One of the most concerning challenges faced by human resource professionals today is balancing confidential employee data with the ever-growing requirements subject to Office of Federal Contract Compliance Programs (OFCCP) enforcement. This struggle grew more cloudy with the enactment of the additional obligations of companies to solicit disability information from individuals applying for jobs, additional data required by the revised scheduling letter, and the OFCCP’s determination to obtain detailed pay information. As human resource professionals transition to systems where they request very personal information an uncomfortable amount of times from prospective and current employees, it is important to understand what the obligations are in not only soliciting this information, but in safeguarding it as well. It is important to be familiar with the rules so that as a human resource professional, you understand the nuances of compliance and when that seems to conflict with keeping data confidential.
As a practitioner in a field where confidential data changes hands frequently, it is important to understand what the obligations are to safeguard your company’s data and where the responsibility ends. When the data is in one’s office, the line is clearer; but when required to release the data or obtaining assistance to prepare materials, the waters become much more murky. There is little one can do when releasing data to the OFCCP. Due to human error, there have been breaches of protocols within the federal government and personal data has been compromised. However, for the amount of data to which the government has access, breaches do not happen often. This is because it does, in fact, have protocols in place, encryption methods and frequent training of its personnel. This is important and must be in place at every company that might have access to your company’s sensitive data.
For those of you that have a discomfort with soliciting and releasing self-identification information, particularly medical information, whether it is disability information, accommodation needs or disabled veteran status, as required by OFCCP, particularly from applicants, it is justified. Language in the Americans with Disabilities Act (ADA) of 1990 states that solicitation of this information is generally not permitted. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally states that medical information may not be shared. These are both generalizations from lengthy and complex laws, but together they have taught human resources professionals to not inquire about medical and other confidential information, and when you do, to hold such confidential information extremely closely. Conversely, OFCCP regulations require that human resources professionals ask potential employees several times about their disability status before determining whether to give them a job, and then turning that information into an annual report (an AAP) and releasing it to the government. It appears to go against everything else you have been taught about soliciting medical information and confidentiality.
It is extremely important to understand that the regulation requirement from the OFCCP is an exception to how medical information has typically been treated within our employment system and it is a very narrow exception. In order for the OFCCP to determine whether individuals with disabilities and disabled veterans are being treated fairly as applicants and in the workplace, it needs data on which to base its analyses. Thus, the OFCCP requirement to solicit self-identification information was expanded to the application phase, and the exception to asking about one’s medical status is permitted for affirmative action and equal employment purposes only. There is really no other way to determine whether there is disparate impact (i.e. unintentional discrimination) against individuals with disabilities and disabled veterans without collecting the self-identification data. It is a very narrow exception and it is extremely important to follow the requirement precisely. Written within the law itself is a provision noting that there has been no change to a human resource professional’s duty to maintain the confidentiality of this very personal information. In other words, it remains the human resource professional’s obligation to maintain the confidentiality of any medical data.
The regulations at § 60-741 reiterate the importance of keeping medical records confidential in at least three separate sections.
§ 60-741.42 Invitation to self-identify. (e) The contractor shall keep all information on self-identification confidential, and shall maintain it in a data analysis file (rather than in the medical files of individual employees). See§ 60-741.23(d). The contractor shall provide self-identification information to OFCCP upon request. Self-identification information may be used only in accordance with this part.
12. Confidentiality. The contractor's reasonable accommodation procedures should indicate that all requests for reasonable accommodation, related documentation (such as request confirmation receipts, requests for additional information, and decisions regarding accommodation requests), and any medical or disability-related information provided to the contractor will be treated as confidential medical records…
Just as using an employment service does not relieve your company from its recordkeeping obligations, using a third-party service does not automatically protect your company from privacy violations, so it is prudent to properly vet any service, contractor or temporary help your company uses that accesses your company’s confidential data. As you would with hiring an employee, it is a good idea to interview any individual or company you might use to ensure that their practices are consistent with your company’s practices. With a few simple questions, it is easy to determine how the employees are trained in human resources confidentiality obligations and better protect yourself and your company from potential liability when releasing confidential information.
Some important factors might be, what type of training in confidentiality or human resources management has the staff had? Are the computers provided by the company or are personal computers used? Are they running background checks on employees, contractors or those that have access? Has anyone that can access the data been convicted of a relevant felony? Convictions such as fraud or violent crimes may certainly be relevant when considering to whom you should release sensitive employee data. Is company data transmitted over personal (and inherently unsecure) email? Who exactly at the company will be accessing your data? If there are protocols in place, it is far less likely that there will be a breach of your data and this very sensitive and personal information will not be compromised.
It is important to note that there is a legal difference between “privilege,” such as attorney client privilege, and “confidentiality.” Privilege is held by the client. A lawyer could face ethical charges and potentially lose his or her license to practice law if he or she were to release data provided by a client, whether the data was confidential in nature or not. Privilege exists to encourage clients to speak freely with their attorneys. It has nothing to do with the nature of the data or information. Except in very limited circumstances, an attorney cannot be compelled to release privileged information, even by a court of law.
“Confidential” does not have this same legal protection. There may be an obligation to keep records confidential based on the nature of a position, such as private employee records that are accessible by a human resource professional. This may further be protected by internal company policies. In other situations, the word “confidential” has no legal meaning and is merely an unenforceable statement. Consider the example of a human resource professional who uses an outside source to assist with determining pay raises without proper vetting. The person states that he or she is an expert and will keep the data confidential or will return a confidential report as he or she does “for every client.” These promises of confidentiality are likely not legally enforceable and the professional may have released sensitive information in violation of privacy laws and confidential requirements. There is a very good chance that nothing may happen, but there have been cases where such releases have led to identity theft and other such problems for employees.
Data that is confidential, i.e., not privileged, can be compelled to be released, such as in an OFCCP audit, simply by a data request or on site. The obligation to keep data confidential does not travel with the information when it is not protected by privilege. It is the obligation of the holder, i.e. the human resource professional, to keep the confidence. If the information is released to a third party, the official has lost control over the records unless there is also an obligation over the holder of the record, such as an OFCCP compliance officer. For example, in the Pay Transparency amendment to Executive Order 11246, a human resource professional could be in violation of the regulations and company policy if he or she releases pay information, whether intentionally, accidentally or unwittingly, but can do little to stop the individual or third party to whom it was released from discussing it openly with anyone, including other employees, competitors, family members or anyone he or she feels like. Additional measures must be taken to ensure that confidential records remain so, if released outside your company.
In a perfect world, we have time to tackle compliance obligations, ensure confidentiality obligations are met and deal with all other responsibilities. As we all know, however, that audit letter comes at the worst possible time and there are typically other things to do, and perhaps there is not enough time to prepare as one would have hoped. However, being on the defensive end of a complaint of this nature is relatively easy to avoid so long as the rules are understood ahead of time. It is likely that your instincts are correct in protecting the sensitive data that you are required to collect, just make sure that you are not inadvertently releasing it inappropriately in an effort to comply with OFCCP regulations. Only unlock that box when you are sure that you know the data is being adequately protected.
This article is intended for information only. It is not legal advice and should not be relied upon as such. For more information, please contact Lisa Kaiser at Lisa.Kaiser@Kaiser-Law-Group.com