4 Tips to Ensure Sensitive Employment Documents Stay Private


  • Every company has sensitive employment documents, whether they are employee records, salaries, medical records or disciplinary records

  • To ensure the information is kept private, use individual logins and train your employees on what is and isn't appropriate for them to share

  • If an employee needs a medical leave of absence or an accommodation, only those people who have to know need to know

Posted by April 16, 2018

Every company has sensitive employment documents, whether they are employee records, salaries, medical records or disciplinary records. Of course, it’s critical that all of this information is kept private. Here are some steps to take to help keep your employment documents away from prying eyes.

1. Use Individual Logins and Equipment

Employees who need access to sensitive employee information as part of their job should have an individual login to the computer system. There should not be a department password. Additionally, employees should be forbidden from sharing their passwords, and those who do should be disciplined.

By keeping passwords confidential and unique to the individual employee, you can limit what each person can see. If Jane needs to see salary and time card information because she runs payroll, she doesn’t need to see disciplinary records. Having the information segmented (and password-protected) prevents accidental exposure or someone taking a quick peek out of curiosity.

Employees who work with confidential information should also have their own printers, or secure printers that don’t print until you insert a code. If the employee hits “print” and doesn’t get to the printer right away, you want to make sure the confidential document doesn’t sit in the tray where it’s available to others.

2. Follow the Law

While there is no law that requires the privacy of things like employee salaries (you could, technically, post them on a billboard if you’d like), there are laws governing medical records. If your business is subject to HIPAA, make sure you are in compliance. Businesses that are not involved in health care generally aren’t subject to medical privacy laws under HIPAA, but there are situations where you may be—for instance, if you’re self-insured.

3. Share Information on a Need-to-Know Basis

If an employee needs a medical leave of absence or requires an accommodation under the Americans with Disabilities Act (ADA), only those people who have to know need to know. A direct manager, of course, needs to know that Jane will be out of the office for six weeks and that her absence is approved under the Family Medical Leave Act (FMLA). Jane’s co-workers will need to be told that she will be out for “medical reasons,” but there is no reason to give out additional information. As long as Jane’s doctor has filled out the relevant paperwork and it’s on file with HR, the discussion is finished. If Jane wishes to tell people about her health issues, she’s welcome to do so.

For reasonable accommodations under the ADA, it still needs to be on a need-to-know basis. When John needs the closest parking spot because he’s on crutches, the reasoning is obvious. However, when Steve needs to leave early every Tuesday for a therapist appointment to help treat his mental illness, it’s not quite so obvious. Again, Steve gets to share the information if he so chooses. Otherwise, the correct response is, “Steve has management approval for this schedule.”

You may get push-back from employees, but it’s critical that you keep this information confidential.

4. Provide Regular Training

Many managers don’t receive any training on how to be a manager. They only know what they have seen. If they had great managers, this is fine, but otherwise, they may carry inappropriate ideas into their current managerial roles.

Make sure you provide regular training to managers around what is and isn’t appropriate for them to share. For instance, consider the following:

  • Information goes up, not down. If a manager is having a problem with a direct report, she can go to her boss but not to another direct report.
  • Company policy needs to be spelled out. If your policy is to keep salary information confidential, managers need to be careful to not overshare. But remember, you can’t ban employees from sharing their own salaries.
  • Importance of confidentiality. Sometimes people come to their manager with personal problems. For instance, an employee may come and say, “I’m sorry my work is suffering. I’m having marital problems and it’s affecting my work.” Even if the employee doesn’t ask for confidentiality, a manager should not share this information with those who don’t need to know. It may be necessary to bring in HR or a senior manager to help create a plan, but details should not be shared with the employee’s peers.

Providing clear and regular training will help keep your workplace in compliance legally and morally. Remember, gossip can be destructive—and sharing confidential information is considered gossip.
