If you like today’s post or any of my other series please “Subscribe” to this blawg to receive e-mail updates. In addition, follow me on Twitter and “Like” me on Facebook. If you need to contact me directly, please e-mail me at Ryankhew@hawaiiesquire.com.
For the past two Draw the Law posts I have focused on workplace privacy protections, which have included the following topics:
- Credit and background Checks and Surveillance and Electronic Monitoring
- Searching Personal Property and HIPAA Privacy
Today is the final day for the subject of dealing with sensitive or private information in the workplace. I will be focusing on Job References, Social Security Numbers, and other kinds of Personal Information. Note that the last two types of information require businesses to protect them for not only employees, but people in general. This includes customers/clients/patients. This is good because next week I will focus on legal issues with customers, and this is a nice segue into that series of posts.
Job References Immunity (HRS 663-1.95)
Suppose you let an employee go and a couple of weeks later another company calls you up asking about this former employee. If the former employee was decent or good you may consider giving them a reference or providing information to put them in a positive light. However, if they were terrible you may be inclined to be honest, as you do not want another employer to go through the headaches you did.
While, this is not privacy matter per se, it is a sharing of information about someone and in the State of Hawaii we give employers a “qualified immunity” for providing this information. If you provide a job reference about a current or former employee to a prospective employer you just need to act in good faith when you give this information (even if it may be negative.
For job reference calls, Employer A is immune from a suit from former employee so long as what he is saying to Employer B are not lies.
Many times a former employee cannot get employed, and find out that a old boss is telling things that are brutal to their career. However, the employee has to prove in a court of law that what the former boss knows they saying false things or trying to mislead the asking employer.
While, you may have a defense against a former angry employee you might not want to say whatever you want, no matter how true the matter may be. The best strategy here is to develop a termination process, tell the employee (or wait for them to ask) that you can be used as a reference, and prepare a list of things to tell a prospective employer about them and keep it with the employees file.
Social Security Numbers (HRS 487J)
In the State of Hawaii we protect Social Security Numbers (SSN) . More specifically, we prevent businesses from doing the following:
- printing an individual’s entire SSN on anything mailed to the individual, except in 2 situations: (a)what is being mailed is between employer-to-employee; or (b) the person requests that their entire SSN is sent;
- requiring people to give their SSN over the Internet, unless the connection is secure or the SSN is encrypted (thus job application forms on websites have those secure login protocols);
- requiring people to use their SSN to access an Internet website, except in the situation where a PIN or password is also required to access the website.
Prohibited uses of Social Security Numbers.
In general, if you do not have the sophisticated job application systems you probably want to avoid using SSNs and trying to gain more information through interviewing. SSN is sensitive information and the State takes it seriously. So much so for every violation the penalty is $2,500.
Personal Information (HRS 487R)
In addition to SSNs, other types of personal information are protected against unauthorized access and businesses that collect this information either for employment purposes or a customer database need to avoid disclosing this information. Basically, we have given people the right to be protected and safe knowing this information is being safeguarded by the entities we give them to.
What is Personal Information?
So “personal information” is a very specific set of information. Most of it you have memorized as you routinely use it to verify who you are whether it is for employment, getting benefit from the government or other instiutions, and for records purposes.
Personal information = person’s name + any of the following:
- Driver’s License Number;
- Financial Account number;
- a code that allows access to financial information.
"Personal Information" is a person's name + their SSN, or License #, or their Bank Account #, or PIN.
How can a Business Take Reasonable Measures to Protect this Information?
The main goal is so that information cannot be read or reconstructed based on the medium it was recorded so any of the following methods is appropriate depending on the situation:
- Shredding papers;
- Destroying electronic media;
- Erasing electronic media;
- Or finally a catch-all, a procedure relating to the adequate destruction of personal records as official policy in the writing of the business entity.
A business cannot simply just throw away personal information it must assure that it is properly destroyed using one of the above methods.
If you are a one-person shop, like I am. Invest in a good shredder. If you are a larger business consider outsourcing to a professional information destruction service. However, before you sign that agreement with them make sure you review their policies and procedures, and insure that they are thorough because you are still responsible for any leaked information.
Similar, to the SSN situation you may be fined up to $2,500 per violation by the government. If you have a lot of workers and customers in your database and a fraction of that is leaked you could have a very expensive lawsuit. In addition, to the government coming after you the person who’s information that you released by accident can also sue you.
Final Word: Record Retention and Destruction
In this age where we get an ID or number for everything we do we set-up databases to contain all that information and make it easy to sort through. However, those numbers represent people and the law has decided to protect that information. Therefore, a business needs to have a thorough record retention and destruction policy. In addition, it becomes key that the people who access this information (no matter how routine or mundane it may seem) are responsible. If you need to figure out how to handle sensitive information or need an update/review your procedures in this area contact a HR specialist or attorney to help your compliance steps.
Remember that next week we will move out of human resource problems and move on to legal issues with customers. Also stay tuned a poll determining what the next subject of my talk at The Box Jelly, Hawaii’s first coworking space, will be going up soon.
Have an Aloha Friday!
*Disclaimer: This post discusses general legal issues, but does not constitute legal advice in any respect. No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction. Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.