Data Privacy (HR)

The principles, regulations, and practices governing how employers collect, store, process, and share employees' personal information, including sensitive data like Social Security numbers, medical records, salary details, and background check results.

What Is Data Privacy in HR?

Key Takeaways

  • HR data privacy covers the collection, storage, processing, sharing, and deletion of all personal information employers hold about employees, applicants, and former staff.
  • HR departments handle some of the most sensitive data in any organization: Social Security numbers, bank account details, medical records, background check results, disciplinary actions, and salary information.
  • The US has no single federal employee data privacy law. Instead, protections come from a patchwork of federal laws (HIPAA, FCRA, ADA), state laws (CCPA/CPRA, Illinois BIPA, NYDFS), and industry regulations.
  • The EU's General Data Protection Regulation (GDPR) applies to any US employer with EU-based employees, creating extraterritorial compliance obligations with penalties up to 4% of global annual revenue.
  • Data breaches involving employee records cost an average of $1.3 million per incident and take an average of 287 days to identify and contain (IBM, 2023).

HR teams sit on a goldmine of sensitive personal data. From the moment a candidate submits a resume to years after an employee leaves, HR collects, processes, and stores information that can cause serious harm if mishandled: Social Security numbers, bank account numbers for direct deposit, medical information from FMLA requests, drug test results, background check reports, salary history, performance reviews, disciplinary records, and immigration documents.

For most of business history, this data lived in locked filing cabinets. Now it lives in cloud-based HRIS platforms, email systems, shared drives, and spreadsheets scattered across laptops. The attack surface is massive, and the regulatory environment is catching up fast.

The challenge for HR professionals is understanding which data you can collect, how long you can keep it, with whom you can share it, and what happens when it gets exposed. Each question has a different answer depending on the type of data, the employee's location, and which laws apply.

  • 15+: US states that have enacted or are actively pursuing employee data privacy legislation as of 2024 (IAPP)
  • $1.3M: Average cost of a data breach involving employee records in the US (IBM Cost of a Data Breach Report, 2023)
  • 71%: Employees who say they're concerned about how their employer uses their personal data (PwC, 2023)
  • GDPR: EU General Data Protection Regulation, the global standard that influenced US state privacy laws, with fines up to 4% of global revenue

Types of Employee Data HR Collects

Not all employee data carries the same risk. Understanding data sensitivity categories helps HR teams apply the right protections.

Data Category | Examples | Sensitivity Level | Primary Regulations
--- | --- | --- | ---
Personal identifiers | SSN, date of birth, driver's license number, passport number | High | State breach notification laws, FCRA, state privacy laws
Financial data | Bank accounts, salary, tax withholding, garnishment orders | High | State privacy laws, IRS regulations
Medical and health data | FMLA certifications, ADA accommodations, drug test results, health insurance enrollment | High | HIPAA (limited), ADA, GINA, state laws
Biometric data | Fingerprints, facial recognition scans, retina scans, voiceprints | High | Illinois BIPA, TX CUBI, WA HB 1493, state biometric laws
Background check data | Criminal history, credit reports, employment verification, education verification | High | FCRA, state ban-the-box laws, EEOC guidance
Employment records | Performance reviews, disciplinary actions, termination reasons, complaints | Medium | State personnel file access laws, litigation hold requirements
Contact and demographic data | Address, phone number, emergency contacts, race/ethnicity (for EEO reporting) | Medium | Title VII, EEO-1 reporting rules, state laws
Digital activity data | Email content, internet browsing, badge swipe logs, GPS tracking, keystroke logs | Medium-High | ECPA, state monitoring laws, NLRA (union organizing protections)

HR Data Protection Best Practices

Technical and organizational measures that reduce breach risk and demonstrate compliance with privacy obligations.

  • Classify all employee data by sensitivity level and apply access controls accordingly. Not every HR team member needs access to Social Security numbers, salary details, or medical records.
  • Encrypt employee data at rest and in transit. HRIS platforms should use AES-256 encryption, and any employee data transmitted via email should use encrypted attachments or secure portals.
  • Implement role-based access controls (RBAC) in your HRIS. Recruiters see applicant data. Benefits administrators see enrollment data. Payroll sees compensation data. No one sees everything unless absolutely necessary.
  • Create a data retention schedule that specifies how long each type of employee data is kept and when it's destroyed. I-9 forms: 3 years after hire or 1 year after termination. Medical records: duration of employment plus 30 years (OSHA). Tax records: 4 years after filing. General personnel files: 7 years after termination.
  • Train all HR staff on data handling procedures at least annually. Include phishing awareness, secure document disposal, and incident reporting procedures.
  • Conduct Data Protection Impact Assessments before implementing new HR technology systems, especially AI-powered tools that process sensitive employee data.
  • Establish a data breach response plan specific to employee data. Include notification timelines (most state breach notification laws require notification within 30-60 days), contact information for relevant agencies, and template notification letters.
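
One way to put the classification and role-based access items above into code, as an added example (this is not the article's own code and not any HRIS vendor's): a small Python policy that maps each stored field to a category from the classification table, maps each role to the categories it may read, withholds any field nobody has classified, and writes an audit event for every lookup. The role names, field names, the "applicant" category and the sample record are constructed for this example.

```python
"""Field-level RBAC for HR records keyed on data classification.

Added example for this page; not code from the original article or from any
HRIS product. Role names, field names and the sample record are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    MEDIUM = "medium"
    HIGH = "high"


# Data categories and their sensitivity, following the classification table.
# "applicant" is a constructed category for recruiting-stage data.
CATEGORY_SENSITIVITY = {
    "identifiers": Sensitivity.HIGH,
    "financial": Sensitivity.HIGH,
    "medical": Sensitivity.HIGH,
    "employment": Sensitivity.MEDIUM,
    "contact": Sensitivity.MEDIUM,
    "applicant": Sensitivity.MEDIUM,
}

# Category of each stored field. A field missing from this map is unclassified
# and is withheld from everyone (fail closed) until someone classifies it.
FIELD_CATEGORY = {
    "name": "contact",
    "work_email": "contact",
    "ssn": "identifiers",
    "date_of_birth": "identifiers",
    "bank_account": "financial",
    "salary": "financial",
    "fmla_certification": "medical",
    "performance_rating": "employment",
    "application_status": "applicant",
}

# Categories each role may read. No role sees everything; payroll is given
# identifiers because tax reporting needs the SSN (an assumption of this example).
ROLE_CATEGORIES = {
    "recruiter": {"contact", "applicant"},
    "benefits_admin": {"contact", "medical"},
    "payroll": {"contact", "identifiers", "financial"},
    "manager": {"contact", "employment"},
}


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    role: str
    employee_id: str
    returned: tuple
    withheld: tuple
    high_sensitivity_returned: tuple   # what an access review looks at first


AUDIT_LOG: list = []


def view_record(actor: str, role: str, record: dict) -> dict:
    """Return only the fields `role` may read, and log the access."""
    allowed = ROLE_CATEGORIES.get(role, set())   # unknown role -> no categories
    visible, withheld, high_returned = {}, [], []
    for name, value in record.items():
        if name == "employee_id":                # the lookup key is not sensitive here
            visible[name] = value
            continue
        category = FIELD_CATEGORY.get(name)
        if category is None or category not in allowed:
            withheld.append(name)
            continue
        visible[name] = value
        if CATEGORY_SENSITIVITY[category] is Sensitivity.HIGH:
            high_returned.append(name)
    AUDIT_LOG.append(AuditEvent(actor, role, record["employee_id"],
                                tuple(visible), tuple(withheld), tuple(high_returned)))
    return visible


# Constructed sample record; every value is a placeholder, not real data.
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "name": "Jane Doe",
    "work_email": "jane.doe@example.com",
    "ssn": "000-00-0000",
    "date_of_birth": "1990-01-01",
    "bank_account": "000000000",
    "salary": 85000,
    "fmla_certification": "on file",
    "performance_rating": 4,
    "application_status": "hired",
    "badge_photo": "<blob>",   # deliberately unclassified: must never be returned
}

if __name__ == "__main__":
    for role in ("recruiter", "payroll", "contractor"):
        print(role, "->", sorted(view_record("demo", role, SAMPLE_RECORD)))
        print("  withheld:", AUDIT_LOG[-1].withheld)
```

Two design points carry the weight here: an unclassified field is withheld from every role, so adding a column to the HRIS never silently widens exposure, and the audit event records which high-sensitivity fields were actually returned, which is what a periodic access review or a breach scoping exercise needs.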

Employee Data Breach Response

When employee data is compromised, speed and process matter. Most state breach notification laws impose strict timelines.

Breach detection and assessment

The average breach takes 287 days to detect (IBM, 2023). For employee data, common breach vectors include phishing attacks targeting HR email accounts (W-2 scams are particularly common during tax season), unauthorized access to HRIS platforms, lost or stolen devices containing unencrypted employee data, third-party vendor breaches (payroll providers, benefits administrators), and accidental exposure (sending spreadsheets with SSNs to the wrong recipient). Once detected, immediately assess: what data was compromised, how many employees are affected, and whether the breach is ongoing.

Notification requirements

All 50 states, DC, and US territories have data breach notification laws. Requirements vary, but most mandate notification to affected individuals within 30 to 60 days. Some require notification to the state attorney general or consumer protection office. California requires notification 'in the most expedient time possible without unreasonable delay.' If the breach involves more than a threshold number of individuals (500 to 1,000 depending on the state), notification to the state AG is typically mandatory. Breaches affecting EU employees trigger GDPR's 72-hour notification requirement to the supervisory authority.

Third-Party Vendor Data Privacy for HR

HR depends on dozens of third-party vendors: HRIS, payroll providers, background check companies, benefits administrators, and recruiting platforms. Each one holds employee data.

Data processing agreements

Every vendor that processes employee data should have a data processing agreement (DPA) that specifies: what data they can access, how they can use it, their security obligations, breach notification requirements, data return/deletion upon contract termination, and audit rights. Under GDPR, DPAs are legally required for any data processor. Even without GDPR applicability, DPAs are a best practice that creates contractual liability for vendor data handling.

Vendor security assessments

Before selecting any vendor that will handle employee data, evaluate their security posture: SOC 2 Type II certification, encryption standards, access controls, incident response procedures, and insurance coverage. For higher-risk vendors (those handling SSNs, financial data, or medical information), request a security questionnaire and review their most recent penetration test results. Conduct periodic reassessments, especially when renewing contracts.

AI and Employee Data Privacy

AI tools in HR (resume screening, performance prediction, sentiment analysis) create new privacy challenges that existing laws are still catching up to address.

AI-specific concerns

AI systems in HR process large volumes of employee data, often in ways that employees don't expect or understand. Key concerns include: algorithmic bias that disproportionately affects protected groups, opaque decision-making ('black box' algorithms that can't explain their recommendations), data used for training AI models beyond the original collection purpose, employee monitoring through AI-powered productivity tracking, and automated decision-making without human oversight.

Emerging AI regulation for employment

New York City's Local Law 144 (effective 2023) requires bias audits for automated employment decision tools used in hiring and promotion. Illinois' AI Video Interview Act requires consent before using AI to analyze video interviews. The EU AI Act classifies AI systems used in employment decisions as 'high-risk,' requiring conformity assessments, transparency, and human oversight. Several other states and cities are developing similar legislation. HR teams adopting AI tools should build compliance processes now rather than waiting for enforcement.

HR Data Privacy Statistics [2026]

Data showing the scale and cost of employee data protection challenges.

  • $1.3M: Average cost of a data breach involving employee records in the US (IBM, 2023)
  • 287 days: Average time to identify and contain a data breach (IBM, 2023)
  • 71%: Employees concerned about how employers use their personal data (PwC, 2023)
  • 15+: US states with enacted or pending employee data privacy legislation (IAPP, 2024)

Frequently Asked Questions

What employee data should be kept separate from personnel files?

Medical information (ADA requires a separate, locked file), I-9 forms (ICE may inspect these without accessing personnel files), background check reports and FCRA-related documents, EEO demographic data, workers' compensation records, and drug/alcohol test results. Keeping these files separate protects against inadvertent disclosure during manager access, litigation discovery, or regulatory audits where only specific records are relevant.

Can employees request to see what data the company holds about them?

In states with privacy laws (California CPRA, Colorado Privacy Act, etc.), yes. Employees can request access to their personal information, know what categories of data are collected and why, and in some cases request deletion. Even in states without specific privacy laws, many have personnel file access statutes that require employers to provide copies of personnel records upon request. Under GDPR, EU-based employees have an absolute right to access all their personal data.

How long should employee data be retained after termination?

There's no single answer because different data types have different retention requirements. General personnel files: 7 years after termination is the common standard. Tax and payroll records: 4 years (IRS) to 6 years (some states). I-9 forms: 3 years after hire date or 1 year after termination, whichever is later. Medical records: duration of employment plus 30 years (OSHA). FMLA records: 3 years. EEOC records: 1 year after termination (or until resolution of any charge). Benefits records: 6 years (ERISA). Create a data retention schedule and apply it consistently.
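
The retention rules in this answer and in the best-practices list above, as an added Python example that is not from the original article or from any HRIS product: each rule is a function of the employee's hire, termination and tax-filing dates, the I-9 rule takes the later of its two dates, a record whose clock has not started yet (the employee is still employed) is kept, and a legal hold (a litigation hold or an unresolved EEOC charge) suspends destruction of everything. Only rules whose triggering event the page names are included; FMLA, ERISA benefits and the longer state tax periods are left out because their start dates are not given here. The sample dates are constructed.

```python
"""Retention schedule calculator for HR records.

Added example for this page, not code from the original article or any HRIS
product. The retention periods are the ones the page quotes; only records whose
triggering event the page names (hire, termination, tax filing) are included.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 start rolls to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class EmployeeDates:
    hire: date
    termination: Optional[date] = None      # None while still employed
    last_tax_filing: Optional[date] = None  # None if no filing has been recorded


# A trigger returns the earliest lawful destruction date, or None when the
# event that starts the clock (for example termination) has not happened yet.
Trigger = Callable[[EmployeeDates], Optional[date]]


@dataclass(frozen=True)
class RetentionRule:
    record_type: str
    basis: str
    destroy_on: Trigger


def _after_termination(years: int) -> Trigger:
    return lambda e: add_years(e.termination, years) if e.termination else None


RULES = (
    RetentionRule("personnel_file", "7 years after termination", _after_termination(7)),
    RetentionRule("medical_file", "duration of employment plus 30 years (OSHA)",
                  _after_termination(30)),
    RetentionRule("eeoc_record", "1 year after termination, or until any charge is resolved",
                  _after_termination(1)),
    RetentionRule("tax_record", "4 years after filing (IRS)",
                  lambda e: add_years(e.last_tax_filing, 4) if e.last_tax_filing else None),
    # I-9: the later of the two dates, so it can never fall before termination.
    RetentionRule("i9_form", "3 years after hire or 1 year after termination, whichever is later",
                  lambda e: max(add_years(e.hire, 3), add_years(e.termination, 1))
                  if e.termination else None),
)


def destruction_dates(emp: EmployeeDates) -> dict:
    """Earliest destruction date per record type (None = retain, clock not started)."""
    return {r.record_type: r.destroy_on(emp) for r in RULES}


def records_due_for_destruction(emp: EmployeeDates, as_of: date,
                                legal_hold: bool = False) -> list:
    """Record types whose retention period has elapsed as of `as_of`.

    A litigation hold or an unresolved EEOC charge suspends destruction of
    everything, so legal_hold=True returns nothing regardless of the dates.
    """
    if legal_hold:
        return []
    return sorted(t for t, d in destruction_dates(emp).items()
                  if d is not None and d <= as_of)


if __name__ == "__main__":
    # Constructed sample dates.
    former = EmployeeDates(hire=date(2015, 3, 1), termination=date(2020, 6, 30),
                           last_tax_filing=date(2021, 4, 15))
    for record_type, when in destruction_dates(former).items():
        print(f"{record_type:15} {when}")
    print("due as of 2024-01-01:", records_due_for_destruction(former, date(2024, 1, 1)))
```

Running this against the schedule rather than deleting by hand gives you a defensible, repeatable answer to "why was this record destroyed on that date", and the legal-hold switch is the control that stops a routine purge from destroying evidence during a charge or lawsuit.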

Does HIPAA protect all employee health information?

No. HIPAA applies to 'covered entities' (health plans, healthcare providers, clearinghouses) and their 'business associates.' An employer's group health plan is a covered entity, but the employer itself usually isn't. Employee health information in personnel files (sick leave requests, FMLA certifications, ADA accommodation records) is generally not protected by HIPAA. It's protected by the ADA (which requires separate medical files), state privacy laws, and common-law privacy torts. The distinction matters because HIPAA violations carry different penalties than ADA violations.

What should employers do about employee data stored on personal devices?

If employees use personal devices for work (BYOD), create a BYOD policy that addresses: what company data can be accessed on personal devices, minimum security requirements (passcode, encryption, remote wipe capability), the company's right to access and wipe company data on the device upon termination, separation of personal and company data (use containerization apps), and what happens when the device is lost or stolen. In states with monitoring disclosure requirements, the policy must clearly state what the company can and can't access on the personal device.
Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026