Privacy and Employee Phone Numbers
Managing Employee Phone Numbers
When managing employee phone numbers, there are a number of privacy-related considerations.
Phone numbers are considered Personal Information (sometimes called Personally Identifiable Information, or PII) by almost all privacy regulations around the world, including:
- The California Consumer Privacy Act (CCPA) defines Personal Information as "information that identifies, relates to, or could reasonably be linked with you or your household". Employee records were excluded from the CCPA prior to 1st January 2023, but they are no longer excluded.
- The UK's General Data Protection Regulation (GDPR) defines Personal Information to include any information that allows a person to be "identifiable, directly from the information in question".
- The Australian Privacy Act explicitly includes phone numbers in its list of examples of Personal Information. While there is an Employee Records Exemption, the fact remains that employees may consider their phone numbers personal.
While there is certainly a legitimate need for employers to include phone numbers in their employee records, so employees can be contacted, the fact that they are considered Personal Information means that you need to appropriately protect employee phone numbers.
As a general principle, privacy regulations around the world require you to minimize the information you hold and to restrict it to only the information you need to conduct your business. For example:
- The California Consumer Privacy Act (CCPA) requires businesses to "collect, use, retain and share consumer personal information only to the extent reasonably necessary and proportionate to achieve the purpose for which it was collected".
- The UK's General Data Protection Regulation (GDPR) says that personal data needs to be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
Consider, for example, whether you really need to store each employee's date of birth - if you only need this to complete a tax form, do you need to continue to store it once this has been done?
Holding information you do not need, holding it longer than you need it, or holding it in multiple systems all increase the risk that this information will be exposed in a data breach. This data minimization lens needs to be applied to all Personal Information, including employee phone numbers.
Using Employee Phone Numbers
Even if employees provide you with their personal phone numbers, there is legislation that limits how you can use them. In the US, the Telephone Consumer Protection Act (TCPA) is particularly demanding, and violations of the TCPA can result in substantial fines.
Across all jurisdictions, you should have consent before calling or SMSing employees. This consent may be either:
- Express. That is, employees acknowledge in their employment agreement and/or through an online form that you can call or send SMSs to their phone number for specific purposes.
- Implied. That is, because of the existence of an employment relationship (and the fact that the employee provided their phone number to you), it may be reasonable to initiate certain phone calls or SMSs (see Transactional vs. Promotional Messages below).
In the US, under the TCPA, almost all communications require express / written consent, and even in jurisdictions where implied consent may be permissible, it is better to err on the side of caution and always obtain express / written consent. This may involve modifying employment agreements (to capture consent) and/or ensuring your systems are configured and used in such a way as to obtain express consent before sending SMSs.
Transactional vs. Promotional Messages
When sending SMSs, you should consider the distinction between:
- Promotional Messages such as special 'employee only' deals for products and services your company offers.
- Transactional Messages such as shift changes, registration passcodes, two-factor authentication codes, password resets, etc.
Under no circumstances should you send Promotional Messages to employees without their express / written consent. And as above, in some jurisdictions, including in the US under the TCPA, express consent is required even for Transactional Messages.
Phone Numbers in NoahFace
NoahFace includes a number of features to help you responsibly manage, protect, and use employee phone numbers. This includes providing you with control over:
- Whether phone numbers are synchronised from your payroll system or not.
- Whether registration passcodes, activation links, and one-time passcodes are sent via SMS or Email.
- Whether one-time registration codes are only sent to employees after express consent.
To learn more, see the Tech Note: Employee Communications.