Employees and customers have a legal right to expect that a business will hold certain information in confidence. This expectation extends to internal and external third-party information requests. For this reason, policies and procedures that identify who may authorize the sharing of confidential information, what information a business can share and who may receive confidential information are critical protections for businesses of all sizes.
A release-of-information policy should define the types of employee information to which the policy refers. For most businesses, this includes unique identification information such as a Social Security or employee ID number, as well as payroll information, training records and protected health information, including information about an employee's past or present health or medical conditions, health-care treatments or insurance claims. Information-sharing procedures can include a copy of a company-approved consent-to-share form and should outline the authorization process and identify acceptable data transfer methods.
Privacy Position Statement
A privacy statement should clearly describe the business’s position and intent to protect the privacy of every employee. Many outline the internal controls in place to prevent releasing confidential information inside the business. For example, a policy might state that employment information is available only to authorized internal users on a need-to-know basis. It should also state that employee information stored in an electronic database or a manual filing system will be retained in a secure manner.
Release of Information Requests
For most businesses, third-party information requests typically come from government and law enforcement agencies, financial institutions, credit bureaus and potential employers. Specific procedures for handling information differ according to the requester. For example, procedures might state that HR personnel should immediately honor a request for an employee's salary or dates of employment from a government agency but that nongovernmental requests for information must be in writing and will require a written authorization from the employee before the information is released.
Most policies and procedures address an employee’s right to review his personnel file, as the laws in most states allow an employee to view some or all of this information. However, policies and procedures must comply with state laws on whether a request can be oral or must be in writing, the time frame for providing this information and whether an employee can see everything or whether a business can withhold sensitive information such as third-party references, confidential management documents and information on an ongoing internal investigation.