Sample language for employee data-handling agreements

This is sample language that acknowledges the responsibility an organization and its employees have towards protecting customers’ personal data. It is intended for organizations that handle protected information and includes language recognizing the types of data the organization holds and the levels of responsibility for employees based on whether the employee has access to that data.

Organization descriptor
<Company> maintains consumer- and policy-related information that includes protected health information (PHI), electronic protected health information (ePHI), personally identifiable information (PII) and financial information, including banking and credit card information subject to the Payment Card Industry Data Security Standard (PCI DSS). All of this information, collectively and individually, is considered highly confidential and sensitive.

Job role requires access
As such, I acknowledge that the ability to access many forms of information that are highly confidential and sensitive is inherent to the job duties associated with my role and job description at the company. I agree to abide by all relevant company policies and procedures regarding the use and disclosure of any information, including that which may contain demographic and/or health information regarding the company’s policyholders. I agree that within my job duties, all uses, disclosures and requests for any information shall be limited to that which is reasonably necessary to accomplish the intended purpose of the use, disclosure or request. I understand that disciplinary action will be imposed against me if I fail to comply with any company policy or procedure regarding access and disclosure of confidential or sensitive information.

Job role does not require access
As such, I acknowledge that I have no reason to access confidential or sensitive information based on my role and job description at the company. However, if I inadvertently receive access to any information outside of that normally received in the course of my job duties, I agree to immediately notify my direct supervisor and abide by all relevant company policies and procedures regarding the use and disclosure of any confidential or sensitive information. I also understand that disciplinary action will be imposed against me if I fail to comply with any relevant company policies and procedures regarding the use and disclosure of any information.