Data Privacy and I-9 FAQ
This information is provided solely for informational purposes and is not legal advice. Transmission of these materials is not intended to create, and receipt does not constitute, an attorney-client relationship. Readers should not act upon the information contained in this FAQ without first seeking advice from a qualified attorney.
The following information is excerpted from the practice pointer, “Data Privacy Considerations and I-9s — Protecting Employee Information and Avoiding a Breach” (prepared by the American Immigration Lawyers Association’s Verification and Documentation Liaison Committee, 11/30/2017).
Background: How does data privacy relate to I-9s?
In an era of frequent data breaches of employee and customer information, and heightened awareness and litigation surrounding these breaches, employers should understand how to store and transmit the I-9 forms which they complete for all U.S. employees upon hire. The I-9 contains Personally Identifiable Information (PII) that must be safeguarded.
For example, Section 1 of the I-9 asks for:
- Date of Birth
- Social Security Number
The I-9 also asks employees to provide information about their immigration status, such as:
- Alien registration number (for permanent residents)
- I-94 number
- Passport number and country of issuance
In addition, E-Verify employers are required to complete a photo match for certain documents including a U.S. passport, Employment Authorization Document (EAD), and Permanent Resident Card. E-Verify employers are required to retain a photocopy of these documents. Whether stored electronically or in hard copy with the I-9, this photocopy is another source of PII which the employer must protect.
How can employers limit their exposure to an I-9 data breach?
Employers can take the following steps to reduce PII exposure:
- Store I-9s in a secure, locked location where access is limited (or password protected if stored electronically)
- Store I-9s separately from employees’ personnel files to limit access and simplify the retention process
- Purge and properly dispose of I-9s that have passed the required retention period (3 years from the date of hire or 1 year from the date of termination, whichever is later)
For electronic I-9 storage, a solid records program should:
- Ensure that only authorized personnel have access to electronic records
- Provide for backup and recovery of records to protect against information loss
- Record the date, the identity of the individual who created or changed the record, and the action taken for all updates, modifications, and corrections made to the I-9 (per USCIS’ M-274 Handbook for Employers)
When transmitting the I-9 electronically, employers should do so in a secure manner. At a minimum, the file should have password protection. Sending the file in encrypted form is recommended.
What if I cannot locate some I-9s?
There is a difference between not completing I-9s for every employee (this would be an immigration compliance problem) and having filled out I-9s but now being unable to locate those completed forms. Losing or misplacing I-9s is potentially a PII data breach as well as an immigration compliance issue.
Per some states’ laws, a data breach will require the employer to notify the individuals affected. In other states, the employer must notify the individual plus the state Attorney General. Depending on the jurisdiction, the employer may have an obligation to perform this notification within a certain amount of time.
If you are unable to locate I-9s that you know were completed, it is advisable to seek assistance from privacy counsel to determine whether any steps should be taken.
Any other advice?
To best protect employer and employee information, employers should work with privacy counsel to develop a policy that defines PII for the company and provides guidance on how such information must be secured. That policy should apply to any individual who works with or has access to that information: employees including HR, vendors, and other third parties.
I-9s should be included in the policy’s list of documents that should be secured and that should be included in a data breach incident report (if the I-9 is lost or misplaced).
Employers should provide regular information security training to employees.