Personnel Records

Federal Agencies Federal Laws CA Agencies CA Laws HR Forms Minimum Wages
HR Quick Reference HR Audit Talent Acquisition HR Central Home

Personnel Records

Personnel Records: You can gather a variety of information about applicants for employment. After employed, additional information accumulates about the employee’s performance, health, family and other personal issues. Growing concern over the possession of this data has contributed to states and the federal government developing laws governing the privacy of employer records.

Keeping Personnel Records Private: Improperly releasing personnel information can result in liability. The right to privacy guaranteed by the California Constitution protects employee personnel files from improper disclosure to third parties. An employee can waive the privacy of his/her own personnel records by authorizing the release of personnel information to a third party, such as his/her union. When a former employee sues you for wrongful discharge, failure to promote, a disciplinary action or other employment decision, the court generally holds that the employee has placed his/her employment history at issue, thereby waiving the right to privacy for his/her personnel records for purposes of the lawsuit. You have a number of potential liabilities for improperly releasing personnel information. For example, you cannot make misrepresentations about a former employee to prevent or attempt to prevent him/her from obtaining employment. You can make a truthful statement about the reason for a former employee’s discharge or voluntary termination. However, exercise caution. If your statement is not in response to a request or is accompanied by marks or symbols that convey information contrary to the statement, that action is considered misrepresentation. Even when your response to a prospective employee’s appropriate request is truthful and accurate, liability can arise if that response is adverse and in reprisal for the employee’s exercise of the right to file a claim under employment laws. You can also be liable for inaccurate or misleading information about an employee on the basis of defamation or interference with prospective economic advantage. Defamation is an unlawful invasion of an individual’s interest in maintaining a favorable reputation. It encompasses communications that have a tendency to injure a person in his/her occupation. Unlawful interference with prospective economic advantage can occur when a prospective employer decides not to hire an employee based on false statements or inappropriate facts disclosed by a former employer.

Electronic Health Records: Electronic health records must be protected. If you keep electronic medical information, you must comply with these new requirements:

Protect and preserve the integrity of electronic medical information.
Automatically record and preserve any change or deletion of any electronically stored medical information. The record of any change or deletion must include the identity of the person who accessed or changed the medical information, the date and time the medical information was accessed and the change that was made to the medical information.

Genetic Information Nondiscrimination Act (GINA): GINA prohibits the use of genetic information, including family history, to make decisions about health insurance and employment, and restricts the acquisition and disclosure of genetic information. Title II of GINA represents the first legislative expansion of the EEOC’s jurisdiction since the Americans with Disabilities Act of 1990. Congress enacted GINA in response to concerns that individuals would decline to take advantage of the increasing availability of genetic testing out of concern that they could lose their jobs or health insurance if tests revealed adverse information. GINA covers private employers with 15 or more employees. GINA generally prohibits employers from requesting, requiring or purchasing an applicant’s or employees genetic information, even if the employer never uses that information. Title II of GINA prohibits employment discrimination based on genetic information and restricts the acquisition and disclosure of genetic information. The U.S. Equal Employment Opportunity Commission issued final regulations implementing the employment provisions (Title II) of the Genetic Information Nondiscrimination Act of 2008. According to the EEOC, “genetic information” includes:

Information on an individual’s genetic tests
Information on the genetic tests of a family member
Family medical history
Requests for and receipt of genetic services by an individual or a family member
Genetic information on a fetus carried by an individual or family member
Genetic information on an embryo legally held by the individual or family member using assisted reproductive technology

The EEOC published detailed information on GINA and its final regulations, including one question and answer document aimed at helping small businesses comply with the law. You will also find information on the interaction between GINA and employee wellness programs. For more information, visit the EEOC website.

California Protections for Genetic Information: California enacted legislation that clarifies the extent of the protection of genetic information in California. The legislation amends the Fair Employment and Housing Act to state that employers are prohibited from discriminating against employees on the basis of genetic information. The legislation further amends the Unruh Civil Rights Act, which generally prohibits business establishments from discriminating on specified bases to include genetic information as one of the protected basis. The legislation also expands the bases upon which a health facility may not discriminate in the provision of emergency services.
The anti-discrimination provisions of FEHA apply to employers who employ five or more persons, compared with the federal scope that is limited to employers with 15 or more employees.Under the state law, genetic information means information about any of the following:

The individual’s genetic tests
The genetic tests of family members of the individual
The manifestation of a disease or disorder in family members of the individual.
Genetic information includes: any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by an individual or any family member of the individual.

Genetic information does not include information about the sex or age of any individual.

Keeping Social Security Numbers Private: California law on the use and publication of SSNs prohibits:

Posting or publicly displaying an individual’s SSN in any manner. “Publicly posting” or “publicly displaying” means to intentionally communicate or otherwise make available to the general public
Printing an individual’s SSN on any card required for the individual to access products or services. This can include your employee identification cards and badges
Requiring an individual to transmit his/her SSN over the Internet, unless the connection is secure or the SSN is encrypted
Requiring an individual to use his/her SSN to access a website, unless a password or unique PIN or other authentication device is also required to access the website. This restriction may require a change in systems used to access or transmit personnel, business, human resources or payroll information over the Internet or intranet
Printing an individual’s SSN on any materials mailed to the individual, unless state or federal law requires the SSN to be on the document. Applications and forms sent by mail can include SSNs
Printing a SSN on a postcard or other mailer not requiring an envelope or visible on the envelope or without the envelope being opened if the SSN can be mailed in an otherwise permissible manner
Encoding or embedding an SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip or other technology, in place of removing the SSN, as required by law.

All employers must print no more than the last four digits of an employee’s SSN on check stubs or similar documents or substitute some other identifying number. If you have used an individual’s SSN in any of these ways prior to July 1, 2002, you can continue using that individual’s SSN in that manner, if you meet the following conditions:

You use the SSN continuously. If you stop using the SSN for any reason, you cannot resume its use
You provide the individual with an annual disclosure, beginning immediately, that he/she has the right to make a written request to stop the use of his/her SSN in a prohibited manner. You must perform all of the following actions:
Implement the request within 30 days of receipt
Do not charge a fee for implementing the request
Do not deny services to an individual because the individual makes a request

The law does not prevent the collection, use or release of an SSN as required by state or federal law or the use of an SSN for internal verification or administrative purposes. If you maintain computer personnel files or customer files that include names and SSNs, driver’s license numbers or account numbers and security codes that permit access to financial information, you must maintain the security of those data files. If a breach of security results in unauthorized acquisition of unencrypted data, you must give timely notification of the breach to any affected California resident. You must give this notice as quickly as possible, delayed only by the reasonable time necessary to discover the scope of the breach and to allow steps to restore the integrity of the data, consistent with the needs of law enforcement to investigate the breach.You must give notice in written form or by electronic means that complies with the law. In cases requiring notice to more than 50,000 people or where the expense of actual notice exceeds $250,000, you can use other authorized means of giving notice, including the use of email, website postings and statewide media. You can maintain your own notification procedures as part of an overall information security policy, if it meets the timeliness requirements of the law. You must comply with your policies. To ensure a uniform, statewide approach to this issue, this state law supersedes all local laws, rules and regulations.

Keeping Employee Information Private: You can gather a variety of information about applicants for employment. Once employed, additional information accumulates about the employee’s performance, health, family and other personal issues. Growing concern over the possession of this data has contributed to development of laws governing the privacy of employer records. For privacy reasons, files related to employee financial matters, such as wage assignments, garnishments, credit inquiries and so forth, must be kept in a confidential file separate from an employee’s personnel file. Access to this confidential file should be granted only to those people in your organization who have a legitimate need to know the information.

Keeping Medical Information Private: California law mandates that you establish appropriate procedures to keep all employee medical records and information confidential and protect them from unauthorized use and disclosure. Failing to establish these procedures is a misdemeanor and allows an employee to collect monetary damages, attorneys' fees and the costs of litigation. Under state statutes, you cannot use or disclose medical information pertaining to your employees without a written authorization from the affected employee. This prohibition includes knowingly permitting an employee to use or disclose another employee’s medical information. Discussing an employee’s private medical information with other employees who do not have a need to know the information can also lead to claims of invasion of privacy. For instance, in one case a California court of appeal clarified that an employee may bring a lawsuit against an employer who publicized a private medical condition by discussing it with employees who did not need to know the information. The employee, Melissa Ignat, worked for Yum! Brands (Yum), the corporate parent of various fast food franchises, from 2005-2008. During that time, Ignat suffered from bipolar disorder. She took medication to control the disorder, but the side effects of that medication occasionally caused her to miss work. In 2008, Ignat went on a disability leave. While on leave, Ignat’s supervisor told everyone in the department that Ignat was bipolar. Ignat claimed she was subsequently avoided by and shunned by her co-workers. One co-worker allegedly asked the supervisor if Ignat was likely to "go postal." Yum terminated Ignat in September 2008. Ignat filed suit against Yum and her supervisor, alleging, among other things, invasion of privacy by public disclosure of private facts.The court allowed Ignat to proceed with her lawsuit, holding that private facts can be just as widely disclosed verbally as they can be through writings, if not more so.This case highlights the need to limit the disclosure of sensitive medical information. However, medical information can be disclosed in limited circumstances:

When compelled by a court of law or by a lawsuit filed by an employee
When used for administering and maintaining employee benefit plans
In relation to a workers’ compensation claim or request for medical leave
You are not liable for any unauthorized use of the medical information by the person or entity to which you disclosed the information if you have attempted, in good faith, to comply with these medical privacy laws.
You cannot discriminate against an employee who refuses to sign an authorization releasing medical records. However, the law does not prohibit you from taking necessary action in the absence of medical information due to the employee’s refusal to sign a medical release authorization.

For example, if you are unable to ascertain an employee’s physical ability to perform a job function due to the employee’s refusal to sign an authorization, including a test to evaluate alcohol or drug usage based on reasonable suspicion, you have the right to discipline an employee based on the information available. Authorization for an employer to disclose medical information is valid if it meets all of the following criteria:

Handwritten by the employee/patient who signs it or is in typeface no smaller than 14-point type
Clearly separate from any other language on the same page
Signed only to authorize release of medical information and for no other purpose
Signed and dated by the employee/patient or a legal representative if the employee/patient is a minor or the representative of a deceased employee/patient.
An employee who signs an authorization to release medical information is entitled to a copy of the release at his/her request. The release can be canceled or modified at any time, effective upon written notice to you.

Keeping Other Protected Medical Records Private: Records protected under state and federal privacy laws encompass more than a physician’s report or the lab results from a drug test. Medical records can include:

Family and medical leave request forms if an employee voluntarily discloses the nature of his/her illness on this form
Return to work releases
Workers’ compensation records
Information on disabilities being accommodated under the ADA or California’s Fair Employment and Housing Act
Other records that relate in any way to an employee’s medical history

The ADA and FEHA also require that you maintain an applicant’s or employee’s medical history information on separate forms, treated as confidential and kept in separate files from the employee’s general personnel information. You can disclose information only if:

Supervisors need information about necessary restrictions or accommodations for work duties.
First aid personnel might require the information to administer emergency treatment.
Government officials, investigating ADA or FEHA compliance, request the information.