Policy Title: HR Privacy Policy
Policy #: 7.3
Functional Area: All Staff HR Employees
Effective Date: 6/1/2011
Revised Date(s):

Statement

Human Resources is committed to safeguarding the privacy of personal information that is collected concerning our prospective, current, and former employees for management, human resources, and payroll purposes.

Philosophy

Eastern Michigan University is committed to protecting the privacy of personally identifiable information of its students, faculty, staff and other individuals associated with the University and will take appropriate measures, implement necessary technology and/or establish operating procedures to ensure data privacy is maintained.

Procedures

This Human Resources Privacy Policy applies to applicant and employee personal information and to the management of that personal information in any form – whether oral, electronic or written.

Human Resources secures personal information from unauthorized access, use or disclosure. Employee and applicant information are confidential business records of the University. Authorized University employees may have access to such records only on a “need to know” basis. Employees are expected to maintain all the information in the personal files in confidence and to access only the minimum amount necessary to perform their job.
Human Resources considers confidential information to include, but not be limited to:

- date of birth
- marital status
- social security or other taxpayer identification numbers, banking details, compensation and pay changes, sick pay, pensions, insurance and other benefits information (including the gender, age, nationality for any spouse, minor children or other eligible dependants and beneficiaries); refer to HIPAA
- technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended
- records of work absences, vacation entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures
- results of credit and criminal background checks, the results of drug and alcohol testing, screening, health certifications, driving license number, vehicle registration and driving history
- information required to comply with laws, the requests and directions of law enforcement authorities or court orders (e.g. child support and debt payment information)
- reason for resignation or termination, information relating to administering termination of employment (e.g. references)

Internal Control Procedures

1. Provide secure storage for personal and confidential documents. No information is to be left in open or unattended work stations.
2. Computer information is secured by limiting access based on each employee’s role and responsibility.
3. Documents will be destroyed or deleted by shredding based on the records retention requirements.
4. Ensure that only secure means of data transmittal are utilized by utilizing data encryption.
5. Require signed employee releases from third party information requests. Information will not be provided over the phone.
6. Annually review these procedures with all employees who are involved in handling or securing personal and confidential information.
7. Violation of this policy will be considered sufficient cause for disciplinary action up to and including termination.

External Control Procedures: Service Providers

In certain situations, Human Resources outsources the processing of certain functions and/or information to third parties and consults with organizations on specific projects. Service providers are required to sign business confidentiality agreements prior to engagement. Online vendors are also required to provide encrypted websites and to secure data behind firewalls to prevent external intrusions.

Responsibility:

Resources:

- University Privacy Policy
- Records Retention Procedure
- Personnel File Access Policy
- Human Resources Confidentiality Agreement