March 13, 2008

Workplace Privacy

This was a section that only a lawyer could love. This lesson focused on the privacy concerns that are encountered by human resource management and the legal framework surrounding employee screening, hiring, evaluation, and testing. While I know next to nothing about this area of law, I did pick up some valuable knowledge, such as what type of questions employers can and cannot ask.

The lesson starts by drawing a distinction between the US approach to employee privacy protection and that of the European Union. Guess which one is more business friendly? It doesn’t take much to figure out that employee expectations of privacy in the United States are very limited. There have been several cases that have ruled in favor of employers and severely limited the privacy expectations of their employees. These have ranged from allowing employers to listen in on a phone conversation to giving employers access to employees’ web-based email accounts.

A large section of the lecture related to questions that can and cannot be asked during the interview process. Some of the questions were the epitome of lawyer sophistry. For example, you cannot ask an applicant whether or not they are a US citizen, but you can ask them whether they are prevented from being lawfully employed in the US because of visa or immigration status. You may not ask questions about past addiction to drugs (legal or illegal) or alcoholism. However, you can ask questions about past drug use or alcoholism as long as they are not likely to elicit information about a past addiction to drugs or alcohol.

Now, one of the reasons for this legal dance that is played by human resources is that it is a response to legislation that protects employee rights, such as the Civil Rights Act of 1964 and the Americans with Disabilities Act of 1990. Companies have to try to balance their desire to know as much as possible about an applicant in the pre-hiring phase without breaking the law. I am personally glad that such legislation is in place but sometimes I wonder whether it really does anything to protect the rights of employees.

The part of the lesson that I found most relevant related to disclosure laws. Since this is something that I know a little bit more about, I was more interested in this part of the lesson. HR has a large responsibility in the safekeeping of employee personal records. If a data breach compromises employees’ PII, the HR department will be involved in notifying them of the breach. Most states do not require a company to notify employees that are not residents of the state where the breach occurred. The lesson was correct in pointing out that business best practices would include notification of out-of-state employees. Even though an employee would not receive damages for a data breach unless specific harm arose (e.g., identity theft), a business should have a policy beyond the legal threshold of liability.

Overall, this was probably the one lesson that interested me the least but it was relevant to many privacy issues that arise in corporate environments. Most of the information was targeted for HR specialists. I am just not sure how much of the information I will be able to retain beyond the test day unless I was involved in this profession.

About the Author Guest Blogger
