Privacy May Trump Fed Data Demands

A judge’s early ruling in Google’s complex legal battle with the U.S. Department of Labor highlights a new argument that other companies may use in fighting regulators’ demands for HR data: The government can’t be trusted to keep it safe from hackers.

The ruling came after the DOL’s Office of Federal Contract Compliance Programs had been auditing the company’s compensation practices for much of 2017, according to a blog post by Google vice president for people operations Eileen Naughton. Federal officials first requested documents in September 2015.

The Labor Department has not publicly accused Google of any specific violation, but critics have claimed the company—and others in tech—pays men more than women for the same work. Naughton, however, maintains that company data disprove this claim. “Our own annual analysis shows no gender pay gap at Google,” she writes.

The company had been cooperating with the audit, providing the government more than 329,000 documents and “detailed compensation information,” Naughton writes. Included were records on more than 21,000 employees.

But the two sides reached an impasse over the summer after the Labor Department demanded more information in June, according to a summary of the case by San Francisco-based administrative law judge Steven B. Berlin accompanying his July 24 preliminary ruling in the case (posted here, thanks to the Washington Post). The agency and company found compromises on some requests but remained at odds over others, Berlin writes.

According to Naughton, Google balked after DOL auditors wanted “employees’ compensation and other job information dating back 15 years, as well as extensive personal employee data and contact information for more than 25,000 employees. We were concerned that these requests went beyond the scope of what was relevant to this specific audit, and posed unnecessary risks to employees’ privacy.”

In his July decision, which is not yet final, Berlin granted a portion of the DOL request, but ruled that the request for employee contact information was “over-broad, intrusive on employee privacy, unduly burdensome, and insufficiently focused on obtaining the relevant information.”

Noting that hackers have accessed the federal government’s own employee records in a well-publicized 2015 data breach at the U.S. Office of Personnel Management, the judge outlined his other main objection to the DOL requests: “My concern centers on [the] extent to which the employee contact information, once at OFCCP, will be secure from hacking, OFCCP employee misuse, and similar potential intrusions or disclosures. OFCCP has already collected for 21,114 employees information such as name, date of birth, place of birth, citizenship status, visa status, salary, and stock grants. That information, if hacked or misused, could subject tens of thousands of employees to risk of identity theft, other fraud, or the improper public disclosure of private facts. Adding contact data, such as personal phone numbers and email addresses, increases the risk of harm to Google’s employees. The contact information could ease the efforts of malicious hackers or misdirected government employees.”

What does this mean for HR?

One employment attorney says the lesson for employers is to respond cautiously to government demands for sensitive employee data.

“The July order demonstrates that employers can, and should, take steps to protect their employees’ confidential information—even when such information is demanded by the government,” writes Margaret C. Inomata of the Washington, D.C. office of Vedder Price, in a blog post. “By resisting the OFCCP’s overbroad requests, Google managed to significantly pare down the scope of the agency’s demand and forced the OFCCP to take additional steps to protect its employees’ contact information,” she writes “Like Google, other employers should consider creative solutions to defend against the unnecessary disclosure of sensitive employee data and maintain their employees’ trust.”