In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. New York adopted a similar statute. Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context.

Companies should check whether they have a written policy concerning the use and disclosure of protected employee personal information. If they do not, they should confirm that none of the states in which they operate currently require such a policy or are planning to do so through new legislation. 

What to think about when drafting or reviewing an employee privacy policy:

  1. Does the privacy policy capture the main ways in which your organization collects personal information from its employees?
  2. Does the privacy policy ensure the confidentiality of employee SSN and other personal information?
  3. Does the privacy policy explain how employee SSN and other personal information are protected?
  4. Does the privacy policy limit who has access to information or documents that contain employee SSN and other personal information?
  5. Does the privacy policy describe how to properly dispose of documents that contain employee SSN and other personal information?
  6. Does the privacy policy describe the disciplinary measures that may be taken for violations of the policy?
  7. Will the privacy policy be published in an employee handbook, procedures manual, or similar document?
  8. Can the average employee understand the privacy policy?
  9. Does the privacy policy use terms that might be misunderstood or misinterpreted by a regulator or a plaintiff’s attorney?
  10. Does the privacy policy comply with the laws in each jurisdiction to which your organization is subject?

The following provides snapshot information concerning employee privacy policies.
