When Employer Disclosure of Personal Information Becomes a Legal Issue
Maintaining employee privacy is a cornerstone of appropriate human resources management. Under California law, workplace privacy statutes, HIPAA, California’s Confidentiality of Medical Information Act (CMIA), employment agreements, and other common-law privacy protections, employees are granted a reasonable expectation of privacy. As such, employers are required to handle sensitive employee information, including medical information and personal identifying information, with care in compliance with security protocols in order to maintain employee privacy.
Likewise in most situations, confidentiality and privacy laws prohibit employers from sharing employees’ personal information without explicit consent. There are a few specific situations in which employers may be legally permitted or required to disclose personal information, but any such disclosures are tightly regulated by federal and California state law.
If an employer mishandles personal information, either by failing to securely handle the information or by sharing information inappropriately, employers may be legally liable for violating privacy laws. If you believe that your employer has violated your privacy, understanding privacy rights is the first step toward determining whether you can sue your employer for sharing your personal information.
Confidentiality Obligations in the California Workplace
Federal and state laws, employee handbooks, confidentiality agreements, and employment contracts make clear an employer’s duty to safeguard sensitive data, including medical details, HR records, financial information, and personal contact details. In California, the California Privacy Rights Act (CPRA) requires employers to implement reasonable security measures, provide privacy notices, and give employees the right to access, correct, and delete personal data.
Unauthorized unlawful disclosures of personal information may be purposeful or accidental, and often occurs through email, file sharing, verbal communication of personal details, or lack of proper security measures surrounding employee data. Violations of confidentiality, whether intentional or not, can lead to legal claims for damages.
Medical Records, Sensitive Data & Privacy Protections
Employers are legally required to maintain employee privacy with regards to employee medical information. Employers may have access to medical information if an employee requires a medical leave or a workplace accommodation, or if the employer collects physical information for any reason. Under HIPAA, the ADA, and California’s CMIA, California employers face strict legal requirements when handling medical documentation, workers’ compensation files, or accommodation-related records.
The Federal Health Insurance Portability and Accountability Act (HIPAA) and Americans with Disability Act (ADA) set strict federal standards for maintaining employee medical privacy, requiring employers to keep all medical information confidential, stored in separate and protected files, and only shared with those who have a need-to-know.
Under California’s Confidentiality of Medical Information Act (CMIA) employers must get consent to share any information, keep medical records separate from personnel files, train staff to handle medical information, and follow strict protocols for handling information related to medical conditions. The CMIA imposes strict penalties for violations and gives employees in California an additional avenue to sue in court.
When Disclosure Happens During Legal Proceedings or HR Investigations
Employers may be legally required to disclose personal information during legal proceedings or human resources investigations, however employers must always balance their duty to disclose information with their obligations to protect employee privacy. In the case that employers are required to disclose personal information, only relevant information should be shared, and it should only be shared with those who have a legitimate need to know.
Employees can pursue legal action if any disclosure of personal information was excessive, unjustified, retaliatory, or outside the scope of the legal or HR investigation requirements.
Co-Workers, Managers & Unauthorized Information Sharing
As the keeper of employee information, the responsibility to maintain employee privacy primarily falls upon human resources departments. However, all employees have a legal obligation to respect workplace confidentiality standards and avoid sharing their colleagues private information internally or externally without consent. Managers, supervisors, and co-workers, are all accountable for respecting employee privacy.
Examples of common privacy breaches by co-workers include gossiping about medical issues and other personal details, sharing addresses or phone numbers, disclosing disciplinary records. In order to avoid privacy breaches, employers should make a point to have clear policies regarding employee privacy, implement training protocols regarding the handling of sensitive information, and enforce disciplinary consequences when employer policies are violated.
California Privacy Laws That Allow Employees to Sue for Disclosure
There are several laws and statues that give California employees the right to sue their employers for privacy violations:
- California Constitutional Right to Privacy
- Confidentiality of Medical Information Act (CMIA)
- California Consumer Privacy Act (CCPA)
- Common-law invasion of privacy
- Negligence and breach of contract claims
These laws, among others, protect sensitive information, including personal identifying information and medical information, and restrict unauthorized sharing in the workplace. Under these laws, employees can bring claims for damages in state court when employers violate an employees right to privacy by failing to protect, or sharing without authorization, an employees private information. Under California law, employees may recover statutory damages, emotional distress damages, punitive damages, and attorney’s fees in cases of workplace privacy violation.
How to Sue Your Employer for Disclosing Personal Information
If you are experiencing a privacy violation at work, you may be entitled to compensation, including emotional distress damages and punitive damages under federal and state laws. Take the following steps to support your case:
- Save Evidence: Keep a record of the unlawful information disclosures and privacy violations in writing. Save related evidence, notes, and documents, including emails, texts, and other communications with coworkers. Additionally, record proof of harm due to the privacy violation, including emotional distress and other negative consequences at (or outside of) work. It is advantageous to reach out to an employment attorney as soon as possible regarding potential privacy violation claims you may have so that they can provide advice. In order to hold your employer accountable, you will need to prove that they have harmed you by violating your privacy. An employment lawyer can help you compile the evidence that you will need to present a legally compelling case.
- Find an Attorney: Employment law attorneys specializing in privacy issues will be able to help you answer the question “Can I sue my employer for sharing my personal information?” Privacy cases can be very complex and evidence heavy; an employment law attorney can help you make legal sense of what you are experiencing, and help you decide what your options are based on the facts of your situation.
- Report the Violation: Report the privacy violation directly to your employer. If your employer does not correct their behavior, you may file a complaint with the Federal Equal Employment Opportunity Commission (EEOC) (if your employer has more than 15 employees) or with the California Department of Fair Employment and Housing (DFEH) (if your employer has more than 5 employees). After filing with an appropriate agency, you may chose to bring claims in court. Employment law claims are subject to statutes of limitations. If you miss the deadline to bring a case, you risk losing your right to pursue that particular claim. Contact an attorney promptly so that they can advise you of any pending deadlines that might impact your ability to pursue justice.
Protecting Employee Privacy & Understanding Legal Options
Under federal and California state law, employees have strong legal rights when employers disclose confidential personal information without authorization. If you believe your privacy has been violated at work, you may be entitled to compensation under state laws in the form of emotional distress damages, and putative damages. An employment attorney will be able to help you understand your legal options and build a strong case.
Navruz Avloni is an employment attorney dedicated to fighting for your rights in the workplace. Schedule a consultation with Navruz Avloni today to get started.