Skip to Main Content
March 10, 2009


From the BLR newsletter Best Practices in HR

Protecting individual and organizational privacy is an increasingly difficult and complex challenge. As local, federal, and international jurisdictions enact new privacy laws, employers must adjust their policies and procedures to balance employee expectations with myriad compliance responsibilities. The nature of the challenges is directly related to the organization's position in the marketplace. For example, employers that engage in interstate and/or international commerce face different challenges than a small business providing goods or services in a single U.S. town because they must be sure they comply with laws in various jurisdictions.

Legal considerations

Federal and state laws impose strict rules that apply to proper handling of employee medical information. Employers are also obligated to conduct thorough investigations whenever there is a complaint or evidence of inappropriate or illegal behavior by one or more employees.

In addition, many states have laws that allow current and former employees access to their personnel files. If a disgruntled employee finds any information (e.g., references to the individual's private life, political or religious beliefs, race, sex, grievances, etc.) that compromises their privacy, employers can expect unpleasant repercussions. That's why legal experts say you shouldn't put anything in a personnel file you wouldn't want a jury to see.

Employee privacy considerations

Terri Hoehne, director of human resources with Aurora University in Aurora, Illinois, says that employers should be particularly cautious about how they handle employee-specific information on sensitive issues such as medical information and grievances.
Many employers make the mistake of including medical records and non-job-related documents such as complaints and discrimination investigation material in employee personnel files. "This practice can easily lead to compromising an employee's privacy and increase the employer's potential liability," says Hoehne. For example, personnel files should be kept as confidential as possible. But there are times that various employees have a legitimate need to review a personnel file-such as supervisors or managers considering an employee for a promotion or transfer. Including information pertaining to an individual's medical history or a grievance in the personnel file could open the door for inappropriate use of that information (intentionally or unintentionally). So how do you strike a balance?

The balancing act

Hoehne says that the first step is for HR pros to understand the employer's legal obligations and employee privacy rights in all relevant jurisdictions. The second step is to establish policies and procedures to heighten security and limit access to sensitive information. For example keep all medical records and grievance documents separate from personnel files in a locked storage location and give authority to access the files to only one or two people.

Some employers argue that grievance documents belong in the personnel file because they often relate to an individual's job performance. Hoehne says there's a better approach and uses another HR pro's recent dilemma by way of example:
"Three employees working for a colleague's firm were experiencing problems with their supervisor and finally submitted written complaints about the supervisor constantly lying and trying to manipulate them. An investigation into the charges and discussions with the supervisor resulted in the supervisor being demoted. Copies of the written statements were put in each employee's personnel file [including the supervisor's]. Now, the demoted supervisor has asked to see the written complaints." Illinois state law (in this case) permits employees to "... inspect any personnel documents which are, have been or are intended to be used in determining that employee's qualifications for employment, promotion, transfer, additional compensation, discharge or other disciplinary action ...". Many states have similar laws but likely have variations that would impact employers within their jurisdiction.

The dilemma here is how to comply with the state's right to the access law and still protect the privacy of other individuals. Hoehne's solution is simple :"I always keep written statements as well as investigation notes and other source documents in a nonemployee file and only put the results of the investigation, stripped of individual names, in any employee file. In this case, the investigation summary might read: 'Three witnesses were questioned in light of the situation. Witness A was questioned first. In response to the question x, Witness A stated y ...' This approach satisfies the investigation and documentation requirements and lets the individual see the summary without jeopardizing anyone's privacy [or] confidentiality."

In addition to keeping privacy-sensitive documents out of an individual's personnel file, it's a good idea to periodically review each employee's file to be sure the appropriate documents in the file (e.g., records of raises, promotions, commendations, written performance evaluations, warnings and disciplinary actions, employment agreements, etc.) are accurate, up-to-date, and complete.


Filed Under: Workplace Issues