USA Law and Practice Contributed by: Christina Hynes Mesco, Chad Ayers, Kristen Prinz and Amit Bindra, The Prinz Law Firm
Biometric Information Privacy Act (BIPA) and similar statutes in Texas and other states), and information involving minors. Employers must also be mindful of evolving state privacy laws – such as those in California, Colorado, Connecticut, Texas, Utah and Virginia – that grant to employees workplace rights related to notice, purpose limitation and data security. Additionally, investigations involving third-party back - ground or investigative reports (FCRA), workplace injuries (OSHA) or recorded interviews must comply with applicable consent and wiretapping laws, includ - ing two-party consent requirements in certain states. Careful, trauma-informed handling is especially important when investigations involve allegations of harassment or violence. 7.2 Specific Rules When collecting and processing personal data in con - nection with an internal HR investigation, employers should maintain clear procedural safeguards to ensure the data is handled lawfully and appropriately. At the federal level, certain categories of information are sub - ject to heightened protections. For example, under the ADA, any medical or mental health information obtained during an investigation must be maintained in separate, confidential files and shared only on a strict need-to-know basis. Employers should also ensure that data collection is limited to what is relevant to the investigation, used only for legitimate investiga - tory purposes, and retained no longer than necessary to resolve the matter or meet legal obligations. In addition, a growing number of state privacy laws impose obligations that may apply, at least in part, to HR investigations. These laws can require employers to provide notice of data collection, respect employ - ees’ rights to understand or limit how their personal data is used, implement reasonable security meas - ures, and avoid secondary or unrelated uses of inves - tigation data. While many state statutes include par - tial exemptions for employment-related data, those exemptions are narrowing and often do not eliminate core duties such as transparency, purpose limitation and data security. Notably, California significantly cur - tailed its employer exemption in 2023, making compli -
ance with these principles increasingly important in internal investigations nationwide. 7.3 Access In the United States, parties to an internal HR investiga - tion generally have limited and context-specific rights to access personal data collected during the inves - tigation. There is no broad federal right for employ - ees to access investigation files in the private sector, but certain state laws provide targeted access. For example, under Illinois’s Personnel Record Review Act (PRRA), employees may request access to materials that were relied upon in making an employment deci - sion, which can include investigation summaries or findings, though not necessarily all underlying notes or witness statements. In addition, under emerging state privacy laws (such as California’s CPRA), employees may have a right to know which categories of personal data were collected and how they were used, subject to significant limitations in the investigatory context. Employers may invoke several important exceptions to limit access. Attorney–client privilege and attorney work product protections generally allow employers to withhold privileged investigation materials, including legal analyses, attorney-directed interviews and draft reports. Employers may also restrict access to protect confidentiality, witness privacy, trade secrets and the integrity of the investigation, particularly where dis - closure could chill participation, expose witnesses to retaliation, or compromise ongoing or future investiga - tions. Many state privacy statutes expressly recognise exceptions for internal investigations, legal compliance or anticipated litigation, even when employment-data exemptions are otherwise narrowed. As a result, while limited access rights may exist – particularly where an employment action is taken – employers retain sub - stantial discretion to withhold sensitive investigation materials when legally justified. 7.4 AI Artificial intelligence (AI) is increasingly used as a supporting tool, but not as a primary decision-maker, in internal HR investigations. Common uses include assisting investigators in developing or refining inter - view questions, organising timelines, summarising large volumes of documents or communications, and transcribing interviews (subject to applicable consent
433 CHAMBERS.COM
Powered by FlippingBook