Human Resource professionals believe in privacy. We don't share salaries or performance ratings (unless it’s part of our company policy to do so). When someone comes to complain about a perceived injustice, we conduct our investigations with the utmost care. When we coach a manager on how to handle a difficult employee, we do so behind closed doors so that only those that truly need to know, know. Privacy is a hallmark of good HR.
In an effort to be efficient, though, we've made everything electronic. Yes, this is convenient and makes it possible to review everything from an employee's pay history to their performance reviews with one click or toggle. However, it also means that employee privacy has become a lot harder.
In the old days, we did paper — and lots of it. Violating employee privacy was possible in only a few ways — if we left something at the copier, or accidentally set a file down in the office kitchen, for example. Now? Well, take the case of a poor former co-worker who accidentally sent a detailed rejection email to everyone in the building rather than just to the internal candidate. For hours, people were hitting reply-all saying, "Why am I getting this?" and then those responses started to morph into, "For all this embarrassment, you should just give the guy the job anyway."
The problem with this type of privacy breach is that no policy could stop it. The recruiter made a mistake. Email makes the exchange of information easy, but it also makes quick, inappropriate distribution easy, as well.
Privacy problems aren't limited to HR departments either. It's so easy to share information with the world today. What’s more, this sharing of information is a huge part of our current culture. Often people don't think twice before posting to Twitter. Take for instance the hospital employee who tweeted the name of a celebrity couple's new baby — before the couple had announced it. While most HR privacy issues are covered by custom and ethics alone, releasing patient information falls under federal law.
The reality is, you need policies and procedures in place for all of your company data and employee social media behavior. The National Labor Relations Board isn't making social media policies easy, though. In a recent case, the NLRB held that a social media policy which prohibited blogging or sharing "confidential or proprietary information about the Company, or ... inappropriate discussions about the company, management, and/or co-workers" in social media was invalid because that implies that employees couldn't engage in protected activity, such as discussing wages or working conditions.
See how complicated it can be to comply with the law when we're talking about keeping company information private? Remember to differentiate between company secrets, such as marketing plans and "secrets" like how much money people make and what they think of their bosses. Additionally, don't think that just because the NLRB was originally founded to deal with unions that it doesn't apply to your non-union company. They have jurisdiction over just about everyone — your business included.
The biggest mistake a company can make when it comes to privacy issues in the Internet age is to ignore it until something bad happens. Legal hassles can be a nightmare, but a public relations disaster can be worse. For instance, employees at a car dealership in Westport Massachusetts treated a pizza delivery person horribly, thought it was hilarious, and posted the security camera video on YouTube. The rest of the Internet did not find it funny, however, and came out strongly against the company. I doubt anyone ever thought to prohibit posting security camera footage on the Internet — but the backlash can be severe.
You need a good policy. You need to be extra aware of security controls on your internal data. Otherwise, you can have angry employees, an embarrassed company, or lawyers knocking at your door.