Okay - technology has done some wonderful things for all of us, including giving us the ability to store lots and lots of information. But, do you really want to do that?
Many employers are looking at ways to be more efficient by using technology to gather and store information about employees and applicants. Employers store everything from names to social security numbers to discipline data on electronic systems.
You may say, well that's just being efficient. I'm all for efficiency, but employers need to be aware that they have to balance their need for information with the employees rights relating to the personal information that is being gathered. We've all heard about companies that have been hacked and companies that inadvertently release protected information about employees or customers. Both federal and state governments have reacted to those events by enacting laws relating to how you may use and store certain types of information. Here are some of the restrictions employers gathering information need to think about:
- Under 325E.61of the Minnesota Statutes, if employers do not encrypt personal information (first name or initial together with last name and social security number, drivers license number or account numbers), they must notify all affected person of any unauthorized disclosure of the information.
- The Federal Fair Credit Report Act requires that information obtained from credit reporting agencies be managed and disposed of properly.
- The Federal Trade Commission (FTC) has entered into consent decrees with employers regarding their handling of employment records. In a matter involving the Rite Aid corporation, the FTC filed a complaint against Rite Aid for, among other things, improper disposal of employment applications. Rite Aids settlement with the FTC requires independent audits for twenty years, implementation of a comprehensive security program, and on site examinations by the FTC.
- Only acquire information you use. Don't acquire information simply because you always have. Focus on current business need.
- Restrict access to information so that only those with a documented business need can get it or pass it on.
- Adopt appropriate written policies regarding data security and retention, including:
- Assigning responsibility for security of records
- Training staff
- Defining appropriate uses of information
- Risk management
- Response programs in the event of a breach
The information contained in this post is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.
RSS Feed