
What is an employee privacy policy? Does my company need one?

Written by Matt Davis, CIPM (IAPP) | March 16, 2023

To date, 71% of the world’s countries feature some form of privacy legislation. More and more businesses are subject to data privacy regulations, and more and more businesses are working hard to ensure they’re respecting their customers’ data privacy rights. But these organizations may not realize they have a responsibility to respect the rights of another group: their employees. 

Figure: Data Protection and Data Privacy Legislation Worldwide (Source: United Nations Conference on Trade and Development)

It can seem like employees ought to be exempt from data privacy regulations; after all, they’ve entered into a contract with your business. But the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and other privacy laws have made it clear that employees also have privacy rights. If anything, respecting employees’ privacy matters even more because of the sensitive nature of the data businesses collect from them. In California, all human resources data collected by an employer, regardless of its purpose, is now subject to the same legal requirements as consumer data.

These laws give consumers, and employees, control over their personal information and provide an avenue for exercising that control: the data subject access request (DSAR). Employees and consumers can request to access their data, correct it, delete it, restrict its use, and more.

Because of these rights, it is a best practice to draft a privacy policy specific to your employees in addition to your organization’s consumer privacy policy. An employee privacy policy helps your company stay compliant with the law, provides the required disclosures, and outlines the DSAR process.

A brief background on privacy laws   

The California Consumer Privacy Act (CCPA) created consumer rights around data privacy similar to those established by the EU’s GDPR. But while the CCPA broadly matched the GDPR’s requirements, it departed from the GDPR by largely exempting, on a temporary basis, data collected and used in the employment context: information about job applicants and about current and former employees of a company.

On January 1, 2023, the CPRA’s amendments to the CCPA took effect, and because the employment exemption was not extended, human resources data collected by an employer is now subject to the same requirements of the law as consumer data.

The CPRA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. Additionally, the CPRA introduces a second category, sensitive personal information, which carries additional obligations, including a right for individuals to limit its use and disclosure.

The CPRA also includes professional or employment-related information within the definition of personal information. What’s more, much of the personal information you collect about an employee will be sensitive in nature, such as their Social Security number or other government identification numbers, financial information, and more.

Since employee data is covered by the CPRA, employers need to treat it the same way they treat consumer data. That includes disclosing all of the requisite information about collection, use, data subject rights, and so on. The most convenient way to meet the bulk of those disclosure requirements is a dedicated employee privacy policy.

What is an employee privacy policy and why does it matter?  

The CPRA only applies to businesses that do business in California and meet certain threshold requirements. To date, it’s the only U.S. privacy law that provides for employee DSARs, but given the influence of California and the size of its market, it’s best for businesses to strive for compliance with its employee data requirements regardless. That’s doubly true if you ever want to serve the Canadian or European markets, since PIPEDA (for federally regulated employers) and the GDPR also provide for employee DSARs.

If you search “employee privacy policy examples” online, you’ll find many companies that already have policies in place, from Nike to GitLab, Twilio, and many others.

Similar to a consumer privacy policy, an employee privacy policy is a document that outlines the rights of employees related to their personal information. It specifies what and how information is collected as well as how it is used and disclosed.  

It’s important to note that an employee privacy policy applies to prospective, current, and former employees. The policy should include:

  • What data is collected during the application, hiring, and onboarding process, as well as throughout the course of employment with the company.
  • Security, including how data is collected, stored, and protected from unauthorized access, as well as how long information is retained.
  • The intended business use of the data collected.
  • Procedures for handling requests, including requests to limit the use of sensitive personal information and to opt out of the sale or sharing of personal data for cross-context behavioral advertising.

Handling employee DSARs: How to future-proof your organization 

Responding to employee DSARs can quickly become a challenging, burdensome, and costly task. In part, this is because employee data is often spread across multiple data stores. An individual employee can also create a massive amount of data over the course of their tenure. And, as we’ve alluded to, this data is often highly sensitive in nature. 

One survey of companies with more than 250 employees found that completing a DSAR takes an average of 83 hours, and that half of requests weren’t finished within the mandatory time limit. Those figures are for consumer DSARs, which aren’t as complex as employee DSARs.

New laws taking effect, updated regulations, and a growing awareness of employee rights are all making DSARs more common, and knowing how to respond and what to include can feel like a moving target. Creating an employee privacy policy is one part of an overall approach to employee privacy.

Once your policy is in place, the real challenge lies in operationalizing it. DSAR solutions, such as Osano Subject Rights Management, can help keep your company compliant. Osano’s software manages the DSAR workflow, automatically searches data stores for employee data, and automates tedious DSAR actions like data summaries and deletion.

If employee DSARs and privacy rights are a concern at your organization, check out our DSARs 101: Getting started webinar or schedule a demo of Osano today.