We live in a wonderful age in which information flows quickly and abundantly, giving savvy businesses a better chance to stay on top of things, effectively manage change, and anticipate future trends. Much of the improvement in the speed and availability of information is due to advances in computers and to the growth of the Internet. However, our information and technology resources have a dark side that many do not yet realize is there, an aspect that some are all too willing and able to exploit. That aspect is invasion of privacy, the potential for which has never been greater than now and can only grow in the future.

There are several areas of concern, some of which have to do with privacy issues in the workplace, some with privacy in our personal lives, and some with both our work and private lives. This article is meant to introduce you to some of the privacy issues that will be of increasing importance to employers and employees.

First, we make a few assumptions that we think are widely acknowledged. Employers are custodians of a great amount of personal and private information relating to their employees. A related fact is that like it or not, employees depend upon their employers to do the right thing with that information. Finally, there are many reasons why third parties want to get at that information, some bureaucratic, some financial, some nosy, and some even downright dangerous.

In dealing with these realities, employers should try their best to keep some important basic principles in mind:

  1. A good starting point: all information relating to an employee's personal characteristics or family matters is private and confidential.

  2. Information relating to an employee should be released only on a need-to-know basis, or if a law or court requires the release of the information.

  3. All information requests concerning employees should go through a central information release office within your organization.

Common Misconceptions

Many employers and employees share common misconceptions about privacy in the workplace. One widely-heard misconception is that either the "Freedom of Information Act" or the "Privacy Act" forbids a company from releasing an employee's personal information, including a Social Security number (SSN). In actuality, those federal laws generally do not apply to a private employer's actions. They either obligate federal government agencies to release, or forbid them from releasing, certain private information about citizens to outside parties. Without significant exception, employee information furnished by employers to federal agencies, such as with payroll information to the IRS, is exempt from public disclosure.

What about Texas state law? The Texas equivalent to the Freedom of Information Act is the Public Information Act (PIA - formerly known as the Open Records Act). It, like the FOIA, applies only to government agencies. Private employers are not covered. Now, it is well-known that employers must furnish payroll information to the TWC in the form of wage reports. The private information, i.e., information tied to specific employees, is exempt from disclosure under the PIA. That means, among other things, that TWC is not permitted to release sensitive employee (or company) information to the public.

Can private companies be forced to reveal private information concerning employees? Generally not, although under certain circumstances, a company could be ordered by a court to turn over certain employee information to either the court or to the other side in a lawsuit. Even with that, your attorney would still be able to argue for limitations on the release or use of such information.

Where's the Danger?

Most risk associated with invasion of privacy stems from loose, ill-advised practices on the part of an employer. Employers sometimes pay much more attention to protecting business secrets than they do to protecting their employees' privacy. In reality, employees are among the greatest assets of any company, and an employer should put as much care into protecting their privacy as it does into protecting its trade secrets from disclosure.

The worst type of invasion of privacy is probably "identity theft", in which someone else, using a victim's personal information, incurs obligations in the victim's name, leaving that person with a tangle of financial problems to sort out. In a recent incident, a dishonest former employee found a box full of employee personnel information lying completely open and unattended in an ordinary company warehouse. She took the information, mainly name, address, birth date, next-of-kin, and SSN records, and used it to apply for fake credit cards and other credit applications for herself and some like-minded cronies. The company's employees started getting collection calls from various credit bureaus and stores, wanting to know why bills they had never heard of had not been paid. It took quite some time before the affected employees even realized they were all more or less in the same boat. After much investigation, time, and trouble, most of the credit problems were sorted out, and the former employee was arrested. However, many of the employees are still having to explain the situation to credit companies and banks.

A similar thing happened in the case of an employee whose personal information was given out over the phone to a caller who claimed to be checking on a credit report. That person sold the information to a network of fraudulent operators, and multiple bogus credit cards were issued in the employee's name to several different people. The resulting credit card bill avalanche is still being sorted out by civil and criminal investigators in two states.

Much worse was the case of a person who lost his driver's license, reported in the February, 2000 issue of "HR News", the journal of the Society for Human Resource Management. Apparently, a thief picked the license up and used it to establish a new identity. Somehow, it got associated with the victim's SSN, and after the thief racked up some other criminal acts, the victim's identity was thoroughly tainted. He first noticed problems when applying for another job - an employer that seemed very interested suddenly refused to return his calls. Persisting, he was finally told to never contact the company again, since he was an "unsavory character". Even after years of trying to set things straight, even with a letter from the police stating that he had committed no crime, he still could not get a job.

Texas employers need to be aware of a new statutory provision that became law in 2003 and took full effect on January 1, 2006, having to do with use of social security numbers as employee identifiers. Texas Business & Commerce Code § 501.001(a, b) are the most relevant provisions, generally prohibiting an employer from printing employee SSNs on any materials sent by mail, which of course includes paychecks sent by mail. There is a "safe harbor" for printing the SSN on paychecks if 1) that was the practice prior to January 1, 2005, and 2) the employer makes an annual disclosure to the employee that upon the employee's written request, the SSN will no longer be included on the paychecks. An exception also exists for the mailing of IRS- and TWC-related forms, such as W-2s and quarterly wage reports, and any other official government forms that require the employer to include SSNs.

Another Texas law, Business & Commerce Code § 521.053, requires a business that loses sensitive personal information of customers, employees, or others through hacking or other means of unauthorized acquisition by others to promptly notify the victims of such a breach of security, so that the victims can take steps to protect themselves from identity theft.

Finally, Business & Commerce Code § 503.001 governs the use of biometric identifiers for commercial purposes, which would include the use of identifiers such as fingerprints, voiceprint, retinal or iris scans, and facial recognition data for access, time-tracking, and other employment-related uses. That law requires prior notice to and consent from employees before employers obtain such information. Further, such information may not be sold or disclosed to another person unless the employee consents for identification purposes in the event of the employee's disappearance or death, or else the disclosure is required or permitted by law. The biometric information must be destroyed no later than one year after the need for the identifier ends (such as the separation from employment of that employee), or within one year of the last date that the particular record is required by law to be kept. Violations of this statute may be subject to a civil penalty of up to $25,000 for each occurrence.

Identity theft is a federal crime, regarded as a felony offense and punishable by a fine, time in prison, and/or restitution to the victim. Any suspected misuse of personal data should be reported to the Federal Trade Commission (FTC) at 1-877-438-4338 (toll-free call) for assistance.

Among the best ways to avoid such problems are the following:

  1. Using up-to-date digital and/or hardware-based methods, thoroughly wipe all data from the hard drive and removable magnetic media of any obsolete computers discarded or sold by the company, and physically destroy any data CDs or DVDs containing company and employee information. If necessary, hire an outside data security company to ensure that this gets done.
  2. Shred and securely dispose of any paper records containing sensitive company and employee information.
  3. Do not use social security numbers as employee identifiers. Rather, use random identifiers and keep the SSNs as narrowly-distributed as possible.

Job Reference and Employment Verification Calls

In general, it is not recommended that employers give out any information about current or former employees to callers seeking information about specific individuals, such as full name, date of birth, SSN, address, pay level, or work schedule, since there is no way for a business to know who the caller really is. The caller could be a prospective new employer genuinely seeking job reference information, or a bank seeking to verify employment for your employee's loan application, but could just as easily be a private investigator or a debt collector attempting to harness the business into making their own job easier, or else someone with ill intentions, such as a disgruntled neighbor or relative, or, even worse, a stalker or identity thief. For that reason, it is advisable to adopt as a general practice a three-pronged procedure:

  1. Have the person who receives the call route the call to a designated company official, such as the owner, a specific manager, or the HR department, i.e., someone who is presumably aware of the importance of safeguarding information about employees;
  2. Document the call as to time, date, identity of the caller, and purpose of the call; and
  3. In the event that the person handling the matter does not know with certainty who is calling and why, give the caller a standard response such as "I'm sorry - we don't give out information about our current or former employees over the phone, but if you forward to us a written authorization signed by your applicant that allows us to do so, we'll give you any information that the form authorizes us to release."

It goes without saying that the individual employees should be trained not to casually give out such information, as employees often do over the phone or in person (and as is well-known among identity thieves, private investigators, and debt collectors, among others). Rather, the company should stress point 1 listed above regarding proper routing of such calls or in-person inquiries.

Other Forms of Privacy Invasion

Employers must also be concerned with newer technology such as camera phones (also known as cell phone cameras), digital cameras, and digital movie recorders. In just a few seconds, offensive pictures of coworkers in private, embarrassing, or intimate situations can be taken and sent via e-mail or the Internet to other people and locations. Similarly, such technology can be used to quickly and efficiently conduct industrial espionage. Many employers are now banning the use of such devices in the workplace unless the company has given the employee express permission to use them. Prohibiting such devices and their use can be one tool in preventing harassment claims from employees who feel their privacy has been invaded. Employees should also be warned that they may face both civil and criminal liability for misuse of imaging devices against coworkers and the company. For an example of how such a policy might be worded, see the sample policy titled "Internet, E-Mail, and Computer Usage Policy" in the companion book "The A-Z of Personnel Policies."
