HR Professionals Must Keep Up with the Patchwork of Privacy Laws
As we have previously posted, privacy laws are popping up across the country. These laws are under the guise of “consumer protection,” so it may seem that they do not apply to employers or HR professionals. However, a closer look at these laws reveals that HR professionals must review and get comfortable with the requirements of these statutes, as employees are covered.
Patchwork of Laws
So let’s begin with where we are. To date, there are a handful of states that have passed privacy laws:
There is also the General Data Protection Regulation (GDPR), which covers countries in the European Union. All of these laws revolve around “Personally Identifiable Information” or “Personal Information” (“PII”). PII is the type of information that is covered by the above-referenced privacy laws. Each of the above laws has its own definition of PII. Let’s compare…
California: Information that could reasonably be linked to an individual (i.e., social security number, e-mail address, records of products purchased, internet browsing, fingerprints, internet search history).
Combination of an individual’s first name/first initial and last name with any one of the following (that is NOT encrypted):
social security number
medical information (health insurance identification number)
driver’s license number
account number, credit card number, debit card number
user name, unique identifier with an e-mail address
Maine: (1) name, billing information, social security number, billing address AND (2) web browsing history, app-usage history, geolocation information, financial information, health information, information about an individual’s children, device identifier, communications and IP addresses.
Massachusetts: Any combination of a first name/first initial and last name with any one or more of the following: (1) social security number, (2) driver’s license, (3) financial account number, credit card number, debit card number, and the like.
Colorado: This is a broader definition. This is information that is “reasonably linkable to an identifiable individual.”
GDPR: Similar definition to Colorado.
As you can see, employers have a plethora of PII of employees. For example, if an employee has an employer-issued phone, or a work computer, employers can easily track the geolocation of an employee.
Now that we know the type of information that is covered by these laws, the question still remains of why employers should care.
Why Do HR Professionals Need to Care?
Here’s why…
What is a Data Subject? These laws cover “Data Subjects.” A Data Subject is an individual. A Data Subject can be an employee at a company.
These laws apply to both Data Controllers and Data Processors. At first glance, an employer may believe that it is neither a Controller nor a Processor. However, it is abundantly clear that oftentimes employers are both Controllers and Processors. Let’s look a bit closer…
What is a Data Controller?
This is the organization that has the authority to decide how and why the PII is processed. Upon hire, employers take in PII. Employers must determine what information they need from an employee and also what information, if any, will be processed.
What does it mean to “Process” data? Processing refers to the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure or dissemination of information. As you can see, this includes almost any action taken with the data.
What is a Data Processor? This is an individual or entity who processes the data on behalf of the controller. This can be done “in-house” or by a third-party.
Many employers outsource accounting, HR, benefits, training and other services. Companies must ensure that any vendor contract protects employee PII. Moreover, employees must be afforded proper notice if a vendor contract allows for the use or disclosure of employee PII.
How Does This Affect the Daily Life of the HR Professional?
HR professionals need to be nimble and aware of the ever-changing landscape of privacy.
Employee Info Can Be PII. HR pros must understand that some of the information collected and stored about employees can be considered PII under various privacy laws.
Third Parties Handling Employee PII. As mentioned above, businesses must know the terms of any third-party contract that involves employee data. If an employer outsources any services that relate to employees, these contracts must be reviewed for the purposes of employee privacy.
We are here to assist HR teams as we navigate this ever-changing patchwork of privacy laws.