Human Resources emails Personal Information
May 31, 2016 10:28 AM Subscribe
HR (Human Resources) group at work used email to send personal information (in the form of screenshots). The screenshots don't answer my specific questions. It seems they were sent in more of a dismissive gesture. This violates my sense of privacy and trust. It seems every time I correspond with HR it's a negative experience.
I'm having trouble with a situation at work and I'd like to hear the advice and opinions of askmefi.
I work at a (software) organization of 500+ employees. In both my own opinion, and through constructive discussions with others, we've found the HR (Human Resources) group to be most often inept (e.g., ignoring requests, immediately deferring and delegating inquiries, lacking follow-through, etc.). Yet as corporate work culture requires, I continue to extend to them the benefit of the doubt and put on my grown-up pants when working with them. Just recently, however, I had some questions regarding taxes, salary, and stock options that took the direction of HR -> Payroll -> Brokerage Firm -> HR -> Payroll -> finally to an individual assigned to the issue who spoke to me on the phone but then punted to another group in HR, "Benefits." All the while, the only personal information which had been released was with the individual I spoke to on the phone. Never did I or anyone through this series request or provide personal information such as salary, stock details, date of birth, etc. Until...
The most recent exchange was an email from "Benefits" which noted "Sorry you're having so much trouble. All of the information you're requesting is on website" and what followed were screenshots which included my date of birth, home address, last 4 of SSN, and details of stock I had purchased through the company's stock plan (which could potentially be translated to salary info). The recipients of this email included not only myself, the last payroll person helping me, but also a distribution list for the "Benefits" group which I believe copies 7 other employees (unsure if all internal to company).
I'm disappointed enough by the initial inquiry of two weeks ago continuing to go unanswered. I asked "can someone help me understand the process" regarding stock purchasing and how it's taxed. But that now seems almost beside the point. What concerns me the most now is the release of personal information through an insecure medium, email.
Upon receiving these screenshots I responded with a request: 'please do not distribute my personal info.' What then followed was an explanation: 'this list is limited and anyone copied already has access to this info and more.' Following this, the last salvo was me asking 'what is your name and who is your manager?' as the 'From:' header of the email reflects the list name and the individual responding does not sign in closing.
So I want to check in here as I may be going overboard with my concerns. I'm a privacy nut; I've opted out of everything. I use a VPN, my browsers clear history and cookies on exit, I use encryption and yes, I'm a tech nerd well aware of mainstream and esoteric issues in digital privacy. So while I'm shocked at the release of my personal info via email, I don't know if there's been any sort of company policy or compliance law violated here. And as a last-ditch argument I might point out that the screenshots show the URI of httpS://
This particular situation is an installment of a series of disappointing experiences with our HR group spanning nearly 5 years. Also, the last few months have been particularly grueling as I'm involved in some projects which have suffered improper technical support, mismanagement, awful and non-existent planning, and even suspected nepotism. I want to separate my dissatisfaction with these other experiences from this particular issue.
And while there might be some issues of 'not getting the help I need', the dismissive tone of many of their responses, or even a case of unprofessionalism on their behalf, is there a violation of common policy here? That is, is anyone aware of other organizations who have rules about this? Or worse, is it unlawful for an organization to release this sort of info?
Thank you.
Another HR flunky here, coming in to add that I also have access to the salary, SSN, benefits choices, etc. for everyone here (and in most cases I was the one who typed the SSN into the computer in the first place). If your company uses a cloud-based system, generally anyone with the proper security clearance can access that info.
As to your question itself - I'll also add that where I work, it is actually company policy for us not to offer advice on taxes, because we have not been trained in tax law, and so our advice would be uneducated guessing rather than actual help. It's possible that this is why you haven't been getting an answer to your question - because they literally can't offer advice on your taxes. I will grant, however, that they could have been a HELL of a lot more clear about saying so if that's what the problem is. When we get questions about taxes, even "I have never filled out a W-4 in my life, how many deductions should I take", we always very clearly say that we can't offer advice on that, because we're not tax attorneys, and they are unfortunately going to have to seek outside counsel for that. Pretty much the only tax-form-related question I personally can answer is "where it says 'address' you have to write in your address".
I'm sorry this is such a hassle, but a) the personal info being in the email was kind of dumb, but not a huge violation, and b) they actually literally may not be able to help.
posted by EmpressCallipygos at 11:17 AM on May 31, 2016 [7 favorites]
HR has a weird reputation. Many people think they are the be-all and end-all of explaining all the ins and outs of your personal situations for medical insurance, stock, pay, etc. They are not. As you've discovered. I think your expectations are not too high per se, I think you're looking for things from them that they were never intended to provide to you.
For example, they can't give you concrete tax advice about your stock options. They can tell you who the plan custodian is, they can tell you when they were granted. More than that, you should take your statements to an accountant who can offer professional advice about them.
I've heard that people get frustrated with HR when it comes to medical insurance. HR can tell you what plans are available, they can tell you what they cost and what the deductibles are, but if you have questions about a specific illness or treatment and coverage for it, you have to call the actual insurance provider.
A big one is thinking that HR is going to mediate interpersonal issues at work. Oh no, not even close. HR is there to ensure that the company is protected against lawsuits, not to settle issues between co-workers. (As a shop steward, someone came to me with a complaint of this kind. I told them, "You need to solve this problem on your own, because the union is not going to make this person be nice to you.")
As for the screenshots, I am sure it was kindly meant. If you're asking about something, and you've been told where to find it on the web, and you're still not picking up what HR is putting down, then the next step would be a screenshot of the web page, with a red box around what you're asking for.
And no, I don't think anyone broke any rules here.
It is what it is.
posted by Ruthless Bunny at 11:41 AM on May 31, 2016 [3 favorites]
Given that no health-related information was involved here, I doubt that HIPAA applies; that doesn't mean that many organizations don't try to make it a policy to make sure that all sensitive information is treated to HIPAA PHI standards, though.
That being said, I think you need to look at this from two fronts:
1.) Was the information intentionally released to more people than would otherwise have it? (The whole benefits department), and
2.) Was the information sent on a channel that was sufficiently insecure to allow unintended people to view it? (e-mail)
For 1.), from what you described, it doesn't sound like that information went out to anyone who didn't already have access - the benefits folks and the payroll person all need to know your name, DOB, address, etc. in order to do their jobs. Maybe those people might not have bothered to look up that information (like your last 4 of social), but they probably had access regardless. I wouldn't worry about this.
For 2.), that depends on how your internal systems are set up. E-mail, by default, is fairly insecure, especially for messages sent between organizations. It is possible, however, that the internal email systems within your organization are set up so that internal email is pretty darn secure. Obviously perfect security is an illusion, but compare this email to your phone conversation with the payroll person -- how do you know that someone wasn't listening in? Or that the payroll person wasn't livestreaming it to the deep web?
If the email thing bothers you, it might be worth having a casual conversation with someone in IT about the security of internal email. If they aren't making any attempts to secure it, then maybe you should be worried (but then again, your whole organization should be, because I'm sure you guys are discussing trade secrets over email all the damn time).
Lastly, consider how "sensitive" this information really was. Worst case, the bad guys have your name and address (which can be found in a phone book or numerous other public databases), your date of birth (trickier, but still publicly available), information that can be used to guess your salary (anyone who knows your job title and which organization you work for can probably make a decent estimate), and the last 4 of your social, which is the most troubling*, but depending on how much of a privacy nut you really are, you've probably given it to god knows who at utility companies** over the years.
*I remember reading about privacy attacks that involve guessing a full social from a person's last 4 and information about where and when they were born (which gives you info about which SS office they were probably registered at and when).
**Lots of companies that used to "require" a SS number now give you an option of choosing some other identifier/PIN-type code.
posted by sparklemotion at 12:01 PM on May 31, 2016 [4 favorites]
sparklemotion nailed it, but I just wanted to add that I understand why you're kind of weirded out about it. Even if the whole 7-person department can access the information, it's kind of unsettling to see a screenshot with your personal information going out to a bunch of people. They probably didn't do anything strictly wrong, though.
posted by serenity_now at 2:10 PM on May 31, 2016 [1 favorite]
The law you are looking for is HIPAA, and emailing personal information does not necessarily violate HIPAA. Our rules internally are that personal information may be provided via email without otherwise securing it if sent to and from internal email addresses. Our Information Security team has assured us that our internal email security meets HIPAA compliance. If we are sending to an outside source, we secure it another way.
I realize it doesn't make you feel better (and there was absolutely a less dickish way to say it), but all those people on the email probably DO have extremely easy and readily available access to all that information already and (if properly trained) have all attended HIPAA compliance training in some form or another.
We use an internal general benefits email address as well so that anyone on the team can answer benefits questions that come in; this is extremely common, and also does not violate HIPAA.
posted by magnetsphere at 10:42 AM on May 31, 2016 [6 favorites]
This thread is closed to new comments.