Employers collect data about their employees. It starts with employees’ salary data, resumes, and work hours. It continues with fingerprints and images from security cameras, followed by employee meals and business trip information. Employers also collect medical information, personal messages on company phones, and location data of the company car for private trips. It goes on and on and on.

Employees welcome this when it is for their own good. But when it is used to make decisions about them that may disadvantage them or reduce their salaries, they are less comfortable with it. In addition, in light of cyber events becoming very common, the possibility that this information will fall into malicious hands should worry employees just as much.

Awareness of Privacy Matters

Awareness of privacy matters is on the rise. While organizations have become more vigilant about the privacy of their customers, they still for the most part neglect the privacy of their employees. This stems primarily from the power imbalance between employee and employer, of which employers are all too aware. Another reason for the lack of attention to employee privacy is that fact that, until recently, collecting employee data centered on the core matters of employment, such as salary payments and human resources management.

In light of the technological developments and recent trends in employment, data collection has become more diverse. It intrudes into more distant contexts than the basic relationship between employer and employee. Processes once handled manually, such as personality assessments and hiring tests, employee evaluations, and training and enrichment programs for employees, are becoming more computer-based.

As data collection about employees becomes more widespread, an employer’s duty to protect them increases as well. The EUR 35 million fee imposed on fashion chain H&M in October 2020 signals to employers, too, to demonstrate vigilance in the matter of privacy. This is the second highest fine so far imposed under the GDPR, and it was imposed particularly for violation of employees’ privacy rights.

The fines that may be imposed under Israeli privacy laws are exceedingly low at this point. However, predictions are this will not last for long. Therefore, organizations would do well to begin ensuring the protection of their employees’ privacy.

For such purposes, and in order to avoid unpleasant situations with one’s employees, recommended rules for implementation and protection of employees’ privacy follow below:

Do’s and Don’ts:

Do: Be transparent with your employees as to the information you are collecting about them. Be transparent about the uses of such information you intend to make. The duty of transparency is the most basic of all duties imposed upon organizations that collect data. This is a general rule that applies to employers in particular.

Do Not: Do not collect data about your employees that you do not actually need, particularly not sensitive information. Examples of sensitive information include sexual orientation, political views, and information regarding a person’s race, ethnicity, or national origin.

Do: Develop a “code of ethics” of sorts that defines a clear boundary as to the permissible uses of data. This will enable you to make sure the duties imposed upon you trickle down to officers when implementing your policy.

Do Not: Do not expose employee information indiscriminately. Provide access to this information only to persons within the organization that need to know it in order to perform their roles. In addition, when you use an external provider’s services, make sure they protect employees’ privacy as well.

Do: Operate proper information security mechanisms in order to protect your employees’ information.

Do Not: Do not keep information for all eternity. For each type of information you keep, you must decide how long you require it. Delete more sensitive data after shorter periods.

Do: Manage your employees’ expectations as to use of electronic communications means at work. In the course of employment, employees are provided with electronic communication tools intended to ease communication between colleagues and to preserve corporate knowledge. These tools include the organizational email account, organizational chats, portals, and social media. It is important to clarify to employees the boundaries between their personal and professional spaces in the course of using such tools at work.

The Bottom Line

The landscape of data privacy and security laws is challenging in the best of times. This is especially true now, when data makes the world go round. As employers, you should make sure you protect the right to privacy of your clients, suppliers, and employees. Use the tips in this article for certainty about what you can or cannot do with information you have on your employees.

Adv. Karin Kashi is a lawyer in the Regulation Department. She provides clients with comprehensive legal advice about how their operations may be subject to privacy protection laws. As part of her services, she advises employers on all matters related to employee privacy. Karin and the team would be happy to provide you more information in this matter. Feel free to contact us for further guidance.