Employee data privacy
The Office of Financial Management State Human Resources Division (State HR) is dedicated to privacy practices for safeguarding confidential information. We use OFM’s privacy principles to guide the actions taken by State HR when collecting and using confidential information.
OFM privacy principles are built on the following pillars in alignment with the State Office of Privacy and Data Protection principles:
- Security
- Purpose driven access
- Data minimization
- Transparency
- Accountability
- Due diligence
- Lawful, fair, responsible use of data
OFM State HR manages the state's central HR and payroll application and other enterprise applications that contain state government employee data. The data in these systems are used for operational HR and payroll daily transactions and for monitoring and reporting functions. We are committed to the security and the privacy of the data contained in these applications. We recognize the importance of safeguarding employee personally identifying information (PII) and follow certain protocols to protect this sensitive information.
Here are some common practices, consistent with our OFM Privacy Principles, that we follow at State HR:
- Collection and storage: When employees are hired, employing agencies collect necessary PII such as names, addresses, social security numbers, and other relevant details. This information is entered into the appropriate HR & Payroll system that securely stores the data in databases or information systems designed to protect against unauthorized access.
- Data security: Various security measures are in place to ensure the confidentiality and integrity of employee PII. This includes the use of firewalls, encryption, access controls, and regular system updates to prevent data breaches and unauthorized access.
- Privacy policies: There are privacy policies, principles and practices in place that govern the collection, use, retention, and disposal of employee PII. These policies comply with applicable laws and regulations, such as the Washington State Privacy Act.
- Access controls and training: State HR ensures access to employee PII is limited to authorized personnel who have a legitimate need to access such information for official purposes. Employees handling PII receive appropriate training on data privacy and security to maintain the confidentiality of the information.
- Incident response and notification: In the event of a data breach or unauthorized access that may compromise employee PII, incident response protocols are followed. This typically involves investigating the breach, mitigating any potential harm, and notifying affected individuals as required by law.
It's important to note this is not an all-inclusive list and that there are additional policies and practices specific to different agencies or departments that collect the data in the systems that we manage.
While privacy laws protect some personal information, the information we receive from other agencies may become a government record that others can ask to see through public records requests. Therefore, it is important for you to know when we will release or redact data in our possession.
Release of employee data
State HR will share employee data under specific conditions:
- In response to a public records request in compliance with the Public Records Act (PRA) – RCW Chapter 42.56.
- As described in an executed data sharing agreement as required by RCW 39.26.340 or RCW 39.34.240.
- In response to a labor union data request for their represented employees per their bargaining agreement.
Redaction of employee data
Prior to release of any information by State HR for a public disclosure request, the OFM Public Disclosure Officer reviews the employee data to identify employee information that we may need to redact.
Possible reasons for redactions
- Exempted from disclosure under the Public Records Act, RCW 42.56.250:
  - Employee personal and demographics information such as SSN, residential address, personal phone number, ethnicity, sexual orientation, etc.
  - Certain information of agency employees if they or their dependents are survivors of domestic violence, sexual assault, harassment, or stalking if certain conditions are met.
    - Employees should contact the agency HR Office to discuss the requirements for exempting their PII.
    - The exemption does not apply to news media per RCW 5.68.010(5).
- In compliance with the Address Confidentiality Program (ACP) – RCW 20.24
  - Employees must provide proof of registration in the program to their agency HR Office.
- Employee is in a position that falls under Sensitive Security Information as defined in 49 C.F.R. 1520 (Washington State Department of Transportation Marine Division).
- Additional redactions may be done if the employing agency has identified the employee as being at risk due to stalking, harassment, or domestic violence or the employee is an undercover law enforcement officer.