Policy Program

Integrity & Compliance Office

VCU branded angle-motif letterhead [View Image]

Maintenance and Release of Employment and Personal Information

Responsible Office: Human Resources, Division of Administration
Current Approved Version: 09/10/2019
Policy Type: Administrative

Policy Statement and Purpose

Virginia Commonwealth University seeks to protect the privacy of every employee’s employment and personal information, including social security numbers, whether that data is maintained through paper or electronic means.

This policy clarifies which employee records do and do not require third-party disclosure under the Virginia Freedom of Information Act and the Virginia Personal Information Privacy Act.

Noncompliance with this policy may result in disciplinary action up to and including termination of employment. VCU supports an environment free from retaliation. Retaliation is prohibited against any employee who brings forth a good faith concern, asks a clarifying question or participates in an investigation.

Who Should Know This Policy

All employees are responsible for knowing this policy and familiarizing themselves with its contents and provisions.

Definitions

Personal Data

This term refers to any information relating to an identified, or identifiable, individual.

Third Parties

These are individuals outside of VCU, including other state agency representatives, who request information from the records maintained by VCU.

Contacts

VCU Human Resources officially interprets this policy and is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to VCU Human Resources Employee Relations.

Policy Specifics and Procedures

1. Collecting Employee Information

VCU will collect only employee data that is needed for valid business purposes or to comply with law, and any such data will be obtained only by lawful and fair means. All data will be used only for the purpose authorized by the employee, to comply with applicable laws, or in support of university business purposes.

VCU will strive to maintain the accuracy of the personal data held to include establishing, as appropriate, mechanisms allowing employees to have the opportunity to review and update or correct their personal information.

2. Data Protection

Employees should have a reasonable expectation of privacy in both electronic and paper-based environments. Human Resources will take reasonable steps, with technical assistance from VCU Technology Services, to protect personal data from unauthorized access, including developing other personal identification methods (e.g., eID – employee ID; Banner ID - “V” number) and limiting access to such data to those employees with a business need to know. All university departments maintaining paper or electronic personal data are required to adopt and implement similar protection procedures, including discontinuing the use or dissemination of the social security number as an identifier on documents and reports.

3. Use of Social Security Numbers

In accordance with Department of Human Resources Management (DHRM) Policy 6.10, Personnel Records Management, the use of the social security number within the university will be limited to:

comply with federal, state and local reporting requirements;
comply with subpoenas, court orders and other legal requests;
administer and evaluate the university’s hiring and benefits programs;
effect personnel transactions related to employment status changes;
comply with the Virginia Freedom of Information Act by verifying subject of data request; and
serve as an integral indexing key within university systems and databases when no other appropriate key is available or feasible to accomplish university business needs.

All university departments that may provide personnel records must take care to redact the social security number where it is not required or relevant to the record request.

In accordance with the Government Data Collection and Dissemination Practices Act, unless disclosure is required by federal or state law, the university will not require employees to provide their social security number for any purpose or in connection with any activity. Likewise, the university will not refuse or deny service or rights to employees who do not furnish their social security number.

4. Request for Information by Employees

Employees have access to the contents of their personnel file and other official records, except for letters of reference for employment and certain medical and/or mental health records that employees’ physicians have requested remain confidential.

Access to files is allowed during normal business hours and following the employee's proper release from their work area. The supervisor's approval or presence is not required in viewing such records; however, a Human Resources staff member will be present. Fees appropriate to the cost of reproduction will be charged for copies made of any information.

5. Request for Information by Third Parties

Requests for employee information should be referred to Human Resources for response to ensure compliance with the Virginia Personal Information Privacy Act and the Virginia Freedom of Information Act.

Vendors who are approved by Human Resources to access employee data will be required, upon request, to sign a confidentiality statement and to provide a copy of their data security plan and the result of their most recent information technology audit. Vendors also should certify their need for data when contracts are initiated and renewed. VCU’s policy on Business Associates and Contracted Sites details requirements for third-party access to personal information.

Requests regarding expense reimbursements to employees may be obtained from the Virginia Department of Accounts or the VCU Controller’s Office.

6. Records Requiring Third-Party Disclosure

In accordance with the Virginia Freedom of Information Act and the Government Data Collection and Dissemination Practices Act, the following information is considered public information and requires disclosure when requested by third parties:

job classification and/or position title;
dates of employment; and
annual salary or rate of pay (above $10,000);
contracts between VCU and its employees other than contracts settling public employee employment disputes held confidential as personnel records; and
records of allowances or reimbursements for expenses paid to any employee of a public body.

In addition to the data above, VCU will provide information required by subpoena or other court orders. Questions about what information may or may not be disclosed should be referred to the Office of University Counsel at VCU.

Forms

There are no forms associated with this policy and procedures.

Revision History

This policy supersedes the following archived policies:

Approval/Revision Date	Title
January 16, 2009	Maintenance and Release of Employment and Personal Information
August 21, 2012	Maintenance and Release of Employment and Personal Information
August 06, 2015	Maintenance and Release of Employment and Personal Information
July 29, 2016	Maintenance and Release of Employment and Personal Information

FAQ

There are no FAQ associated with this policy and procedures.