As an employer, you hold more private, sensitive data about people than nearly anyone else, anywhere. The government doesn't have their health records, the insurance company doesn't have their income information, the doctor doesn't know their checking account numbers, and the bank doesn't know how your top sales rep is fighting with a cube-mate. Employers, on the other hand, have to gather and retain it all.
Many small business owners feel that "we're all a big family here," which is a nice feeling but doesn't release them from some very serious legal requirements.
- Did you know that you must keep medical information separated from all other forms of data on an employee?
- Do you know how to "lock the filing cabinet" if everything is electronic? And is email considered a "file"?
- Do you know that when you keep performance records or complaints separated, you're protecting yourself as well as the employee?
I interviewed Doug Dexter, partner and chair of the employment practice group at Farella Braun + Martel, LLP, in San Francisco, for an extended interview; here are some highlights:
Q: Employers hold basic financial information, but are there HR records beyond that that need protecting?
DD: The employee has a right to privacy. What is my performance rating; what is my home address? What things have I been warned about or criticized for? All of that is highly confidential. Let alone the medical information that has to be explicitly segregated. The law requires that you segregate info into two files: 1) any medical-related information regarding disability leaves and insurance claims, separate from 2) employment records. It comes under the Disability and Leave Act.
Q: I understand that there's also protection for the employer that's provided by secure record-keeping. Can you outline that for us?
DD: It's in the self-interest of the employer to shield supervisors from information that can't be used for employment decisions. If I'm an employer, I don't want supervisors to know things so that they can't be used in any improper way. Or if I've had complaints about an employee regarding harassment, that type of thing. If I'm an employer, and there's an adverse decision made, I need to be able to say that the decision maker was ignorant of the other decisions.
Q: In this age of electronic data, what does all this mean?
DD: In addition to the hard copies, you need an electronic system and to decide who has access to what levels of information. So the question arises: how are you going to track access? You want to have information on who has accessed it, and so you may as well have info on when. That might matter to a decision as to whether it was obtained before or after a decision that's being challenged.
Q: How would you say the typical owner of a small business is doing in this security scenario?
DD: Awfully challenging, because they have limited resources. They're not going to be investing in a lot of infrastructure. It's also that in an organization that size, they don't have a lot of advice. The good news, though, is that they also don't have the volume that a large organization has to deal with. So they can, theoretically, do it on an ad hoc or individualized basis. A lot of organizations like this don't even have HR functions. The whole veil of privacy might not be there.
Q: I would imagine that sometimes the size of the operation gives the owner a false sense of security, that it's a family.
DD: There's an expectation that the employer is going to have unfettered access. That there aren't going to be any secrets from them. There's the belief that it's like a family, there aren't any secrets here. But that's an intimacy that is actually illusory, because it's all fine until somebody is no longer part of the family. Then all of a sudden, it's perceived that the employer or manager knew too much. And there's even, you might say, a sense of paternalism.
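The access-control and access-tracking point Dexter makes above (segregated medical and employment files, deciding who may see which level, and recording who accessed what and when), as an added example that is not code from the original article or from Farella Braun + Martel: a small in-memory records store in Python that keeps medical and employment records apart, checks the caller's role before every read, logs every attempt with actor and timestamp whether or not it succeeds, and can answer whether a given decision maker saw a file before a challenged decision. The role model, employee names and sample records are constructed for the example and are assumptions, not anything the interview specifies.

```python
"""Segregated HR records with role checks and an append-only access log.

Added example, not code from the original interview.  The roles, names and
sample records below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Two segregated stores, as the interview describes: medical information
# is kept apart from ordinary employment records.
MEDICAL = "medical"
EMPLOYMENT = "employment"

# Assumed role model (an assumption of this example, not from the article):
# supervisors never see medical files; HR sees both; benefits staff see only
# medical.  Anything not listed is denied.
ROLE_PERMISSIONS = {
    "supervisor": {EMPLOYMENT},
    "hr": {EMPLOYMENT, MEDICAL},
    "benefits": {MEDICAL},
}


@dataclass
class AccessEvent:
    when: datetime
    actor: str
    role: str
    employee: str
    store: str
    allowed: bool


@dataclass
class HRRecords:
    records: dict = field(default_factory=dict)    # (store, employee) -> text
    audit_log: list = field(default_factory=list)  # append-only AccessEvents

    def put(self, store, employee, text):
        self.records[(store, employee)] = text

    def read(self, actor, role, employee, store, now=None):
        """Return the record if the role may see that store.

        Every attempt is logged, including denied ones, so the log shows
        both who saw a file and who tried to.
        """
        when = now or datetime.now(timezone.utc)
        allowed = store in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AccessEvent(when, actor, role, employee, store, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {store} records")
        return self.records.get((store, employee))

    def accesses_before(self, actor, employee, cutoff):
        """Successful reads by `actor` of `employee`'s files before `cutoff`.

        This is the question that matters when a decision is challenged:
        did the decision maker see the file before the decision was made?
        """
        return [e for e in self.audit_log
                if e.actor == actor and e.employee == employee
                and e.allowed and e.when < cutoff]


def demo():
    """Constructed scenario: a supervisor reads an employment record, is
    refused the medical record, and a later challenge asks what they saw
    before a decision date.  Returns (medical_leaked, log_entries, stores_seen)."""
    db = HRRecords()
    db.put(EMPLOYMENT, "alice", "2023 rating: exceeds expectations")  # constructed
    db.put(MEDICAL, "alice", "disability leave approved 2023-03")     # constructed
    t_employment = datetime(2024, 1, 10, tzinfo=timezone.utc)
    decision = datetime(2024, 1, 11, tzinfo=timezone.utc)
    t_medical = datetime(2024, 1, 12, tzinfo=timezone.utc)

    db.read("bob", "supervisor", "alice", EMPLOYMENT, now=t_employment)
    try:
        db.read("bob", "supervisor", "alice", MEDICAL, now=t_medical)
        leaked = True
    except PermissionError:
        leaked = False

    prior = db.accesses_before("bob", "alice", decision)
    return leaked, len(db.audit_log), [e.store for e in prior]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the log would live somewhere the people being audited cannot edit (a separate database or append-only log service), and the role table would come from the identity system rather than a dictionary, but the two properties shown here are the ones that matter: denial is the default for any store a role is not explicitly granted, and the timestamped record of attempts is written before the access decision is enforced, so denied attempts are captured too.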