Ten things human resources professionals need to know about privacy

February 2012

As an HR professional, you have extraordinary access to an extraordinarily valuable asset: employees’ personal information. It is critical that you treat such information with care.

We know what can go wrong.

Our Office has seen all too often what can happen when personal information doesn’t get the respect it needs. These 10 tips, all based on real-life events, will help you treat all employees’ information with integrity and professionalism.

1. Avoid emailing sensitive information to groups.

What could go wrong? Information was sent to a large group of job applicants whose addresses were accidentally put in the cc field rather than the bcc field, which resulted in a violation of their privacy.

2. When you send documents by regular mail, make sure someone does a careful manual check before the envelope is posted.

What could go wrong? Confirmation of a salary increase was sent to the wrong manager. The information detailed the exact amount of the salary.

3. Avoid sending sensitive information electronically. If you have no choice, make sure the message is checked carefully before it is sent.

What could go wrong? A manager’s skills assessment was mistakenly sent electronically to 321 people in her organization.

4. When you are interviewing prospective staff, have applicants sign separate sheets to enter the building. Better yet, hold interviews in different buildings.

What could go wrong? When applicants signed in for an interview, they saw the names of all other applicants because everyone had signed the same form.

5. When you hold a disciplinary interview, do not include the reason for the interview in the subject line of the invitation.

What could go wrong? A senior manager invited an employee to discuss how she is to be disciplined, not realising that 17 other people have access to her electronic calendar.

6. For dispute resolution concerning an employee’s pay or rights, the organization should be represented by Human Resources and not by the employee’s supervisor.

What could go wrong? When an employee asked for a review of his pay for medical reasons, his supervisor unnecessarily received details about the employee’s medical condition.

7. When approving medical or family-related leave, ask only for the information absolutely necessary for accountability.

What could go wrong? Medical information about a family member was mistakenly requested to authorize an employee’s leave to care for that person. The organization was not entitled to such information.

8. Set up restrictions or logging mechanisms for people to access data banks.

What could go wrong? Hundreds of employees had access to others’ sensitive personal information.

9. Provide training to ensure that all employees know the importance of protecting HR information.

What could go wrong? A well-intentioned manager answered a third party’s email by quoting from an employee’s performance evaluation.

10. Do not include an employee’s personal address on a form to be signed by the employee’s supervisor.

What could go wrong? Someone in power got access to an employee’s home address, which put the employee’s safety in danger.

For more information about protecting personal information, visit our website.