Over the course of a year, employers collect and store a vast amount of private, personal information. This may include dates of birth, driver’s license and social security numbers for employees and their dependents, private medical information, bank account numbers, and even biometric identifiers such as fingerprints or retina scans. Employers are then required to be custodians of this data, maintaining confidentiality while still using it for its intended purpose. Just what are the requirements for Texas employers with regards to employee data privacy?
Protecting Personal Information
Various statutes in the Texas Business and Commerce Code protect employees’ personally identifiable information, regulate how employers must use and dispose of this information when it is no longer needed, and specify how employers must notify employees or former employees of a breach that may affect the security of their data. There are additional statutes that criminalize the misuse or theft of this information, restrict employers from using social security numbers for administrative purposes, and address the legal remedies the Texas Attorney General may use to pursue those in violation of any of these statutes. Penalties for violations include fines, restraining orders, injunctions, recovery of attorney’s fees and court costs.
The information protected by these statutes includes the following:
- Social security number or other government issued ID number
- Date of birth
- Biometric identifiers (fingerprints, retina or iris scans, voice prints)
- Mother’s maiden name
- Financial account numbers
Certain federal laws require employers to protect the confidentiality of health-related information. The relevant laws here include:
- Americans with Disabilities Act (ADA)
- Family and Medical Leave Act (FMLA)
- Genetic Information Nondiscrimination Act (GINA)
- Health Insurance Portability and Accountability Act (HIPAA)
Information protected by these laws includes:
- ADA related paperwork concerning accommodations
- Doctor’s notes
- Drug Test Results
- FMLA documentation
- Insurance/benefit enrollment forms and claim forms
- Workers’ compensation records
Additional Information to Safeguard
While there may not be laws requiring the protection of these types of data listed below, it should be kept confidential nonetheless.
- Hiring/Screening records (resumes, applications, references, background checks, I-9s)
- Onboarding Documents (offer letter, contracts, policy acknowledgements)
- Compensation & Benefits Data
- Payroll Records
- Attendance Records
- Performance Data (reviews, promotions, transfers, disciplinary records)
- Investigation-Related Records (complaints, rule violations, misconduct, safety issues)
- Termination Documents (resignation letter, severance agreement, unemployment claims)
Record Retention Requirements
EEOC rules require that payroll records be kept for three years. I-9 forms should be kept for three years after an employee’s hire or one year after termination, whichever is later. Records should be securely destroyed to prevent them from being recovered.
Employee data privacy should not be an afterthought. It is best to create documented procedures for collecting, storing, and securely destroying confidential employee information when it is no longer needed. If you have questions about employee data privacy in the workplace or would like assistance designing legally compliant employee data privacy procedures, give the friendly employment law attorneys at Simon | Paschal PLLC a call at (972) 893-9340.