Your company's privacy policies should inform employees about when their data and activity will be protected, when it will be subject to oversight, and when it may be released. — Getty Images/Marko Geber

As an employer, you are responsible for protecting employee privacy and ensuring your staff keeps confidential data secure. Businesses must follow federal, state, and local employee privacy laws. In addition, cybersecurity measures prevent the malicious activity that leads to breaches of confidential information.

Avoid lawsuits for mishandling sensitive employee data by taking a multilayer approach to privacy and security. Follow these steps to strengthen your recordkeeping efforts and improve employee privacy in your business.

Learn what employee data is confidential

While most employers aren’t covered entities required to follow the Health Insurance Portability and Accountability Act (HIPAA), other regulations may apply. The Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) require businesses to keep medical information separate from the employee’s personnel file.

The Electronic Communications Privacy Act (ECPA) regulates "email, telephone conversations, and data stored electronically." Consider the type of data you gather, your collection methods, how you store it, and who can access it.

Businesses may retain information such as:

  • Home address and phone numbers.
  • Spousal and family information.
  • Background check information.
  • Medical history and genetic conditions.
  • Social Security numbers.
  • Work history, performance reviews, and pay levels.
  • Any data related to age, race, sex, religion, or national origin.
  • Workplace injury reports and workers’ compensation claims.

Develop clear recordkeeping policies and procedures

Company-wide privacy policies should explain how and why your business collects, uses, and discloses data about prospective, current, and former employees. Consult with legal experts to ensure your privacy policy covers all federal, state, and local regulations and will hold up in a court of law.

Employee privacy policies should include the following:

  • Define personal employee data: Typically, it includes all non-work communications and personally identifiable information (PII).
  • Tell workers when they shouldn’t expect privacy: This generally involves activities on company-owned hardware, like phone calls and email.
  • Explain reasons for data disclosures: Be clear about what you share with potential employees or what legal or emergency situations might require it.
  • Be upfront about employee monitoring: Disclose which video, telephone, GPS, and productivity tools track activities for security or other purposes.
  • Describe procedures after employment ends: Clarify what you do with records after a worker leaves your workplace, including how long you keep documents.

Provide a copy of your privacy policy to all staff and new hires. Have them sign a statement saying that they have read and understand it. Then, keep the signature pages in their personnel files.

Secure personnel records

If you maintain physical records, you should limit access to certain people and keep a log. Always use proper disposal methods when removing physical documents. Likewise, you should restrict access to digital files and monitor log-ins to ensure employees aren’t looking up information or using it for unauthorized purposes.

SHRM recommends that companies take these actions:

  • Periodically audit your processes and access logs to verify that your safeguards work well.
  • Create a records retention policy that lists how long you keep records and what information you keep.
  • Appoint an employee to manage requests for worker information and have staff sign a release form before disclosing data.
  • Develop an incident response plan for your company's actions after a data breach or theft.
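The access-log audit recommended above, as an added example that is not part of the original article or SHRM's guidance: a Python script that checks constructed personnel-record access logs against an assumed role-based policy and flags reads of categories a role is not permitted to see, or reads outside business hours, for a human reviewer.

```python
"""Audit personnel-record access logs against an access policy.

Added example for this article, not code from the article or from
SHRM; the log format, user names and role mapping are constructed.
"""
from collections import Counter
from datetime import datetime

# Which roles may read which record categories (constructed policy).
# Medical and genetic records are kept apart from the personnel file,
# so only HR may open them.
ALLOWED = {
    "hr": {"personnel", "medical", "payroll"},
    "payroll": {"payroll"},
    "manager": {"personnel"},
}

# Constructed sample log lines: timestamp|user|role|record_category|subject
SAMPLE_LOG = """\
2024-03-04T09:12:00|alice|hr|medical|emp-1042
2024-03-04T09:15:30|bob|manager|personnel|emp-1042
2024-03-04T12:40:11|bob|manager|medical|emp-1042
2024-03-04T23:05:47|carol|payroll|payroll|emp-2077
2024-03-05T02:14:09|dave|engineering|personnel|emp-1042
2024-03-05T10:00:00|alice|hr|personnel|emp-3001
"""

def parse(line):
    """Split one pipe-delimited log line into a dict."""
    ts, user, role, category, subject = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "category": category, "subject": subject}

def audit(log_text, business_hours=(8, 18)):
    """Return a list of (reason, entry) findings for a reviewer."""
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        # A role with no policy entry is permitted nothing.
        if e["category"] not in ALLOWED.get(e["role"], set()):
            findings.append(("role_not_permitted", e))
        # Reads outside business hours are worth a second look even
        # when the role is permitted.
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            findings.append(("outside_business_hours", e))
    return findings

def summary(log_text):
    """Count findings by reason, the shape an auditor reports."""
    return Counter(reason for reason, _ in audit(log_text))
```

In the sample log, the manager reading a medical record and the engineering user reading a personnel file are the policy violations; the two night-time reads are flagged separately so the reviewer can decide whether they were legitimate.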

Strengthen your cybersecurity posture

Data breaches threaten employees' privacy, and inadequate security measures put confidential information at risk. Cybercriminals steal personnel data like Social Security numbers and other PII. They sell or use the data to commit other crimes, like opening fraudulent accounts. According to Verizon’s Data Breach Investigations Report (DBIR), poor password practices are “one of the leading causes of data breaches dating back to 2009.”

Improve your cybersecurity stance by:

  • Protecting servers, networks, and hardware with a firewall and antivirus/antimalware tools.
  • Setting up virtual private networks for onsite and remote employees to encrypt all incoming and outgoing data.
  • Using password managers, passkeys, and multifactor authentication to prevent credential theft.
  • Providing cybersecurity training to employees, so they understand how to protect their personal and employee data.
