Employee privacy laws around the world
Employee privacy laws vary greatly between the United States, Canada, and member states of the European Union. Privacy laws around the world are complex, convoluted and ever-changing, with regular alterations and updates in legislation and case law, but here are some basic principles to keep in mind:
U.S. privacy law is actually a combination of laws and statutes, including federal legislation, state legislation, the U.S. Constitution, and common law.
Most U.S. laws regarding privacy, dating back to the Constitution itself, protect individuals from governmental invasion of privacy. Several acts in the U.S. strengthen these protections, including The Privacy Act of 1974 and the Privacy Protection Act of 1980.
Recently, however, there has been more of a focus on protecting individual privacy in the private sector.
One of the key acts affecting the employer/employee relationship is the Health Insurance Portability and Accountability Act (HIPAA), which provides protection of personal health information. Employers must be careful not to violate HIPAA when gathering, storing, and using medical information, but there are exceptions.
“The HIPAA Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes,” explained Paul Hilton, a human resources consultant based in Sumter, S.C.. “It gives you rights over your health information and sets rules and limits on who can look at and receive your health information.”
Hilton notes that employers in the U.S. should also be aware of the following:
- The Stored Communications Act (SCA), which prevents employers from listening in on employee’s phone calls or accessing unopened emails
- The Fair Credit Reporting Act (FCRA), which requires obtaining an applicant’s consent before using a third party to do background checks
- The Genetic Information Nondiscrimination Act (GINA), which prohibits interview or application questions that lead to a disclosure of a person’s genetic information.
Unlike the U.S., Canada centrally supervises the private sector’s use of personal data. Two main acts govern privacy in Canadian law: The Privacy Act, which regulates the federal government’s use of personal data, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates the private sector.
The Office of the Privacy Commissioner of Canada recommends the following guidelines in order to ensure compliance with the country’s laws:
- Tell employees what personal information you’re collecting, why you’re collecting it, and what you’ll be doing with it
- Obtain an employee’s consent when collecting, using, or disclosing any personal information
- Collect only the information needed for a stated purpose
- Keep information only as long as it is needed
- Make sure that the information you collect is accurate, complete, and up-to-date
- Allow employees to access any personal information, and to challenge or correct any errors
The European Union has tougher privacy laws than either the U.S. or Canada. The European Privacy Directive of 1998 imposes strict limitations on what personal information employers can collect about employees, how they can collect it, and what they can do with it.
In Europe, employers must obtain an employee’s consent before gathering just about any personal information at all, and employee monitoring must be kept to a minimum. In Europe, the safest practices are:
- Limit personal questions, both on applications and in interviews
- Always seek an employee’s consent before gathering data that could be considered personal or private
- Avoid monitoring employees’ emails, phone conversations, or other communications, even when they’re conducted using company computers, phones, or other equipment
For U.S. companies dealing with member state of the European Union, these rules can be particularly difficult, especially since the passage of the European Commission’s Directive on Data Protection in 1998, which prohibits the transfer of personal data from the EU to non-EU countries.
For U.S. companies doing business in Europe, a “Safe Harbor” certification can be obtained that allows for the transfer of data, if they ensure their privacy policies are up to EU standards.
Privacy law is complicated, both in the U.S. and around the world. With some care, however, as well as good legal advice, employers can ensure that they remain within the bounds of the law.
By Vivian Wagner, special to Workplace Tribes. Courtesy of TribeHR
1,095 total views, 1 today