HR Confidentiality Laws: A Guide for PEO Partnerships

An employee asks for a complete copy of the personnel file. The request sounds routine until the folder includes performance reviews, payroll changes, leave paperwork, and medical notes tied to an accommodation. Someone has to decide what can be released, what must stay segregated, who approves the response, and which system holds the official record.

That's where many companies discover a dangerous gap in how they comply with HR confidentiality laws. The employer assumes the PEO handles privacy because payroll and benefits run through the PEO platform. The PEO assumes the employer controls day-to-day file access because supervisors created some of the records. Both parties may be partly right and still be exposed.

The financial downside is easy to underestimate. IBM's data breach reporting puts the average cost of a breach involving stolen employee personally identifiable information at $180 per record in 2025; at that rate, a single breach affecting all of a 500-employee company's staff would exceed $90,000 before legal fees. The legal cost is only part of the damage. Leadership also has to absorb the brand impact of a privacy breach, which often starts long before a regulator gets involved.

For companies in a PEO relationship, confidentiality risk usually isn't a single dramatic failure. It's a chain of ordinary decisions made by HR staff, managers, payroll contacts, benefit administrators, and vendor support teams. If the contract doesn't spell out ownership, access, segregation, response duties, and indemnity, co-employment can turn a manageable compliance issue into a shared-liability mess.

The Hidden Risks in Everyday HR Requests

A file request often exposes the whole confidentiality model.

An HR manager gets an email from an employee asking for “everything in my file.” The manager opens the HRIS and sees onboarding forms, compensation history, discipline notes, manager emails saved as attachments, and leave paperwork that includes medical details. Another part of the file sits with the PEO because benefits administration and payroll records are stored there. A paper accommodation note may still be in a locked cabinet in the employer's office.

That request triggers several practical questions at once.

  • What counts as the personnel file: Some records belong in a standard employment file. Others should never have been stored there in the first place.
  • Who controls the record set: The employer may create records locally while the PEO stores official payroll or benefits data.
  • Who answers the employee: If the service agreement is vague, each side may assume the other owns the response timeline.
  • What must be withheld or segregated: Medical and investigation materials often need tighter handling than routine employment records.

The co-employment trap is assumption. Employers assume the PEO is the compliance engine because it has the platform, templates, and service team. PEOs often assume the worksite employer controls daily access, manager conduct, and local document collection. Both assumptions fail when an employee asks for a record, a regulator asks for proof, or a breach occurs.

Practical rule: If a company can't identify the system of record, the data owner, and the response owner for a routine HR request, it doesn't yet have a defensible confidentiality process.

For a CFO, this isn't abstract legal hygiene. It affects outside counsel spend, incident response time, employee relations, and vendor bargaining power. The cost shows up when a simple request turns into a dispute over missing files, over-disclosure, or a rushed disclosure pulled from the wrong repository.

Decoding the Legal Landscape of HR Confidentiality

HR confidentiality laws don't sit in one statute. They come from overlapping federal rules, state privacy laws, labor law, and record-handling duties. That's why a process that seems “mostly fine” can still fail under a specific record type or a specific employee request.

Why the law feels fragmented

One rule may govern how an employer stores medical information. Another governs how background check information is handled. A different state rule may control data destruction. California added a major pressure point when the CCPA's employee-information exemption expired at the end of 2022, bringing employee and applicant data fully within the statute. Jackson Lewis's privacy and cybersecurity analysis also notes that over 30 states now have data-destruction laws, which raises the stakes for multi-state employers using shared HR systems and vendors.

That patchwork matters more in a PEO arrangement because employee data often moves across systems. Applicant data may enter through one workflow, payroll through another, benefits through another, and manager notes through local files or email. Every handoff creates another point where responsibility can blur.

A related employment-law issue shows up in terminations and discipline. Confidential records often become exhibits in disputes, which is one reason it helps to understand the broader context of fair and unfair dismissal law when reviewing how sensitive HR records are created and preserved.

What employers actually have to do

The legal map is easier to manage when it's translated into operational tasks.

  • Segregate protected data: Medical and disability-related records should not sit in a general personnel file.
  • Limit access by role: A manager who can approve time off doesn't automatically need visibility into accommodation documents or investigative materials.
  • Control retention and destruction: Deleting a document from a desktop folder isn't the same as following a defensible destruction process.
  • Coordinate notices and disclosures: Privacy notices, applicant communications, and employee-facing policies have to match actual practice.
  • Track system boundaries: The company and the PEO need a clear record of which platform holds which category of information.

A company usually gets into trouble not because it lacked a confidentiality policy, but because its actual workflow didn't match the policy.

For buyers evaluating a PEO, contract review and process review must converge. A provider may describe “compliance support” broadly, but a key question is whether the co-employment structure clearly assigns record custody, disclosure authority, and security responsibility. A useful starting point is understanding the PEO co-employment legal structure before negotiating operational duties.

What HR Data Is Actually Considered Confidential

Not all HR information carries the same legal risk. Companies get into trouble when they treat every file as either fully open to HR and managers or fully locked down. The better approach is to classify records by sensitivity, legal trigger, and business use.

The files that need the most discipline

Medical information sits at the top of the list because the handling rule is stricter than many managers realize. Under ADA rules, employee medical data must be kept in separate, confidential files with restricted access, and a mixed file containing medical notes next to performance reviews can create an avoidable compliance violation even without an improper disclosure, as explained in this HR confidentiality guidance on file segregation.

That principle extends beyond obvious doctor notes. Accommodation requests, leave certifications, workers' compensation documentation, and drug test results can all trigger special handling concerns. In a PEO environment, the practical question is whether those records are segregated in the HRIS or whether they've been uploaded into a general employee profile visible to too many users.

Other categories deserve strong access controls even when the legal framework is less obvious day to day. Compensation history, background check reports, disciplinary records, grievance files, and investigation notes can all create risk if they circulate informally through email, shared drives, or manager folders.

Sensitive HR Data Handling Guide

Each entry lists the data category, examples, the key governing laws, and the required action.

  • Medical and accommodation data. Examples: leave certifications, accommodation notes, workers' compensation documents. Governing laws: ADA and related confidentiality duties. Required action: keep in separate confidential files; restrict access to a small set of trained users.
  • Background screening records. Examples: consumer reports, authorization forms, adverse action paperwork. Governing laws: FCRA and related hiring procedures. Required action: limit distribution; store apart from routine manager notes; release only on a need-to-know basis.
  • Payroll and tax identifiers. Examples: Social Security numbers, direct deposit details, withholding forms. Governing laws: privacy and data security obligations. Required action: limit access to payroll and finance roles; control exports and file transfers.
  • Benefits enrollment data. Examples: dependent information, beneficiary forms, coverage elections. Governing laws: privacy and plan administration obligations. Required action: confirm whether the employer or the PEO is the system owner; define who may view and update records.
  • Discipline and investigation records. Examples: written warnings, witness statements, complaint files. Governing laws: employment and labor law risk management. Required action: restrict access; separate active investigation materials from general performance files.
  • Compensation records. Examples: salary history, bonus decisions, equity documents. Governing laws: employment risk and internal confidentiality controls. Required action: give access only to roles involved in pay decisions, payroll, and executive oversight.

A quick audit usually reveals where the weak points are. The common failures are mixed files, broad manager permissions, and uncertainty over who owns data once it enters the PEO system. Companies reviewing those issues should also examine PEO data ownership clauses before assuming the service agreement answers them.

Defining Roles in a PEO Co-Employment Relationship

Co-employment doesn't remove confidentiality duties. It redistributes them.

The employer still manages people, supervisors, local practices, and many record-creation moments. The PEO often manages payroll processing, benefits administration, parts of the HRIS, and compliance guidance. If the agreement doesn't turn that reality into a clear responsibility matrix, each side can point at the other after a breach, a records dispute, or an over-sharing incident.

Where responsibility usually splits

A workable model separates custody, access, security, and response.

  • Custody of records: The PEO may host the data, but the employer should retain clear ownership of employee records and related business information.
  • User access management: The employer usually controls which supervisors and HR staff should have day-to-day visibility.
  • Platform security: The PEO usually has primary responsibility for securing its systems, integrations, and vendor stack.
  • Physical records and local practices: The employer usually remains responsible for paper files, manager-created notes, local scans, and office-level handling.
  • Employee-facing responses: Both parties need a rule for who answers requests involving payroll, benefits, investigations, or file access.

The cleanest arrangements document those duties in a shared matrix instead of a paragraph buried in boilerplate. That's especially important when an employee issue spans systems. A leave request may involve manager communications on the employer side, payroll coding inside the PEO platform, and benefits data with another administrator.

What a weak arrangement looks like

Weak arrangements have familiar signs:

  • The service agreement says the PEO uses reasonable safeguards but doesn't define standards, audit rights, or response timing.
  • The employer gives broad HRIS access to convenience users because permission design was never reviewed after implementation.
  • No one defines the system of record for files created outside the platform.
  • The parties haven't tested a breach or records request workflow before a real issue lands.

In co-employment, shared responsibility only works when tasks are divided precisely. Otherwise it becomes shared confusion.

For companies that want a more disciplined framework, a PEO HR shared responsibility matrix is usually more useful than a generic privacy rider because it maps actual work to actual owners.

Common and Costly Compliance Pitfalls

Most confidentiality failures don't start with a cyberattack. They start with ordinary workplace behavior.

Small disclosures that create big problems

A manager announces in a team meeting that an employee will be “out for medical reasons for a while.” The manager thinks that's considerate planning. HR now has a preventable disclosure problem.

A payroll contact exports an employee census file from the PEO platform and emails the spreadsheet to a broker, a controller, and a department head “for visibility.” The file includes birth dates, addresses, compensation data, and dependent information. No one intended harm, but the file just traveled far beyond any reasonable need-to-know boundary.

An HR generalist attaches an investigation summary to the employee's general profile because it's easier than creating a restricted file. Months later, a supervisor with broad access opens the file while reviewing performance history. That kind of exposure creates litigation risk even if nothing is printed or forwarded.

These aren't edge cases. They're workflow failures. They happen when companies rely on trust and good intentions instead of access rules, segregation, and training.

Investigation secrecy is not automatic

One of the most misunderstood areas in HR confidentiality laws is workplace investigations. Employers often tell everyone involved not to discuss the matter. That feels prudent, but it can create its own legal problem.

According to NLRB precedent, a blanket instruction for employees not to discuss an ongoing investigation can violate the National Labor Relations Act by chilling protected activity. Employers need a specific business justification, such as witness protection or preventing evidence destruction, to support that request, as outlined in this analysis of investigation confidentiality under the NLRA.

That distinction matters even more in non-union settings because many employers assume the NLRA issue doesn't apply. It can.

Ask for confidentiality in an investigation only when the facts justify it, and document why. Don't treat secrecy as the default script.

A few high-risk habits deserve immediate correction:

  • Loose meeting language: Managers should never speculate publicly about leave, accommodations, medical issues, or complaint details.
  • Spreadsheet sprawl: Sensitive exports should be minimized, secured, and tracked. If the data doesn't need to leave the system, it shouldn't.
  • Overbroad permissions: “HR access” is too vague. Recruiting, payroll, employee relations, and benefits rarely need the same visibility.
  • Mixed recordkeeping: Storing medical, discipline, and routine performance documents together creates preventable compliance headaches.
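The census-export failure above is, in part, a missing control: nothing between the platform and the email client removes the columns the recipient does not need, and nothing records what left. As an added example that is not from the page or from any PEO platform, the Python below gates an export by an approved purpose, drops every other column, refuses purposes that have no approved column set, and writes an audit entry carrying a content hash so a later leak can be traced back to a specific export. The purpose names, column names, recipients, and census rows are constructed assumptions.

```python
"""Minimize and log an employee census export before it leaves the HR system.

Added example; not code from the page or from any PEO platform. The purposes,
column names, recipients and sample rows are constructed assumptions.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Columns each approved purpose actually needs. Everything else is dropped,
# so a "for visibility" request cannot carry SSNs, addresses or dependents.
PURPOSE_COLUMNS = {
    "benefits_broker_renewal": ["employee_id", "birth_date", "zip", "coverage_tier"],
    "department_headcount": ["employee_id", "department", "job_title"],
}

# Columns that should never travel unless the purpose explicitly requires them.
SENSITIVE_COLUMNS = {"ssn", "birth_date", "home_address", "salary", "dependents"}

# Constructed census rows (assumption), shaped like a full platform export.
SAMPLE_CENSUS = [
    {"employee_id": "E100", "ssn": "000-00-0001", "birth_date": "1985-04-12",
     "home_address": "1 Main St", "zip": "02110", "department": "Finance",
     "job_title": "Controller", "salary": "145000", "dependents": "2",
     "coverage_tier": "family"},
    {"employee_id": "E101", "ssn": "000-00-0002", "birth_date": "1992-09-30",
     "home_address": "2 Oak Ave", "zip": "02115", "department": "Sales",
     "job_title": "AE", "salary": "88000", "dependents": "0",
     "coverage_tier": "single"},
]


def minimize_export(rows, purpose):
    """Keep only the columns approved for the purpose. An unknown purpose is
    refused rather than silently falling back to a full export."""
    if purpose not in PURPOSE_COLUMNS:
        raise ValueError(f"no approved column set for purpose {purpose!r}")
    keep = PURPOSE_COLUMNS[purpose]
    return [{col: row[col] for col in keep} for row in rows]


def export_with_audit(rows, purpose, recipient, requested_by):
    """Return (csv_text, audit_entry). The entry records who sent which columns
    to whom, whether any sensitive column was included, and a SHA-256 of the
    file so a leaked spreadsheet can be matched to the export that produced it."""
    minimized = minimize_export(rows, purpose)
    columns = PURPOSE_COLUMNS[purpose]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(minimized)
    csv_text = buf.getvalue()
    audit_entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "purpose": purpose,
        "recipient": recipient,
        "requested_by": requested_by,
        "row_count": len(minimized),
        "columns": columns,
        "sensitive_columns_included": sorted(SENSITIVE_COLUMNS & set(columns)),
        "sha256": hashlib.sha256(csv_text.encode("utf-8")).hexdigest(),
    }
    return csv_text, audit_entry


if __name__ == "__main__":
    text, entry = export_with_audit(SAMPLE_CENSUS, "department_headcount",
                                    "dept-head@example.com", "payroll-contact")
    print(text)
    print(entry)
```

The broker renewal purpose legitimately needs birth dates, so that export is allowed but the audit entry records that a sensitive column went out; the headcount export carries none. The hash is what lets an investigator later say which export a circulating spreadsheet came from.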

Building Your Internal Confidentiality Playbook

Most organizations don't fail because they lacked concern. They fail because the process is informal.

HR.com's 2023-24 survey found that only 33% of organizations rate their legal compliance processes as “highly mature,” which means many employers still lack the documented workflows needed to protect confidential employee data consistently, according to ClearStar's summary of the HR.com survey.

The controls that matter most

A defensible playbook starts with data classification. If the company can't define which records are confidential, restricted, or routine internal information, access control will stay messy no matter how good the software is.

The next step is role-based access. That sounds technical, but it's mostly an org chart exercise. Which users need to see pay data, accommodation records, investigation notes, or dependent information? In many mid-sized companies, too many users inherit visibility because settings were copied from implementation defaults and never revisited.

Training has to be practical. Managers don't need a seminar on every statute. They need scenario-based instruction: what to say when an employee asks about a coworker's leave, where to store complaint notes, when not to forward a report, and who approves a file release.

A workable checklist for lean teams

  • Map the record flow: List where applicant, employee, payroll, benefits, leave, and investigation data enters, lives, and exits.
  • Set access by job function: Don't grant broad visibility because it's convenient during rollout.
  • Write disposal rules that people can follow: Shredding, secure deletion, and retention timing should be operational, not aspirational.
  • Create an escalation rule: File requests, subpoenas, breach alerts, and investigation confidentiality issues should go to named owners.
  • Update the handbook and policies: A practical reference point is this guide to employee handbook standards for small business, especially when confidentiality duties need to match current workflows.
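The handling guide above and the checklist's "set access by job function" step are easy to state and hard to verify against a live HRIS. As an added example (not code from the page or from any HRIS or PEO platform), the Python below encodes the guide's categories as a deny-by-default policy, then audits a constructed permission export and record inventory for the two failures the article keeps returning to: users whose effective access exceeds what their roles permit, and medical or investigation records sitting in the general personnel file. Role names, category names, repository names, and the sample exports are assumptions.

```python
"""Audit an HRIS permission export and record inventory against a least-privilege policy.

Added example; not code from the page or from any HRIS vendor. The roles,
categories, repositories and sample exports are constructed assumptions.
"""
from dataclasses import dataclass

# Categories follow the article's handling guide. Access is deny-by-default:
# a role may read a category only if it is listed for that category here.
POLICY = {
    "medical_accommodation": {"hr_leave_admin"},
    "background_screening": {"recruiting"},
    "payroll_identifiers": {"payroll", "finance"},
    "benefits_enrollment": {"benefits_admin"},
    "discipline_investigation": {"employee_relations"},
    "compensation": {"payroll", "finance", "executive"},
    "routine_personnel": {"hr_generalist", "manager", "hr_leave_admin",
                          "employee_relations", "recruiting", "benefits_admin",
                          "payroll", "finance", "executive"},
}

# Categories that must live in a segregated repository, never in the general file.
REQUIRED_REPOSITORY = {
    "medical_accommodation": "restricted_medical",
    "discipline_investigation": "restricted_er",
}


def is_allowed(roles, category):
    """Deny-by-default: at least one of the user's roles must grant the category.
    An unknown category is denied because it has no policy entry."""
    return bool(set(roles) & POLICY.get(category, set()))


@dataclass
class Finding:
    kind: str      # "overbroad_access" or "mixed_file"
    subject: str   # username or record id
    detail: str


def audit_permissions(users):
    """users: {username: {"roles": [...], "effective_access": [...]}}.
    Flags every category a user can actually read that none of their roles permits."""
    findings = []
    for name, user in users.items():
        for category in user["effective_access"]:
            if not is_allowed(user["roles"], category):
                findings.append(Finding("overbroad_access", name, category))
    return findings


def audit_records(records):
    """records: list of {"id", "category", "repository"}.
    Flags records of a segregation-required category stored anywhere else."""
    findings = []
    for rec in records:
        required = REQUIRED_REPOSITORY.get(rec["category"])
        if required and rec["repository"] != required:
            findings.append(Finding("mixed_file", rec["id"],
                                    f'{rec["category"]} stored in {rec["repository"]}'))
    return findings


# Constructed exports (assumption) that reproduce the failure modes the article lists:
# a manager who inherited medical visibility, a generalist who can read investigation
# and pay data, and protected records uploaded into the general profile.
SAMPLE_USERS = {
    "m.lopez": {"roles": ["manager"],
                "effective_access": ["routine_personnel", "medical_accommodation"]},
    "j.chen": {"roles": ["hr_generalist"],
               "effective_access": ["routine_personnel", "discipline_investigation",
                                    "compensation"]},
    "p.rao": {"roles": ["payroll"],
              "effective_access": ["payroll_identifiers", "compensation"]},
}
SAMPLE_RECORDS = [
    {"id": "R-1", "category": "routine_personnel", "repository": "general_personnel"},
    {"id": "R-2", "category": "medical_accommodation", "repository": "general_personnel"},
    {"id": "R-3", "category": "medical_accommodation", "repository": "restricted_medical"},
    {"id": "R-4", "category": "discipline_investigation", "repository": "general_personnel"},
]


def run_audit(users=SAMPLE_USERS, records=SAMPLE_RECORDS):
    """Run both audits and return all findings; empty means the export matches policy."""
    return audit_permissions(users) + audit_records(records)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:16} {f.subject:8} {f.detail}")
```

Run against the sample data this reports three overbroad grants (the manager's medical visibility and the generalist's investigation and compensation access) and two mixed files (R-2 and R-4); the payroll user is clean. The useful habit is to run the same check against a real permission export after every implementation change, since the defaults that were copied at rollout are exactly what this catches.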

A short agreement template can help with employee-facing language, but generic language is rarely enough on its own. Teams drafting or refreshing those provisions may find useful examples in this resource on customizing confidentiality clauses as long as the final language is adapted to actual HR processes, system access, and co-employment realities.

The strongest confidentiality policy is the one supervisors can follow under pressure on an ordinary Tuesday.

One practical option during a PEO evaluation is to use an outside advisor to compare provider workflows, security obligations, and contract language. PEO Metrics, for example, reviews PEO terms, pricing, and risk allocation for employers evaluating or renegotiating providers.

PEO Contract Clauses That Protect Your Business

A standard PEO agreement usually describes service scope in detail and confidentiality in broad terms. That's not enough.

The contract should answer the questions that cause the most damage after an incident: Who owns employee data? Who can use it? Which security obligations apply? How quickly must the provider notify the client? Who pays when the provider's lapse causes loss?

Terms worth negotiating before signature

Focus on the clauses that control outcome, not just optics.

  • Confidential information definition: The definition should expressly include employee personal data, payroll data, medical and accommodation records, background screening information, benefits data, and investigation materials.
  • Data ownership language: The employer should retain ownership of employee and applicant data, including data entered into or generated through the provider's system for the client account.
  • Security obligations: Boilerplate “commercially reasonable efforts” language is weak. The agreement should require defined safeguards, documented controls, and evidence the client can review.
  • Breach notification timing: The employer needs prompt notice after discovery, plus a duty to provide relevant details, cooperate in investigation, and support legal response.
  • Subprocessor and vendor controls: If the PEO uses third parties for payroll, benefits, storage, or support, the agreement should make the PEO responsible for managing those downstream risks.
  • Return and deletion on exit: The contract should specify export format, timing, completeness, and post-termination deletion obligations.
  • Indemnification: If the breach or improper disclosure stems from the PEO's negligence, security failure, or contractual breach, the financial responsibility should not slide back to the client by default.

What stronger language should accomplish

Strong language doesn't need to be flashy. It needs to be specific enough that both sides know what happens under stress.

A CFO should look for practical points of influence. Can the company audit the provider, or at least request evidence of its controls? Does the agreement force quick escalation? Are service credits the only remedy, or can the employer recover actual losses tied to the provider's failure? Does the liability cap swallow the protection the clause seems to offer?

The goal isn't to shift every risk to the PEO. That won't happen, and it shouldn't. The goal is to align responsibility with control. If the provider controls the platform, integrations, and security environment, the agreement should reflect that reality.

Before signing or renewing, it helps to review a PEO master service agreement checklist against the actual confidentiality workflow. The right clause is the one that matches how records are stored, accessed, exported, investigated, and returned, not the one that merely sounds protective.


Companies evaluating or renegotiating a PEO don't need to guess where confidentiality risk sits. PEO Metrics helps employers compare PEO contract terms, service models, and co-employment risk allocation so HR and finance teams can push for clearer data ownership, stronger breach language, and cleaner responsibility lines before those issues become expensive.

Dustin Cucciarre
