Introduction

Human resource managers must manage aplethora of personnel activities associated withcompany employees: recruiting, training, pro-moting, demoting, and recordkeeping. Technol-ogy has made it easier and cheaper HR managersto gather and maintain an infinite amount of dataabout present and prospective employees. Dawes(1994) reports that today’s information systemsdemand a level of technical sophistication andmanagerial skill far beyond what was requiredby the simple recording of standardized transac-tions in stand-alone files.

An essential component in the success ofmanaging this data is the Human ResourceInformation System (HRIS), a database ofpersonal information about each employee.Because of the power to access and use HRISdata, HR managers must be aware of the ethicaland legal issues associated with both the creationand use of those data in the HRIS.

Ethical issues

“Privacy issues are maturing in the 1990s,” saysKurt Decker, an attorney with Stevens and Lee,a Reading, PA firm, “and employers are goingto have to act responsibly in order to preserve[employees’] rights” (Cooney, 1991). There is nogeneral federal or state law creating or protectingprivacy in the workplace. The U.S. Constitution’sFirst Amendment free-speech clause and theFourth Amendment protection against “unrea-sonable searches and seizures” apply only toaction by the government, not to private-sectoremployees. Employees are seen to have broad

moral rights to be treated fairly and with respectand to have moral rights to privacy (DeGeorge,1986). However, Webster (1994) concludes that,by and large, employees leave their constitutionalrights at the workplace door.

Relational databases

The purpose of any HRIS is to provide its userswith information. The purposes for which thisinformation is used vary, but for the most part,an HRIS uses a relational database to store andcatagorize all the separate data files, which arelinked by some common elements (e.g. name, IDnumber, or location). As a result, any desiredinformation can be accessed and merged via theemployees’ ID number. Relational technologyalso allows databases to be established in severaldifferent locations. For example, users in oneplant or division location can access data fromany other company location (Noe, Hollenbeck,Gerhart and Wright, 1994).

This relational database technology providesfor access to more detailed information than everbefore. According to Pasqualetto (1994), thesystem could be made into a perfect model ofelectronic efficiency and data quality if only thoseemployees in the human resources informationcenter (HRIC) used the system. However, thedays are gone when information sat in paper filesin departmental (or personal) file cabinets, avail-able only to those who could gain physical accessto them (Leonard, 1991). With the click of theleft mouse button, practically anyone can enterthe system and obtain data about current, former,or prospective employees. When you walkthrough the open plan offices of any large

Human Resource InformationSystems: An Overview ofCurrent Ethical and Legal Issues

Journal of Business Ethics 17: 1319–1323, 1998.© 1998 Kluwer Academic Publishers. Printed in the Netherlands.

Joan C. Hubbard,Karen A. Forcht

Daphyne S. Thomas

organization today, you will notice live computerterminals on every desk, but only half the deskshave people sitting at them (Richards-Carpenter,1993). As a result, any security measures that havebeen implemented to protect confidential dataare worthless.

Data access

Under the HRIS, some semi-private informa-tion, including employees’ addresses, phonenumbers, and certain medical data, can beaccessed online by anyone outside the HRDepartment, from corporate executives to linemanagers to recruitment directors. Data accessisn’t restricted only to HR personnel; people inall functional areas of HR can access the data inthe HRIS for their own purposes and in waysthat suit their needs (Leonard, 1991). In somecompanies, the database can be accessed byemployees who want or need to make changesto their own personal file, such as adding adependent or listing a new phone number oraddress.

Laabs (1994) reports that most employees favorthe access to the HRIS because it allows infor-mation to be available immediately in case ofemergencies. Other employees, however, chargethat this type of information should not bereadily available and feel their private lives are notbeing protected sufficiently. A frequently askedquestion about this issue is: What informationshould the data system contain?

Privacy concerns

According to Noe et al. (1994), major privacyconcerns include determinations about (1) whattypes of employee information should be storedon the system (e.g., salary and medical informa-tion), (2) who has access to computer hardwareand data, and (3) who can access and modifydatabases. An increasing number of firms arepressured to gather hordes of information aboutprospective employees in order to reduce long-term health costs. They do not want to hirehigh-risk individuals (i.e. smokers, alcoholics,

people with predispositions for serious illnesses)who might need expensive care in the future(“Workplace Privacy . . .”, 1994). With theseconcerns in mind, the following table compiledby Adams (1992) shows the steps that com-panies can take to secure an HRIS in a PCenvironment.

Steps that Companies Should Take to Secure anHRIS

1. Train all users how to securely use andhandle the equipment, data, and software.

2. Train employees to “sign off ” personalcomputers after they are through usingthem.

3. Do not allow passwords to be shared.Change passwords frequently.

4. Run software through a virus-detectionprogram before using it on the system.

5. Ensure that backup copies, data files,software, and printouts are used only byauthorized users.

6. Make backup copies of data files andprograms.

7. Ensure that all software and mainframeapplications include an audit train (a recordof the changes and transactions that occurin a system, including when and who per-formed the changes).

8. Use edit controls (such as passwords) tolimit employees’ access to data files and datafields.

Source: Raymond A. Noe, John R. Hollenbeck,Barry Gerhart, and Patrick M. Wright, HumanResource Management: Gaining a CompetitiveAdvantage, 1994. Burr Ridge, IL: Richard D. Irwin,Inc.

Legal issues

Property interests

The Fifth and Fourteenth Amendments of theU.S. Constitution state that individuals cannot bedeprived of life, liberty, or property without dueprocess of law. When applied to HRIS, thesestatements pertain to the liberty and propertyinterest issues in personnel records management.According to Shearer (1992), employees who are

1320 J. C. Hubbard et al.

terminated without due process can sue on thegrounds that their property interests in continuedemployment have been taken away. Even iftermination of employment does not infringe onproperty interest, the courts have ruled thatemployees have the right to be free fromemployer implications that might stigmatize ordefame their character. By proving they wereterminated for false reasons without notice of ahearing, employees can establish liberty interestviolations (invasion of privacy or defamation).They can also show violation of liberty interestdeprivation by proving that the stigmatizinginformation prevented them from gaining otheremployment. For employees to show bothemployment property and liberty interest, theymust be able to prove the following:

1. that a false and defamatory statement wasmade about him or her;

2. that the statement was disclosed to a thirdparty without his or her permission; and

3. that the person making the disclosurewas negligent in doing so (“WorkplacePrivacy”, 1994).

These emerging laws have made managingpersonnel records more complex because themanager must decide what type of informationshould be kept in an employee’s file. Issues to beconsidered include whether the information isconfidential or nonconfidential, whether theinformation stigmatizes the employee in anymanner, and whether the information should berestricted to HR personnel access. The HRmanager must balance the employer’s interestswith the employee’s interests and rights.

Public disclosure of information

Actual public disclosure of any adverse materialin a personnel file is essential to the validity of aliberty interest claim. The most common causeof defamation of character in employment casesrevolves around the accusation that the employercommunicated or “published” false informationto perspective employers, thus causing damage tothe employee by closing off the opportunity fornew employment. To avoid these charges,

Shearer (1992) recommends that employers inboth the public and the private sectors have apolicy of “no comment” when dealing withrequests for job references. Many employers willverify only basic information, such as hiringand termination dates. Managers must be veryspecific about the type of information that isput in an employee’s file. Key questions to beconsidered include:

1. Will this information create a property orliberty interest that opens up the possibilityof legal action if an employee is terminated?

2. Should any information be released forreference checks?

Robert Belair, an attorney with the Washington-based firm Mullenholz, Brinsek & Belair, advisesthat companies need to have a good solid businesspurpose for any information that is collected.“Many times, that’s [a solid business purpose] alegal defense,” says Belair. “But even when it’snot a legal defense, it puts the HR professionaland the company in a good posture to show that. . . there is a good business employment purposefor asking about this information” (“WorkplacePrivacy”, 1994).

Risk of liability

The most difficult questions relating to infor-mation disclosure involve information providedto other companies about former employees.Managers must be careful not to provide infor-mation that could be judged slanderous by thecourts (Noe et al., 1994).

The increasing risk of liability has resulted insome employers requiring written release fromemployees before any information is released.Shearer (1992) cautions that any release shouldbe conducted with counsel on both sides, shouldbe voluntary, and should include the employee’sagreement not to contest either his or her ter-mination or the contents of the personnel file.Attorney Robert Belair further suggests that therelease should be appropriately limited in timeand purpose (“Workplace Privacy”, 1994).

The HR manager must realize that thepresence of a release does not automatically

Human Resource Information Systems 1321

disallow the possibility of a liberty interest claim.Exposure to liability can be limited by deter-mining to what extent records are confidential ornonconfidential. Any information in the filesmust be a demonstrable, objective document ofevents, regardless of whether or not the infor-mation is likely to be communicated to any thirdparty (Shearer, 1992).

Employee access to records

As an access system, the central mission of theHRIS is the provision of quality information andmechanized processes to the full range of HRfunctions that might benefit from its data andservices (Pasqualetto, 1994). Determining whohas access to personnel records is an extremelyvital concern for the HR manager. The lawsregarding access to personnel records can varysignificantly from state to state, so it is criticalthat managers familiarize themselves with theindividual state laws within which they work.Hartstein (1992) reports that approximately 18states in the U.S. have passed legislation per-taining to access of personnel records. These lawsallow employees to inspect files that or used, orhave been used, to determine an employee’squalifications for promotion, termination, ordisciplinary action. Certain states allow theemployer the option to restrict the number oftimes the employee can have access to the filewithin a specified amount of time.

Individuals should have access to informationabout themselves, and most of the laws allow anemployee to challenge alleged incorrect infor-mation in the file. According to Moulton (1986),limits exist on the type of personal informationthat can be collected about an individual as wellas use and disclosure of this information. If theemployer and the employee cannot come to amutual agreement pertaining to the informationin personnel records, the employee has the rightto file a statement explaining his/her position onthe matter. Because the organization is account-able and liable for its information practices andprocedures, Moulton recommends that proce-dures and practices be adopted to insure thecollection, maintenance, use, and dissemination

of personal information is necessary, lawful,current, and accurate.

Conclusion

All human resource managers must be constantlyaware of the ever-changing laws and regulationsthat pertain to personnel files. The primaryobjective, of course, should be to limit anemployer’s exposure to possible problems andlawsuits and an employee’s right to privacy andprotection. Constant vigilance and ethical andlegal awareness are no longer a luxury – theypresent the key challenges to HR managers intoday’s high-tech, computer-oriented environ-ment.

Proper management and control of the HRISand of the people who use it should enable acompany to take advantage of the many advancesin the HRIS area. By remaining focused on thepurpose for and amount of data collected, HRmanagers will minimize privacy-based litigationin their companies while maintaining high ethicalstandards.

References

Adams, L. E.: February 1992, ‘Securing Your HRISin a Microcomputer Environment’, HR Magazine,56–61.

Cooney, C. M.: 1991, ‘Who’s Watching theWorkplace?’, Security Management 35(11), 26–35.

Dawes, S. S.: Spring 1994, ‘Human ResourceImplications of Information Technology in StateGovernment’, Public Personnel Management 23,31–46.

DeGeorge, R. T.: 1986, Business Ethics (2nd ed.)(Macmillan Publishing Company, New York).

Hartstein, B. A.: Spring 1992, ‘Rules of the Roadin Dealing with Personnel Records’, EmployeeRelations 14(4), 673–691.

Laabs, J. J.: July 1994, ‘Personnel File Database:Universal Access?’, Personnel Journal, 85–89.

Leonard, B.: July 1991, ‘Open and Shut HRIS’,Personnel Journal 70(7), 59–62.

Moulton, R. T.: 1986, Computer Security Hand-book: Strategies and Techniques for Preventing Data Lossor Theft (Prentice-Hall, Inc., Englewood Cliffs, NJ).

Noe, R. A., J. R. Hollenbeck, B. Gerhart and P. M.

1322 J. C. Hubbard et al.

Wright: 1994, Human Resource Management:Gaining a Competitive Advantage (Richard D. Irwin,Inc., Burr Ridge, IL).

Pasqualetto, J.: July 1994, ‘Personnel Computing:Staffing, Privacy and Security Measures’, PersonnelJournal (Supplement), 15–16.

Richards-Carpenter, C.: March 1993, ‘Keeping aSystem Safe and Secure’, Personnel Management,21–22.

Shearer, R. A.: Winter 1992, ‘Due Process Liabilityin Personnel Records Management: PreservingEmployee Liberty Interests’, Public PersonnelManagement 21, 523–532.

Webster, G. D.: 1994, ‘Respecting Employee Privacy’,Association Management 46(1), 142–143.

“Workplace Privacy: Setting Boundaries in theInformation Age”: December 1994, HR Focus 2,4–5.

Joan C. HubbardUniversity of West Georgia,Carrollton, Georgia 30118,

E-mail: jhubbard@westga.edu,770-836-6472.

Karen A. ForchtJames Madison University,

Harrisonburg, Virginia 22807,E-mail: forchtka@jmu.edu,

540-568-3057.

Daphyne S. ThomasJames Madison University,

Harrisonburg, Virginia 22807,E-mail: thomasds@jmu.edu,

540-568-3064.

Human Resource Information Systems 1323