When Personnel Gets Personal

The Annoyance:

My personnel file is a Pandora’s Box of personal information about me—background checks, drug tests, and psychological profiles—that I’d rather not share with the world. How do I know my employer isn’t sharing this information with the world—or that it will stay private after I leave the company?

The Fix:

You don’t. In fact, there are no legal limits on what a private firm can do with the information in your file, says HR Privacy Solutions’ Don Harris. In most cases you don’t have a legal right to see your file, let alone dispute inaccuracies inside it.

“For the most part, employers can pretty much do what they want with employees’ information, says Harris. “For example, it’s perfectly legal for an employer to sell its entire database of employees to a commercial party that wants to market products and services to them. I don’t know of any employer who would do such a thing, but there’s no law against it.”

Harris adds that common sense and a desire to not alienate employees keeps most companies in check. If your employer doesn’t already have a written privacy policy, ask it to create one that spells out what the company does with your personnel records while you’re employed and after you leave the company. The policy should also detail how your employer protects the security of its files—not only from unethical bosses, but also against hackers, internal spies, or simple carelessness. (See "Beware Employee ID Theft.”) If your company doesn’t have a security plan, your questions may spur it to create one.

You should also check your personnel file every six months or so, to make sure there’s nothing inaccurate in there, advises Tena Fiery of the PRC. Public sector employees are allowed access to their files by law; approximately 20 states have rules allowing private employees to see all or part of their HR files. In California, for example, employees have the right to see any documents in their files they’ve signed, but some states aren’t even that generous. As far as I can determine there is no central clearinghouse for state laws on the topic, so you’ll need to check with the appropriate hide-bound bureaucracy in your area.

Avoid Bad PR from HR

The Annoyance:

I just left a job under trying circumstances. Can negative reports in my HR file follow me around to my next job?

The Fix:

Yes, they could. However, employers tend to be fairly gun-shy about sharing too much information because they can be sued if a negative report causes someone to lose out on a job, says HR Privacy Solutions' Don Harris.

“A lot of employers have gotten burned in court, so they tend to give just name, rank and serial number—essentially dates of employment—and not give away sensitive information,” says Harris. “If the employer shares negative information about you, you can sue them under a privacy tort such as libel or defamation. But the burden of proof is on you, as well as the expense and the bad publicity.”

Harris says this is what leads many executives to resign instead of being fired. The advice here: If you fear a negative recommendation, strike a deal with your (soon-to-be-ex) boss. Agree to go quietly, as long as your employer agrees to not say bad things about you after you’re gone.

Beware Employee ID Theft

The Annoyance:

The admin who works in HR hates my guts. How do I know she’s not sabotaging my employment records?

The Fix:

You don’t. She very well may be doing nasty things to your records, including stealing your identity.

Professor Judith Collins of Michigan State’s Identity Theft Crime Lab investigated more than 1000 cases of ID theft, and found that up to 70 percent could be traced to employees or people posing as employees. A 2002 study by credit reporting giant TransUnion cited stolen employee records as the number one source of identity crimes.

Whether you’ll find out if your personal information has been compromised depends on where you live. As of 2002, California law requires companies doing business in California to notify employees when the security of their personal information has been breached. So if you live or work in the Golden State, your boss must tell you when its HR records have been exposed or pilfered—assuming it knows about the deed and that telling you won’t impede a criminal investigation. (For more information on California’s privacy protections, see

This is another situation where you may have to nag your employer to follow smart security precautions to protect your personal data. HR Privacy’s Don Harris suggests every business take a few simple steps:

  • Only allow authorized personnel to access HR records.

  • Password-protect and encrypt sensitive computer files.

  • Require hefty background checks for those with access to such records.

  • Discourage the use of temporary employees in HR.

  • Avoid using Social Security numbers on ID badges, timesheets, payment stubs, or any other document that circulates in public.

  • Shred sensitive materials once they’re no longer needed.

On a personal level, your best defense is to keep a close eye on your credit reports, so you can suss out if your ID has been swiped. (For more on how to do this, see Chapter 2, "Check Your Reports.”)

Get Computer Privacy Annoyances now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.