Connecticut and Michigan Require Employer-Employee Privacy Policy
Over the last year, employer-employee "global" privacy policies have become more commonplace, in part due to recent legislation in Connecticut and Michigan. Until this recent legislation, there were few situations within the United States in which an employee had an independent right to access, inspect, or challenge information collected or held by the employer (unlike his or her counterpart within the European Union). Within the European Union, employers have been bound by EU Directive 95/46/EC, entitled the "European Data Protection Directive". This directive applies to employment or employee data collected by an employer within the European Union or the European Economic Area, regardless of where it is processed or stored. When creating an employer-employee privacy policy, employers should carefully consider the implications of implementing an overly broad policy. Data security breaches, e-Discovery obligations, and the ability to investigate criminal or other non-productive activity may all be hindered by an unnecessarily broad workplace privacy policy.
Connecticut
The new Connecticut law, 2008 Conn. Pub. Act No. 08-167 (available at http://www.cga.ct.gov/2008/ACT/PA/2008PA-00167-R00HB-05658-PA.htm), entitled An Act Concerning the Confidentiality of Social Security Numbers (which became effective October 1st, 2008), requires that: "Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed."
Under the Statute, "publicly displayed" includes, but is not limited to, posting on an Internet web page. The Statute applies broadly to any person who collects personal information of another individual (including employees) during the course of business. Personal information includes SSNs, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, and a health insurance identification number. A person who collects personal information must safeguard the data, computer files, and documents containing the information from misuse by third parties, and shall destroy, erase, or make unreadable such data, computer files, and documents prior to disposal.
However, subsection (c) of the Statute excludes from the definition of personal information any publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Under 2008 Conn. Pub. Act No. 08-167, employers (and other individuals who collect this information during the course of business) must create and publish or publicly display a privacy protection policy. The policy must address how the organization:
- Protects the confidentiality of personal information (including SSNs);
- Prevents the unlawful disclosure of personal information; and
- Limits access to personal information.
The new law requires that the policy be published or "publicly displayed", which includes posting on an Internet web page; this requirement will likely be satisfied by following an employer's existing policy.
The Act requires businesses (and thus employers) who hold personal information about a person (including their employees) to safeguard the data, computer files, and documents so that the information is not misused. Employers (businesses) must also destroy, erase, or make unreadable any document, computer file, or data before disposing of it.
The Department of Consumer Protection (and, in some instances, other departments with limited jurisdiction) has the power to enforce the statute. Only intentional violations can result in a civil penalty, of $500 per violation, with a $500,000 cap on a single event. There is no private right of action; if an employer violates the statute, the employer cannot be sued by the individual whose information has been released. This Statute, however, does not preclude other claims that may exist.
Michigan
The Connecticut law follows an older Michigan law entitled the Social Security Number Privacy Act, Public Act 454 of 2004 (MCL 445.81, et seq.) (available at http://www.legislature.mi.gov/(S(3y5t0345lavsqlvfzg1ph4in))/printDocument.aspx?objName=mcl-act-454-of-2004&version=txt), which took effect in March 2005. This Act prohibits many uses of an employee's Social Security number and requires that policies be adopted to ensure that all uses are lawful and confidential.
The Michigan Act (among other things) specifically requires businesses that obtain SSNs in the ordinary course of business to create a privacy policy that:
- Ensures the SSN's confidentiality;
- Prohibits the unlawful disclosure of the SSN;
- Limits who has access to the SSN;
- Describes how to properly dispose of SSNs; and
- Establishes penalties for violations of the privacy policy.
This privacy policy must be published in an employee handbook, procedure manual, or another similar document.
Similar to the Connecticut Act, the Michigan Act also prohibits businesses from publicly displaying all (or more than four sequential digits) of an SSN, or from requiring an individual to use or transmit all (or more than four sequential digits) of his or her SSN to gain access to an Internet website or network, unless the connection is secure (encrypted).