to know the rights granted to employees under each law. These include rights to access, correct, copy, erase, and restrict processing of their data. If your organization extends across multiple jurisdictions, you will need to adapt your HR practices to comply with local regulatory and cultural norms and expectations.

Here are some high-level things for any employer to consider:

Consent and Transparency:

  • Obtain informed consent: Ensure employees are informed about, and consent to, data collection, processing, and transfer as applicable laws require. Seattle, for instance, requires a written “Notice of Employment Information” provided at the time of hire and before any change in employment information.
  • Provide clear privacy notices: Inform employees about how their data is collected, used, shared, and secured. Explain their rights and how to exercise them. When applicable, provide translation services or have the information provided in their native language.

Data Security and Governance:

  • Security: Protect employee data with appropriate technical and organizational safeguards against unauthorized access, disclosure, alteration, or destruction. Work with your technology experts to ensure this is done legally and well.
  • Data minimization: Collect and process only the minimum data necessary for legitimate business purposes. Avoid collecting sensitive data unless required and have strong business justifications for collecting the information.
  • Data retention and disposal: Establish clear policies for data retention and disposal based on legal requirements and business needs. Securely dispose of data when no longer needed.

Organizational Structure and Processes:

  • Centralized vs. decentralized data management: Depending on your organization’s geographical size and jurisdictional spread, decide whether to manage HR data centrally or locally, weighing local regulatory requirements against operational efficiency.
  • Data breach notification: Understand and comply with data breach notification obligations in each jurisdiction, since different jurisdictions can have different requirements. Prepare ahead of time by having a plan for identifying, reporting, and remediating data breaches promptly and compliantly.
  • Employee training: Train your HR team and employees on data protection laws, company policies, and proper data handling practices. (This is essential!)

Working with competent third parties and licensed attorneys in the respective jurisdictions will help tremendously in navigating complex compliance issues. Specific considerations will vary with the company’s circumstances. FIT HR can help, and we work with many such experts. Contact us early in your multi-jurisdictional journey to help your organization succeed.