Employers collect a substantial amount of personal information about their employees. Companies need to be aware of their obligations under the profusion of data protection laws and regulations that govern the collection, use and transfer of personal information. This is an especially daunting task for companies that have operations subject to the laws of multiple jurisdictions, as requirements vary widely from country to country and even from state to state. This Advisory summarizes some basic concepts to consider under current data privacy laws that relate to human resources matters.
Companies use employees' personal information for a variety of purposes—from evaluating applicants during the hiring process to administering payroll and employee benefit plans to managing separation and other post-employment benefits. And as more employers adopt enterprise-level information management systems and outsource certain human resources administration functions, increasing amounts of personal data are being transferred and shared within and between organizations. Maintaining compliance with applicable data privacy laws is a responsibility employers cannot afford to overlook.
As a rule, only personally identifiable information ("Personal Data") is afforded special protection by data privacy laws. This usually includes one or more types of data that identify or are linked to an identifiable living individual (e.g., name or Social Security Number). In some cases, it includes a combination of such information that could potentially identify an individual (e.g., birth date, gender and postal code taken together). Many (but not all) data privacy laws exempt Personal Data that has been encrypted. Certain types of "Sensitive Data" are often given enhanced protection under comprehensive data protection regimes. Sensitive Data may include, for example, race, ethnicity or national origin, political opinions or associations, union membership, sexual orientation, marital status, health-related information and criminal history. It should be noted that data privacy laws are not restricted to protecting active employee information, so companies' obligations extend to any non-employee groups whose Personal Data they may acquire: not only clients and customers, but also job applicants, consultants, independent contractors and terminated or retired employees.
Data Privacy Laws Around the World
United States. A few U.S. federal statutes protect specific types of Personal Data. The most important of these for employers are the Health Insurance Portability and Accountability Act ("HIPAA"), covering certain health-related information; the Genetic Information Nondiscrimination Act ("GINA"), which applies specifically to genetic information; and the Fair and Accurate Credit Transactions Act ("FACTA"), designed to protect consumer credit information. In addition, most U.S. states have laws concerning data security and security breach notification. Many of these laws are identity-theft protection measures that generally impose an obligation to protect Social Security Numbers and similar Personal Data against unauthorized use or disclosure and require secure destruction of such data. One state has gone a step further: since March 1, 2010, Massachusetts requires most companies to adopt a written security policy that meets certain standards to protect a broad range of Personal Data collected from customers and employees who reside in the state. A compliant plan requires not only security measures, such as encryption of Personal Data stored on portable devices, but also training and oversight of vendors who have access to the data.
Although U.S. law is trending toward stricter protection of Personal Data, the laws in other countries are often much more extensive than even the strictest U.S. standards. Many U.S. companies that do business globally will need to go beyond the requirements of U.S. law to facilitate the lawful flow of Personal Data into the U.S. from countries with more restrictive rules, as further discussed below.
European Economic Area. The European Union's data protection Directive 95/46/EC (the "EU Directive") recognizes Personal Data privacy as a fundamental right and establishes a comprehensive scheme to protect such information, as implemented by the enacting legislation of the nations comprising the European Economic Area ("EEA"). These extensive rules cover the collection, processing (including storage) and transfer of Personal Data in any form. Among other things, requirements include the adoption of reasonable security measures, an obligation to notify (and in some cases obtain consent from) individuals about the collection, protection, use and disclosure of their Personal Data, and may include notice filings with local data protection authorities. Because the EU Directive merely sets forth minimum standards, there is considerable variability in the specific restrictions imposed and degree of flexibility allowed under the laws of individual EEA countries.
The EU Directive also generally prohibits transferring Personal Data, without consent of the individual, to countries whose laws do not ensure an "adequate" level of protection, unless the receiving entity agrees to model contractual provisions providing for such protection. U.S. laws are not deemed sufficient in this regard, but the EU and U.S. Department of Commerce created a self-certification safe harbor program whereby U.S. companies can pledge to adhere to seven principles to become eligible to receive Personal Data from EEA nations. These safe harbor principles relate to (1) notification requirements as to Personal Data collected, how it will be used and who will have access, (2) opt-out opportunities for the use of Personal Data and opt-in requirements (i.e., obtaining prior consent) to use Sensitive Data, (3) restrictions on transfers to third parties (e.g., benefit plan administrators) to ensure the third party maintains security measures consistent with the safe harbor principles, (4) taking reasonable security precautions against loss, misuse and unauthorized access, (5) limiting use to necessary or consented-to purposes, (6) allowing individuals to access and correct their Personal Data and (7) implementing an enforcement mechanism meeting certain standards (e.g., submitting to the dispute resolution body of the applicable EEA nation).
Non-EEA Countries. Legislation concerning data protection varies greatly in other countries. Some have comprehensive data protection laws in the manner of the EU Directive, including Argentina, Australia, Canada, China and Japan. Mexico and India also recently enacted broad data privacy legislation. Some countries have laws of limited applicability, focusing on specific types of information or processes, while others have little or no legislation in this area.
- Employers should consider all legal requirements (whether local, state or provincial or nationwide) that may impact their data privacy policies and procedures. These may include, for example, employee record retention rules, "whistleblower" statutes and restrictions on monitoring or surveillance of employee activities and communications.
- Certain processing or handling of Personal Data, and changes to a company's privacy policies, may require disclosure to and/or consultation with unions or works councils representing affected employees, particularly in the EEA.
Penalties and Compliance. Many data privacy laws explicitly provide affected parties with personal rights of action for statutory violations. Civil fines are also common, and some laws permit criminal prosecution for egregious cases. For example, fines for a HIPAA privacy violation range from $100 to over $50,000 per violation (up to an annual cap as high as $1.5 million) depending on the level of culpability, and offenses committed knowingly can result in criminal prosecution. Further, employers whose employees' identities are stolen due to knowing violations of FACTA may be held responsible for minimum statutory damages of up to $1,000 per employee plus punitive damages and attorney's fees, and can be subject to civil fines of up to $2,500 per employee in enforcement actions brought by the Federal Trade Commission and additional amounts from state authorities. The EU Directive grants data subjects a private right of action for data privacy law violations, and local data protection authorities have enforcement powers that include the imposition of fines, which can be severe. Agencies in France, Spain and Germany have levied fines of €1 million or more. In Spain, where enforcement has been particularly aggressive, a recent law change lowered the minimum and maximum penalties for various violations and provides for non-monetary resolution of minor infractions. Criminal penalties also exist in some EEA countries for certain offenses. Outside of the statutory penalties and claims, companies need to be concerned about civil suits for damages and the adverse effects of Personal Data security breaches on public and employee relations.
Data protection laws tend to be complex and, in part because they are relatively new, there is not a great deal of interpretive guidance on compliance matters. Companies seeking to minimize their exposure from legal violations and security breaches involving employee Personal Data should consider adopting data privacy and protection best practices that aim to limit the amount of Personal Data they collect, process, transfer and store; secure Personal Data collected (in all formats in which it is kept); limit access to Personal Data to the extent practicable and provide training to staff who handle Personal Data; ensure third parties receiving Personal Data are subject to and apply appropriate security measures; prepare for security breaches involving Personal Data; maintain accuracy of the Personal Data collected and processed; and monitor compliance with all applicable data protection laws and regulations as well as any safe harbor and contractual requirements adopted by the company.