This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question:
The California bills that would have extended the California privacy law exception for employee data did not pass this summer. So, I have to get my company’s HR department ready to receive and process data access, deletion, and correction requests from present and former employees, job candidates, and independent contractors. These have different ramifications than consumer requests. What do I need to know?
Answer:
The California Privacy Rights Act (CPRA) will allow a business’s current and former employees, applicants, independent contractors, business owners, directors, officers, and their beneficiaries and emergency contacts who reside in California (“Requestors”) to make the following privacy requests (“Requests”) regarding their Personal Information (PI).
Requests to Know: This includes the right to request: (a) a portable copy of the Requestor’s PI and/or (b) information about the categories and sources of the Requestor’s PI and how the company uses and discloses it. This includes PI that the company has collected about the Requestor and not only PI it has collected from the Requestor. The CPRA’s requirements regarding such Requests apply to PI collected or accessed on or after January 1, 2022.
Requests to Delete: This is the right to request deletion of the Requestor’s PI that the company has collected from the Requestor.
Requests to Correct: This is the right to request correction of inaccuracies in the Requestor’s PI.
Here are some best practices for HR departments when processing Requests:
- Requests from employees and job candidates often follow an earlier informal employment dispute. Prepare to leverage the CPRA’s exception for records that are protected by an evidentiary privilege.
- Train personnel to be thoughtful and discreet about what they include in written communications regarding employees and applicants to reduce the volume and sensitivity of records that might have to be produced in response to a Request.
- Set automated retention periods on emails, other messaging applications, and document management systems, so there is less to review and produce following a Request.
- Do not delete PI that the company possesses at the time of the Request as a way of avoiding having to produce it to the Requestor. (Retention periods should be implemented proactively, in advance of receiving Requests.)
- Involve HR and Legal as soon as a Request comes in. HR and other personnel can share whether the Requestor is disgruntled, persistent, and/or litigious. Legal can spot pre-litigation exposure that should be handled carefully.
- Do not take actions that may be perceived as retaliation against the Requestor following a Request, for example, firing, demoting, or disparaging the subject individual, or giving them less favorable employment terms.
- Determine whether the Requestor wants, or has the right to obtain, copies of actual records, or just a summary of PI extracted from records. The CPRA gives California residents the right to receive “specific pieces” of PI but not necessarily copies of entire documents.
- When collecting unstructured data such as emails, look for emails that are about the Requestor, not merely to or from the Requestor. If the Requestor is merely the sender/recipient and is not referred to in the body of the email, simply produce the Requestor’s name and email address as contained in the email header.
- Keep a record of Requests received and the process of responding to the Requests, such as the approach taken to search for PI, the rationale for the scope of the search, and efforts made to collect information in response to the Request, including the total volume of search results prior to tailoring the results to responsive PI. These records could be helpful in defending the thoroughness of a response.
- Deny or limit the response where appropriate, using the exceptions available under the CPRA.
- Assess whether parts of the requested information should be redacted because they impact another individual’s privacy (for example, a performance review could reveal the reviewer’s identity, even if the reviewer is not named). Redact privileged, confidential, and/or business-sensitive information (e.g., trade secrets) before providing the response to the Requestor.
- Respond in a timely manner. Confirmation of a Request must be provided within 10 business days of receipt. The full response must be provided within 45 calendar days of receipt, subject to a possible 45-day extension.