9.3 Data Privacy, Confidentiality, and Access

Key Takeaways

  • HR privacy starts with purpose limitation: collect only data needed for a legitimate HR or business purpose.
  • Confidentiality is enforced through role-based access control (RBAC), least privilege, secure storage, limited disclosure, and user training.
  • The ADA requires that medical and accommodation data be kept confidential; HIPAA may apply to group-health-plan PHI; multi-state employers may face the CCPA/CPRA and GDPR.
  • The best PHR answer balances business need against the minimum-necessary standard and applies policy consistently to every employee.
Last updated: June 2026

Privacy as an HR Operating Discipline

HR holds information employees rarely share with managers or coworkers: medical restrictions, benefit elections, Social Security numbers, pay data, complaints, investigation details, leave reasons, and family data. Privacy is not just an IT topic; it is an HR discipline that shapes collection, access, reporting, storage, and disposal.

When a scenario asks whether HR should share employee information with a supervisor, executive, vendor, or coworker, start with business need and the minimum-necessary standard. HR shares only what the recipient needs to perform an authorized role. Curiosity, convenience, or organizational rank is never sufficient justification.

Privacy Principle     | HR Question               | Example Control
----------------------|---------------------------|-------------------------------------------------------
Purpose limitation    | Why is this data needed?  | Collect only job-related or compliance-related fields
Minimum access        | Who truly needs to know?  | Role-based permissions, redacted reports
Confidential handling | How is it protected?      | Separate secure storage, encryption in transit
Accountability        | Can access be reviewed?   | Audit logs and periodic access certification

Role-Based Access and the Legal Backdrop

Role-based access control (RBAC) ties permissions to job duties. A recruiter needs applicant data but not employee medical records; a payroll specialist needs pay inputs but not investigation files; a supervisor may need a work restriction but not a diagnosis. The Americans with Disabilities Act (ADA) mandates confidential, separate handling of medical and accommodation data. The Health Insurance Portability and Accountability Act (HIPAA) can reach protected health information flowing through a group health plan.

Multi-state and global employers may also face the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and the EU General Data Protection Regulation (GDPR), which add notice, access, and deletion obligations.

Periodic access review matters because roles change. Employees transfer, managers move teams, projects end, and vendors lose their need for access. HR and IT must add, change, and remove access promptly when responsibilities shift, ideally on a defined recertification cycle. The greatest exposure window is at offboarding: a terminated employee or ended vendor whose credentials remain live is a standing breach risk, so the separation workflow must revoke access on the effective date, not weeks later.

State and global rules raise the bar for employers operating across jurisdictions. The CCPA/CPRA grants California employees rights to know what personal information is collected and to request deletion within statutory windows. The GDPR adds lawful-basis, data-minimization, and cross-border-transfer requirements for EU personnel data. Illinois' Biometric Information Privacy Act (BIPA) regulates fingerprint and facial timekeeping data with consent and notice duties. HR does not need to memorize every clause, but should recognize that more locations mean more obligations and route novel situations to legal.

Confidentiality in Everyday Workflows

Most breaches happen during ordinary tasks: attaching the wrong file, sending a spreadsheet with hidden columns, leaving a report on a shared printer, discussing a complaint in an open area, or over-provisioning a manager. The fix is not "tell people to be careful"; it is to design workflows that reduce accidental disclosure.

  • Use secure, approved channels for sensitive documents, not personal email or open shared folders.
  • Redact unnecessary fields before any report leaves HR.
  • Give managers functional information (restrictions, schedule limits) without the underlying diagnosis.
  • Train HR users on confidentiality expectations and escalation steps.
  • Revoke access promptly after transfers, separations, or vendor role changes.

Categories Needing Heightened Care

Not all employee data carries equal risk. The exam expects HR to treat certain categories with extra control regardless of who asks.

Sensitive Category              | Heightened Control                | Disclosure Rule of Thumb
--------------------------------|-----------------------------------|---------------------------------------------------
Medical / disability (ADA)      | Separate file, restricted access  | Share functional restriction only, never diagnosis
Genetic / family history (GINA) | Siloed, never used in decisions   | Do not collect or disclose
Social Security numbers         | Mask, encrypt, limit display      | Show last four only where possible
Pay and compensation            | Role-based access, audit logs     | Need-to-know for the specific action
Complaints / investigations     | Confidential file, limited circle | Only those running or deciding the matter
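The workflow controls above (redact before a report leaves HR, give managers the restriction but not the diagnosis, show only the last four digits of an SSN) can be enforced in code rather than left to habit. The following is an added example, not code from the original page: it builds an outgoing view of an employee record from a per-role allowlist, so a newly added or hidden column is dropped by default instead of leaking. The record, role names, and field names are constructed for the example.

```python
import re

# Constructed sample record: every value is fictional.
EMPLOYEE = {
    "employee_id": "E-1042",
    "name": "Jordan Rivera",
    "ssn": "123-45-6789",
    "pay_rate": 31.50,
    "diagnosis": "lumbar disc herniation",            # ADA medical detail, HR medical file only
    "work_restriction": "no lifting over 20 lb through 2026-08-31",
    "genetic_info": "family history: none recorded",  # GINA: never disclosed in any report
    "open_case_id": "INV-2026-007",
}

# Allowlist of fields each recipient role may see. Anything not listed is dropped,
# so a column added later never leaks by default. Roles and fields are constructed.
VIEWS = {
    "supervisor": {"employee_id", "name", "work_restriction"},
    "payroll_specialist": {"employee_id", "name", "pay_rate", "ssn"},
    "hr_investigator": {"employee_id", "name", "open_case_id"},
}

# Fields that are never released outside HR, even if a view lists them by mistake.
NEVER_DISCLOSE = {"diagnosis", "genetic_info"}


def mask_ssn(ssn):
    """Show only the last four digits, the rule of thumb for any display outside payroll."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]


def redact_for(record, recipient_role, full_ssn_ok=False):
    """Return the subset of `record` that the recipient's role is allowed to see."""
    allowed = VIEWS[recipient_role] - NEVER_DISCLOSE
    out = {}
    for field_name in allowed:
        if field_name not in record:
            continue
        value = record[field_name]
        if field_name == "ssn" and not full_ssn_ok:
            value = mask_ssn(value)
        out[field_name] = value
    return out


def redact_report(records, recipient_role, full_ssn_ok=False):
    """Apply the role view to every row of a report before it leaves HR."""
    return [redact_for(r, recipient_role, full_ssn_ok) for r in records]


def leaked_fields(report):
    """Pre-send check: names of fields that should never appear in an outgoing report."""
    found = set()
    for row in report:
        for key, value in row.items():
            if key in NEVER_DISCLOSE:
                found.add(key)
            elif key == "ssn" and not str(value).startswith("***-**-"):
                found.add("ssn(unmasked)")
    return sorted(found)


if __name__ == "__main__":
    print("supervisor view:", redact_for(EMPLOYEE, "supervisor"))
    print("payroll view:   ", redact_for(EMPLOYEE, "payroll_specialist"))
    print("leaks in raw export:", leaked_fields([EMPLOYEE]))
```

The allowlist is the important design choice: a denylist ("strip diagnosis") silently fails the moment someone adds a "notes" column to the HRIS export, while an allowlist fails closed. The `leaked_fields` check is the kind of gate an HR team can run on any spreadsheet before it is attached to an email.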

Worked Example

A recruiter asks for read access to the full employee module "to save time." Purpose limitation says no: the recruiter's role needs applicant and requisition data, not active-employee medical, pay history, or discipline. HR provisions a recruiter role scoped to the ATS and open requisitions, then recertifies it quarterly. When the recruiter later moves into an HRBP role, access is re-evaluated rather than simply stacked on top of the old permissions, avoiding privilege creep.
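The access lifecycle described in the preceding sections (provision by role, recertify on a cycle, replace rather than stack on a role change, revoke on the separation date) is easier to reason about as a small model. This is an added example, not code from the page or from any HRIS product; the role catalogue, scope names, dates, and the 90-day cycle are assumptions chosen to match the worked example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical role catalogue for an HRIS: each role maps to the minimum set of data
# scopes its duties need. Role and scope names are constructed for this example.
ROLE_SCOPES = {
    "recruiter": {"ats.applicants", "ats.requisitions"},
    "payroll_specialist": {"pay.inputs", "pay.history"},
    "hrbp": {"employee.core", "employee.restrictions", "cases.summary"},
}

RECERT_CYCLE_DAYS = 90  # quarterly recertification, as in the worked example


@dataclass
class Grant:
    user: str
    role: str
    granted_on: date
    last_certified: date
    expires_on: Optional[date] = None  # set by a role change or a separation


class AccessRegistry:
    def __init__(self):
        self.grants = []

    def provision(self, user, role, today):
        # Scopes are only ever granted through a defined role, never ad hoc.
        if role not in ROLE_SCOPES:
            raise ValueError(f"unknown role {role!r}")
        self.grants.append(Grant(user, role, today, today))

    def _active(self, user, today):
        return [g for g in self.grants
                if g.user == user and g.granted_on <= today
                and (g.expires_on is None or today < g.expires_on)]

    def change_role(self, user, new_role, today):
        """Re-evaluate rather than stack: old grants end the day the new role starts."""
        for g in self._active(user, today):
            g.expires_on = today
        self.provision(user, new_role, today)

    def offboard(self, user, effective_date):
        """Revoke on the effective date, not at the next access review."""
        for g in self.grants:
            if g.user == user and (g.expires_on is None or g.expires_on > effective_date):
                g.expires_on = effective_date

    def scopes(self, user, today):
        out = set()
        for g in self._active(user, today):
            out |= ROLE_SCOPES[g.role]
        return out

    def can_access(self, user, scope, today):
        return scope in self.scopes(user, today)

    def recertify(self, user, today):
        for g in self._active(user, today):
            g.last_certified = today

    def recert_due(self, today):
        """Users holding an open grant not certified within the cycle."""
        return sorted({g.user for g in self.grants
                       if g.expires_on is None
                       and (today - g.last_certified).days >= RECERT_CYCLE_DAYS})


def recruiter_scenario():
    """Walk the worked example: recruiter -> HRBP -> separation. Returns the checks made."""
    reg = AccessRegistry()
    reg.provision("alex", "recruiter", date(2026, 1, 5))
    checks = {
        "recruiter_sees_applicants": reg.can_access("alex", "ats.applicants", date(2026, 2, 1)),
        "recruiter_sees_restrictions": reg.can_access("alex", "employee.restrictions", date(2026, 2, 1)),
        "due_at_89_days": "alex" in reg.recert_due(date(2026, 4, 4)),
        "due_at_90_days": "alex" in reg.recert_due(date(2026, 4, 5)),
    }
    reg.change_role("alex", "hrbp", date(2026, 4, 6))
    checks["hrbp_sees_restrictions"] = reg.can_access("alex", "employee.restrictions", date(2026, 5, 1))
    checks["hrbp_still_sees_applicants"] = reg.can_access("alex", "ats.applicants", date(2026, 5, 1))
    reg.offboard("alex", date(2026, 6, 30))
    checks["access_day_before_separation"] = bool(reg.scopes("alex", date(2026, 6, 29)))
    checks["access_on_separation_date"] = bool(reg.scopes("alex", date(2026, 6, 30)))
    return checks


if __name__ == "__main__":
    for name, result in recruiter_scenario().items():
        print(f"{name}: {result}")
```

Two details carry the security point. `change_role` expires the old grants before adding the new one, which is what prevents privilege creep; and `offboard` closes every open grant on the effective date, so the separation workflow, not a later access review, is what ends the exposure window.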

Privacy applies to analytics too. A dashboard with names removed can still identify a person through small cell sizes, a unique job title, or pinpoint location data; a survey result for a department of three can de-anonymize respondents. HR should suppress or aggregate metrics for very small groups; a common rule is to mask any cell below a minimum count, such as five. PHR answer logic favors prevention and documentation: when a disclosure occurs, follow the incident process, preserve facts, notify the right owners, correct access, and record what happened.
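The small-cell rule from the paragraph above, applied to a constructed engagement survey, as an added example rather than code from the page. It goes one step beyond the page's single rule: when an overall total is published alongside the cells, hiding one small department is not enough, because a reader can subtract the visible cells from the total and recover it, so the example also applies complementary suppression. Department names, scores, and the threshold of five are assumptions.

```python
MIN_CELL = 5  # mask any cell below this count, the rule of thumb from the text

# Constructed survey responses as (department, engagement score 1-5); all fictional.
RESPONSES = [
    ("Engineering", 4), ("Engineering", 5), ("Engineering", 3), ("Engineering", 4),
    ("Engineering", 4), ("Engineering", 5), ("Engineering", 2),
    ("Finance", 3), ("Finance", 4), ("Finance", 4), ("Finance", 5), ("Finance", 3),
    ("Legal", 2), ("Legal", 3), ("Legal", 2),                                   # three respondents
    ("Facilities", 5), ("Facilities", 4), ("Facilities", 4), ("Facilities", 5),  # four respondents
]

SUPPRESSED = {"n": None, "mean": None, "suppressed": True}


def _cell(scores):
    return {"n": len(scores), "mean": round(sum(scores) / len(scores), 2), "suppressed": False}


def publish(responses, min_cell=MIN_CELL):
    """Aggregate per department, hiding every cell below min_cell, plus the overall row."""
    groups = {}
    for dept, score in responses:
        groups.setdefault(dept, []).append(score)

    cells = {d: (_cell(s) if len(s) >= min_cell else dict(SUPPRESSED)) for d, s in groups.items()}

    # Complementary suppression: because the overall row is published, a reader can
    # subtract the visible cells from it. The hidden cells must together hold at least
    # min_cell respondents, or the subtraction re-identifies a small group. Keep hiding
    # the next-smallest visible cell until that holds.
    hidden = {d for d, c in cells.items() if c["suppressed"]}
    while hidden and sum(len(groups[d]) for d in hidden) < min_cell:
        visible = sorted((len(groups[d]), d) for d in cells if d not in hidden)
        if not visible:
            break
        _, smallest = visible[0]
        cells[smallest] = dict(SUPPRESSED)
        hidden.add(smallest)

    all_scores = [s for _, s in responses]
    overall = _cell(all_scores) if len(all_scores) >= min_cell else dict(SUPPRESSED)
    return cells, overall


if __name__ == "__main__":
    cells, overall = publish(RESPONSES)
    for dept, cell in sorted(cells.items()):
        print(f"{dept:12} {'suppressed' if cell['suppressed'] else cell}")
    print("overall", overall)
```

With the constructed data, Legal (3) and Facilities (4) are both hidden and together hold seven respondents, so nothing further is needed. Remove Facilities from the input and Legal becomes the only hidden cell; the code then also hides Finance, the smallest visible cell, because otherwise "overall minus Engineering minus Finance" would reveal Legal's three answers.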

Ignoring the issue, or blaming one user while leaving the control gap open, is rarely the best answer; the control, not just the person, must be fixed.

Test Your Knowledge

A supervisor asks HR for an employee's medical diagnosis to understand a lifting restriction. Under the ADA, what should HR do?


Which action best supports role-based access control in an HRIS?


An HR dashboard hides employee names but shows a sensitive engagement metric for a team of only two people. What is the primary concern?
