All organizations hold a wide variety of information about employees that most would consider private and personal:

  • Personal information such as Social Security Number, birthdate, marital status, and mailing address
  • Resume, background check, and interview notes from a job application
  • Information on employment, including the employment agreement, salary scale, bonuses, and perks
  • Data about work performance, including performance evaluations, cautions, and disciplinary notes
  • Administrative data, including timesheets, pay stubs, direct deposit forms, and tax forms
  • Data related to job terminations, including the resignation letter of the employee, termination paperwork, and unemployment insurance claims

Much of this sensitive information is protected by a variety of federal, state, and local laws, as well as some common law factors (laws formed by courts). Private companies must adhere to those laws and often face serious penalties if they disclose private information to anyone who has no need to know that information.

And, as a matter of professional courtesy, employees have the reasonable—and often legally protected—expectation that their private information will be kept private.

Laws that Protect Sensitive Information

As a general guideline, an employer should make sure that any information collected during the employment relationship serves an organization’s “need to know,” is collected using the least intrusive method possible, is maintained in a confidential manner to prevent unauthorized access, and is not used “unfairly” by the employer or a third party.

Although numerous federal laws govern aspects of an employee’s privacy that come up during employment, no one federal statute regulates privacy issues for private employers on a broad scale. Following are major federal laws that govern workplace privacy. Some states—most notably California—have passed tighter, more thorough privacy legislation.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers that engage in specific, electronic healthcare transactions, and it establishes national standards to safeguard patient medical records and other individually identifiable health information (collectively referred to as “protected health information”).

The regulation establishes limitations and requirements on the uses and disclosures of protected health information that may be made without a person’s consent. It also mandates proper protections to preserve the privacy of such information. In addition, the regulation grants individuals control over their protected health information, including the ability to inspect and acquire a copy of their medical records, ask a covered entity to send their protected health information stored in an electronic health record to a third party, and more.

Americans with Disabilities Act (ADA)

The Americans with Disabilities Act has stringent guidelines for how information collected after making an offer to a disabled employee should be handled. Medical records and related paperwork must be kept confidential and distinct from other personnel records by employers covered by the ADA. Only first responders, the employee’s manager in cases that require a reasonable accommodation, public officials, and insurance providers that demand a medical exam should have access to these files.

Fair Credit Reporting Act (FCRA)

Consumer reports are another name for background checks on potential employees. These reports may contain details from numerous sources, such as credit reports and criminal histories. Organizations must adhere to the Fair Credit Reporting Act when using consumer reports to make employment decisions, such as hiring, retention, promotion, or reassignment. FCRA usually applies when companies hire a third party, such as a private investigation firm, to run background checks on candidates or employees. Keep in mind that if the investigation firm an organization uses violates FCRA, the organization may be liable as well.

Privacy, Interviews, and Managers

Following the above regulations about sensitive or private information doesn’t mean the organization is in the clear. Many interview questions about citizenship, age, marital status, religion, disabilities, pregnancy, and other subjects are also prohibited under federal, and often state and local, laws.

Subjects that employees bring up on their own can raise privacy issues as well. In general, when an employee comes to a manager and asks to speak in confidence, it is always wise for the manager to tell the employee up front that they cannot promise to keep the conversation confidential. Information that may detrimentally affect the company or that is illegal in nature (such as something discriminatory) must be shared with others to potentially avoid liability or harm to the organization.

In addition, if an employee conveys information about themselves or another employee that suggests that they may be harming themselves or others in any way, such as expressing thoughts of suicide, the manager must share this information with others in HR or management to protect these individuals.

Information That May Be Shared

Some information may be personal, but it isn’t protected by law, such as:

  • Employees’ partial birth dates, such as the day and month, may be disclosed to department heads who choose to honor staff members on certain dates.
  • Department heads may receive employees’ personal phone numbers or email addresses to help with work scheduling or corporate operations.
  • Department heads may be given access to employee identification data used in compensation or budget planning, review procedures, and timekeeping.
  • Information about an employee’s company anniversary or service recognition will be periodically given to the appropriate department heads.

Information That Should Be Securely Filed

Most employee information should be kept in writing and organized into these files:

  • Confidential
  • General Personnel
  • Medical
  • Benefits
  • I-9 file

Here’s what information should be kept in each file:

Confidential
  • Reference/Background check results
  • Drug test results
  • EEO self-identification of gender and race/ethnicity
  • Affirmative action self-identification of race, gender, and veteran status
  • Child support/garnishments
  • Litigation documents
  • Workplace investigation records (although relevant disciplinary action, counseling, or other direct communications belong in the employee’s personnel file)
  • Requests for employment/payroll verification

General Personnel

  • Recruiting and screening documents (e.g., application, resume, transcript)
  • Records relating to job offers, promotions, demotions, transfers, and layoffs
  • Pay and compensation information
  • Education and training records
  • Handbook and policy acknowledgments
  • Employment agreements (e.g., non-compete, confidentiality agreement)
  • Letters of recognition
  • Performance evaluations
  • Job performance data: performance reviews, warnings, disciplinary notes, and workplace investigation records
  • Termination notice and documentation

Medical
  • Medical records (medical questionnaires, benefit claims, doctor’s notes, accommodation requests, medical leave records, workers’ compensation claims)

Benefits
  • Benefit enrollment forms and beneficiary designations

I-9 File

  • Completed I-9 form and supporting documentation

Few people beyond the Human Resources department should have access to confidential employee information. If this kind of employee data becomes public, it could lead to discrimination and a potentially hostile working environment. It could also damage trust between employees and the company.

Federal, state, and local privacy laws change often. The Lindenberger Group can help organizations comply with all applicable laws, update policies when those regulations change, and avoid compliance issues. For more information or to discuss your HR needs, please contact us at 609-730-1049 or send us an email.