Privacy of employee information

As a manager, you are responsible for securing your employees’ personal information – and a failure to protect that privacy could result in serious consequences for you and the university.

California law requires that employers establish appropriate procedures to keep all employee medical records and information confidential and protect them from unauthorized use and disclosure. Except in limited circumstances, an employer cannot use or disclose medical information pertaining to its employees without a written authorization from the affected employee. Those limited circumstances include:

  • When compelled by a court of law or by a lawsuit filed by an employee
  • When used for administering and maintaining employee benefit plans
  • In relation to a workers’ compensation claim or request for medical leave

Check your procedures, routines and habits to ensure you’re not compromising anyone’s privacy, particularly related to employee medical information and records:

  • Store all employee records in a secure electronic environment. Most records are kept in Workday, but if you have need of some other electronic storage, make sure it is a secure file/folder on a secure server. There is no need to maintain paper files; you should not be keeping personal information anywhere on paper!
  • Dispose of old paper documents and files by shredding – immediately. Don’t leave sensitive of confidential information where it could be seen or taken.
  • Documents and/or information related to employee medical issues/health must be kept in a confidential electronic file separate from an employee’s personnel file. Access to this confidential file should be restricted only to those people in your organization who have a legitimate need to know the information.
  • Don’t talk about employee medical information

This last bullet point is easier to violate that you might think. Although USC strictly prohibits discussing or otherwise sharing an employee’s private medical information with other employees or with individuals who do not have a need to know the information, otherwise good managers have gone wrong on this point, sometimes due to thoughtlessness, sometimes due to close and friendly relationships outside work, and sometimes with nothing but the best of intentions. Any way it happens – it’s wrong. Consider the following scenarios:



Read USC’s Privacy of Personal Information and Information Security policies for additional information. If you have questions about protecting the privacy of employee information, please contact your HR Partner or the HR Service Center.