Workplace Privacy


Electronic Surveillance Laws

A statutory regime that governs specific monitoring practices by employers. This includes the Wiretap Act, the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA).

The Employee Polygraph Protection Act of 1988

A statutory regime that governs specific monitoring practices by employers. This limits employer use of lie detectors.

Data Loss Prevention (DLP)

A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users. DLP is a strategy used by businesses to ensure that sensitive data is not accessed, misused or lost by unauthorized users. DLP software and tools accomplish this goal by monitoring and controlling endpoint activities as well as protecting data as it moves. DLP combines (1) the use of information security tools, (2) the utilization of training for employee behavioral modification and (3) the implementation of effective standards, policies and procedures. DLP is designed to ensure that privacy protection is an integral part of the methodology.

US Constitutional Protections

Apply specifically to government employees.

The Federal National Child Protection Act

Authorizes state officials to access the FBI's National Crime Information Center database for some positions that involve contact with children.

The Consumer Financial Protection Bureau (CFPB)

Both the FTC and the CFPB regulate unfair and deceptive practices and enforce a variety of laws, including the FCRA, which limits employers' ability to receive an employee's or applicant's credit report, driving records, criminal records and other consumer reports obtained from a CRA.

State Law and Employment Privacy

Employees tend to have narrow protections under contract, tort and statutory law. The free market approach of US law applies broadly, except where a discrete problem has arisen and prompted a response by the legal and political system. Each state has an agency, often called the Department of Labor, that oversees the state labor laws. These laws include state minimum wage laws and laws limiting work by minors. This same department also administers state unemployment insurance programs and employee rehabilitation programs. Some departments also conduct safety inspections of worker conditions.

Using Social Media to Monitor Current Employees

Employers may choose to use social media for their business as well as to screen prospective employees. Social media monitoring is used to keep track of current employees to mitigate brand or reputation damage. There are potential risks when using social media to keep track of current employees. Employees must be careful not to violate antidiscrimination and privacy laws.

The Vail Letter

Employers frequently use third parties to investigate employee misconduct, often as an "undercover aspect of the investigation," although this raises corporate liability under the FCRA (which requires notice and consent from the employee in order for the employer to obtain a consumer report). According to an FTC opinion letter known as the "Vail Letter," if an employer hired an outside organization such as a private investigator or background research firm to conduct these investigations, the outside organization constituted a CRA under the FCRA and any report furnished to the employer by the outside organization was an "investigative consumer report." Under this opinion, an employer that received these reports was required to comply with the FCRA by providing notice to the suspected employee and obtaining consent (which kind of defeats the purpose of obtaining the investigative report). FACTA amended the FCRA to address the problems created by the Vail Letter. Along with other FCRA and FACTA provisions (discussed in the Financial Privacy Section), FACTA provided that, if certain conditions were met, an employer is no longer required to notify an employee that it is obtaining an investigative consumer report on the employee from an outside organization in the context of an internal investigation. Specifically, FACTA changed the definition of "consumer report" under the FCRA to exclude communications relating to employee investigations from the definition if three requirements are met:
(1) The communication is made to an employer in connection with the investigation of: (1) suspected misconduct related to employment or (2) compliance with federal, state, or local laws and/or regulations, the rules of a self-regulatory organization, or any preexisting written employment policies.
(2) The communication is not made for the purpose of investigating a consumer's creditworthiness, credit standing or credit capacity and does not include information pertaining to those factors.
(3) The communication is not provided to any person except: (1) the employer or agent of the employer; (2) a federal or state officer, agency, or department, or an officer, agency or department with authority over the activities of the employer or employee; (4) as otherwise required by law; (5) pursuant to 15 USC 1681f, which addresses disclosures to government agencies.

Location-based Services (LBS)

Mobile phones, GPS devices, and some tablet computers provide geolocation data, which enables tracking of the user's physical location and movements. This creates a category of personal information that typically did not exist before the prevalence of these mobile devices. Employers interested in monitoring the location of company vehicles equipped with GPS may generally do so without legal hindrance, provided that the monitoring occurs for business purposes during work hours, and employees have been informed beforehand. If a company wants to monitor the location of its employees themselves, though, it may face greater legal barriers. Some states limit monitoring of employee geolocation data to an extent.

Occupational Safety and Health Administration (OSHA)

OSHA requires employers to provide a safe workplace that complies with occupational health and safety standards. These standards require employees to perform tasks in a safe manner in order to avoid injury. Thus, ensuring compliance with OSHA is one legal reason to monitor employees.

The Fair Credit Reporting Act (FCRA)

Regulates the use of "consumer reports" obtained from consumer reporting agencies (CRAs) in reference checking and background checks of employees. The FCRA and antidiscrimination laws create national rules that structure how information is gathered and used pre-employment.

Federal Employee Privacy Protection

Several federal agencies handle this, including: the Department of Labor (DOL), the Equal Employment Opportunity Commission (EEOC), the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and the National Labor Relations Board (NLRB).

Using Social Media to Screen Potential Employees

Social media has been used increasingly to screen prospective hires. Companies now exist that are dedicated entirely to tracking an individual's online presence and screening candidates for predesignated elements selected by the employer. These could include potential drug use, criminal activity, or unsafe behavior. These companies could be under the FCRA for background check information.

SCA

Strong Customer Authentication - This is a requirement of PSD2, which asks businesses to use at least two authentication elements to verify electronic payments. The SCA creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided. Violations for interceptions can lead to criminal penalties or civil lawsuits.

Consumerization of Information Technology (COIT) and BYOD

The COIT trend refers not only to the use of personal computing devices in the workplace but also to online services, such as webmail, cloud storage, and social networking. BYOD is a manifestation of the COIT trend, in which employees use their personal computing devices for work purposes. BYOD comes with a lot of security and privacy challenges, though.

The Equal Employment Opportunity Commission (EEOC)

The EEOC works to prevent discrimination in the workplace. The EEOC oversees many laws, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA). The EEOC has cautioned businesses that they should carefully review background screening processes, such as denying employment based on criminal convictions, to ensure that their requirements are job related and consistent with business necessity.

EU Employee Privacy

The European Union (EU) includes employee privacy within its general rules applying to the protection of individuals. Monitoring is permitted only with specific legal justification, and background checks are limited in scope. Employees have broad workplace privacy expectations and rights. Companies with employees in the US and other countries thus must be alert to the possibility that different workplace rules apply in connection with employment privacy. This can make the privacy professional's job hard when a multinational corporation's human resource data systems in one country contain PII about employees residing in other countries, or even when employees share PII across borders, such as through email or other communication channels (for example).

Other Federal Laws with employment privacy implications regulate data collection and record keeping...

- The Fair Credit Reporting Act (FCRA) regulates the use of "consumer reports" obtained from consumer reporting agencies (CRAs) in reference checking and background checks of employees.
- The Fair Labor Standards Act (FLSA) establishes the minimum wage and sets standards for fair pay.
- The Occupational Safety and Health Act (OSHA) regulates workplace safety.
- The Whistleblower Protection Act protects federal employees and applicants for employment who claim to have been subjected to personnel actions because of whistleblowing activities.
- The National Labor Relations Act (NLRA) sets standards for collective bargaining, which also applies in social media communications.
- The Immigration Reform and Control Act (IRCA) requires employment eligibility verification.
- The Securities Exchange Act of 1933 requires disclosures about payment and other information about senior executives of publicly traded companies as well as registration requirements for market participants such as broker-dealers and transfer agents.

Constitution Law

The US Constitution has significant workplace privacy provisions that apply to the federal and state governments, but they do NOT affect private-sector employment. Notably, the 4th Amendment prohibits unreasonable searches and seizures by state actors. Courts have interpreted this amendment to place limits on the ability of government employers to search employees' private spaces, such as lockers and desks. Some states, including California, have extended their constitutional rights to privacy to private-sector employees. In general for private-sector actors, however, there is no state action, and no constitutional law governs employment privacy.

US Federal Employment Laws

The US has a number of federal laws that prohibit discrimination. These provide employees with some privacy protection because they limit questioning with respect to what is being protected, such as age, national origin, or disability. The US has federal laws that regulate employee benefits management (which offer certain privacy and security protections for benefits-related information). They also mandate collection of employee medical information. These laws include the following protections:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains privacy and security rules that regulate "protected health information" for health insurers, including self-funded health plans.
- The Consolidated Omnibus Budget Reconciliation Act (COBRA) requires qualified health plans to provide continuous coverage after termination to certain beneficiaries.
- The Employee Retirement Income Security Act (ERISA) ensures that employee benefits programs are created fairly and administered properly.
- The Family and Medical Leave Act (FMLA) entitles certain employees to unpaid leave in the event of birth or illness of self or a family member.

Intercepting Communications

The Wiretap Act and the Electronic Communications Privacy Act (ECPA) are generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails. The exact rules for wire, oral and electronic communications vary and unless an exception applies, interception of these communications is a criminal offense and provides a private right of action.

Sutton v. United Air Lines

The court held that pilots with severe myopia - but correctable with glasses - did not have a disability under the ADA because a "disability exists only where an impairment substantially limits a major life activity, not where it 'might', 'could' or 'would' be substantially limiting if mitigating measures were not taken."

The Department of Labor (DOL)

The mission of the DOL is "to foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the US; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights." To achieve this mission, the department administers a variety of federal laws, including the FLSA, OSHA and ERISA.

Substance Use Testing

There is no federal privacy statute that directly governs employer testing of employees for substances such as illegal drugs, alcohol or tobacco. For public-sector workers, there is considerable case law under the 4th Amendment about when such testing is reasonable. The ADA specifically EXCLUDES current illegal drug use from its protections, and a test for drug use is not considered a medical examination. Federal law mandates drug testing for certain positions within the federal sector, including employees of the US Customs and Border Protection. Federal law also created regulation for drug testing for employees in the aviation, railroading and trucking industries. The rules preempt state laws that would otherwise limit drug testing. A majority of states have passed one or more statutes governing the testing of employees for drugs and/or alcohol.

Important Note

There is no overarching or organized law for employment privacy in the US. Federal laws apply in specific areas, such as to prohibit discrimination and regulate certain workplace practices, including employment screening and the use of polygraphs and credit reports. State law and tort law in some instances provide protections for employees, but usually the employee must show fairly bad practices to succeed. State legislatures have enacted numerous employment privacy laws, providing protections to employees in a bewildering range of specific situations, which often vary state by state.

The National Labor Relations Board (NLRB)

This administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.

The Employee Polygraph Protection Act of 1988 (EPPA)

This is a prominent example of federal protection of privacy in the workplace. Under the act and its regulations, issued by the DOL, employers are prohibited from using "lie detectors" on incumbent workers or to screen applicants. This includes polygraphs, voice stress analyzers, psychological stress evaluators, or any similar device used for the purpose of rendering a diagnostic opinion regarding an individual's honesty. EPPA does have some exceptions for certain occupations (including government employees, employees in certain security services, those engaged in the manufacture of controlled substances, certain defense contractors and those in certain national security functions).

Americans with Disabilities Act (ADA)

This law forbids employers with 15 or more employees from discriminating against a "qualified individual with a disability because of the disability of such individual" and specifically covers "medical examinations and inquiries" as grounds for discrimination. Before an offer of employment is made, the ADA permits such examinations and inquiries only where "job related and consistent with business necessity." A company may require a medical examination AFTER the offer of employment has been made and may condition the offer of employment on the results of such an examination. This is only allowed if all entering employees are subjected to this, confidentiality rules are followed for the results of the examination, and the results are used only in accordance with the statutory prohibitions against discrimination on the basis of disability. This Act was amended in 2008 with the ADA Amendments Act (ADAAA). Most importantly, the ADAAA legislatively overturned two US Supreme Court cases under which ADA claims were frequently rejected: Sutton v. United Air Lines and Toyota v. Williams (more detail on these below).

Tort-Law for Workplace Privacy

Three common torts are relevant to employee privacy (note - liability for these is hard to impose):
(1) Intrusion upon seclusion - states, "One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person." Example: If the employer puts a camera or peephole in a bathroom - a jury would find this offensive.
(2) Publicity given to private life - states, "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public." Courts have been cautious in finding these.
(3) Defamation - this focuses on a false or defamatory statement, and is defined as a communication tending "so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him." For employment law, these can arise, for example, if a false drug testing report is issued or if a former employer provides a factually incorrect reference to a possible future employer.

Toyota v. Williams

Toyota further limited the scope of the ADA, rejecting a claim that carpal tunnel syndrome limited a worker's ability to work with power tools, holding that "an individual must have an impairment that prevents or severely restricts the individual from doing activities that are of central importance to most people's daily lives. The impairment's impact must also be permanent and long-term." The ADAAA significantly expanded the scope of ADA protections by broadly defining disabilities to include conditions that are mitigated, in remission, or episodic if they would substantially limit a major life activity of an employee when active or absent mitigation. Pursuant to the ADAAA, the EEOC released regulations addressing the scope of the ADA in 2011.

Employment Background Screening

Typically, anyone who works with the elderly, children or the disabled must now undergo background screening.

Postal Mail Monitoring

US federal law generally prohibits interference with mail delivery. Mail is considered "delivered," however, when it reaches a business. Someone working for that business can open that mail or package and does NOT violate that statute (even if that representative was not the intended recipient). Personal email should not be sent to work when possible, though.

US "Employment at Will"

US law looks at the relationship between the employer and employee as fundamentally a matter of contract law. The general rule in the US is employment at will, which means the employer has broad discretion to fire an employee. That discretion, in turn, has been understood to grant the employer broad latitude in defining other aspects of the employment relationship, such as issues about the employer's knowledge about an employee. A contract, though, can alter the rules between employer and employee. An example of this is unions negotiating for limits on drug testing and monitoring of the workplace by the employer.

California Investigative Consumer Reporting Agencies Act (ICRAA)

Under the ICRAA, employers must notify applicants and employees of their intention to obtain and use a consumer report. Once disclosure is made, the employer must obtain the applicant or employee's written authorization prior to requesting the report. Disclosure requirements under ICRAA are more stringent than under the FCRA. Under the ICRAA, any person who acquires an investigative consumer report for employment purposes must provide separate written disclosure to the applicant or employee before the report is obtained.

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act of 1986 was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data... ECPA does NOT generally preempt stricter state privacy protections. Notably, certain state laws protect email communications.

