Human Resource professionals should take part in a company’s data security process, making sure that goals are realized and that messaging is fully comprehended. When employers take “reasonable measures” to protect workers’ personal information, the danger of company liability is lessened. Employers may want to include ethics training and establish a corporate code of conduct that requires employees to report questionable practices. Companies should be sure employees are protected from retaliation for reporting wrongdoing.

Privacy and data security

Over the past few years, few could have missed the news headlines detailing large, well-known companies that have fallen victim to data security breaches. The phenomenon has become all too common, and companies all over the country have faced negative publicity and considerable fines in the wake of their data being improperly shared.

HR’s role in data security

  • HR professionals should take part in a company’s data security process, making sure that goals are realized and messaging is fully comprehended.
  • Enforcement of disciplinary actions involving employees must be monitored and supported by HR personnel.

There’s some disagreement in the business world over the extent to which human resources (HR) professionals should be concerned about data security in their organizations. Some believe that it’s solely an information technology (IT) function, and it might be for companies that have an IT department. But even in companies with IT departments shouldering the bulk of data security concerns, HR still has a role to play.

Creating policies

HR tends to be the keeper and communicator of company policies. A company cannot effectively protect the security of its data without creating a plan to do so and informing employees of that plan.

While HR may not be solely responsible for drafting a data security policy, it should be involved to help ensure company goals are consistently represented and that the messaging is clear. HR may also be able to provide a less technical perspective that may be more in line with the view of most employees.

Getting the word out

Contrary to popular belief, data security breaches aren’t as likely to be caused by rogue hackers as they are by current and former employees. In most companies, employees who have access to data that could be part of a costly breach aren’t just IT workers, nor are they limited to a company’s top executives.

HR’s job includes identifying any employee who might benefit from understanding the company’s procedures for protecting sensitive data and making sure HR has the information necessary to do its part to prevent a breach.

Employers in certain industries are required to conduct data security training. They may also be required to conduct such training by a contract the company holds with the government or another entity. Even in the absence of mandated instruction, training for employees is an important step in preventing data breaches.

Employees must know what personally identifiable information (PII) is, common ways data is compromised, and what’s at stake when it is mishandled. Training should review the company’s policies surrounding the protection of PII, as well as who to contact when a breach of such information may have occurred.

Workers can benefit from learning about traps other companies have fallen into in recent years. For instance, an employee might be faced with a phishing expedition.

A phisher typically drafts an email using real company logos from a source the employee would recognize and trust. The email directs the recipient to click on a link and, once redirected to a fake website, the worker is asked to supply a username, password, credit card data, and other personal information. Even if an employee doesn’t provide any PII, clicking a phishing link could give scammers dangerous access to the company’s network.

A significant breach of a major and well-known U.S. retailer in 2013 was thought to have begun when an HVAC (heating, ventilation, and air-conditioning) company with which the retailer did business was the victim of a phishing attack. From there, phishers gained access to the retailer’s data. This example not only reinforces the need to train employees, but also to ensure that vendors and contractors are vigilant about employee training.

Getting buy-in

Part of communicating a data security policy is making sure employees understand the risks involved if data is breached. Training should convey the seriousness of the employer’s internal policies and procedures. It must help employees understand precisely how failing to follow the policy (from each of their individual roles within the company) could contribute to a breach. Employees who don’t understand the point of the guidelines are considerably less likely to follow them.

Enforcement

As with any policy, HR also has a role in the everyday application of a data breach policy. Employers that hope to prevent a data breach must be willing to implement discipline when employees exhibit behaviors prohibited by company policies, even if those behaviors don’t lead to a breach of data. While HR professionals may not be the ones implementing discipline, they must ensure managers practice consistent enforcement and must provide support for discipline when needed.

Limiting access and protecting data

Beyond training, employers must ensure that individual employees don’t have unnecessary access to any PII. For starters, employers should verify that any PII collected by the company is amassed for a specific reason. Where data is necessary, controls should be in place to ensure it is available only to employees with a clear business need to access it.

When these controls include individual user passwords, employees need to be reminded to create them thoughtfully and to keep passwords secure. Despite an increasing awareness of the importance of data security, “password” and “12345” have been at or near the top of the list of most common internet passwords year after year.

Preventing employee identity theft

  • Under FACTA, employers run the risk of civil litigation if their actions are deemed responsible for an employee’s identity being stolen.
  • When employers take “reasonable measures” to protect workers’ personal information, the danger of company liability is lessened.

Employers — especially their human resources (HR) departments — house quite a bit of employee personal information. This is a responsibility that employers must take seriously, particularly since the workplace is the number one source of identity theft.

This considerable responsibility translates into risk for employers. They can be held civilly liable under the Fair and Accurate Credit Transactions Act (FACTA) if their actions (or lack thereof) lead to the theft of an employee’s identity. Penalties include up to $2,500 per employee as well as the cost of actual damages suffered by individuals.

Identity theft and the law

Under FACTA, employers are required to safeguard all information about employees that is derived from a “consumer report.” This report includes any information obtained from a consumer reporting agency that is expected to be used in establishing employment eligibility.

Personal information includes a variety of identifiers beyond an individual’s name, including (but not limited to) telephone numbers, physical addresses, Social Security numbers, credit card numbers or other account numbers, email addresses, and driver’s license numbers. This type of data stored on paper or any other media all falls under FACTA.

Mitigating risk

FACTA requires employers to take “reasonable measures” to safeguard employees’ personal information. What is considered reasonable will depend on many factors, including the nature and size of the company, the sensitivity of the information, and the cost and benefit of a particular method of protecting information. That being said, here are several ways that employers can limit their risk of liability under FACTA:

  • Maintain written policies and procedures. Establishing (and following) written policies and procedures for keeping data secure can limit an employer’s liability even if the employer fails to keep data secure. These policies might outline data security measures, confidentiality provisions, or processes to identify or screen individuals who will have access to employees’ personal data.
  • Offer identity theft protection. Employers are not required to pay for identity theft protection, and employees may choose to decline the protection. However, the key to mitigating risk is to offer the benefit to employees while educating them about the risks of identity theft.
  • Follow FACTA’s disposal rule. Under FACTA, employers are required to take appropriate measures to dispose of information obtained from consumer reports to prevent unauthorized use of the information. Employers may determine a reasonable means to dispose of the records, which may include burning, pulverizing, or shredding paper records and erasing or destroying electronic records.

Safeguarding employees’ personal information may be required under FACTA, but it’s also a wise business practice. As many as nine million Americans (about one in 25 adults) have their identities stolen each year, according to the Federal Trade Commission (FTC). Depending on severity, the damage done by identity theft can take days or even months to undo. Employers can bet the disruption to employees’ personal lives will roll over into work time and almost certainly affect productivity.

Sarbanes-Oxley Act of 2002

  • Affecting the behavior of publicly traded entities, the Sarbanes-Oxley Act implements several safeguards to prevent potential improprieties.
  • This legislation places responsibility on HR professionals to clearly inform executives and employees about their obligations under the act.

The Sarbanes-Oxley Act of 2002 applies to companies that are publicly traded and to private subsidiaries of publicly traded companies. Passed in response to financial scandals, the act contains a number of provisions, including the following:

  1. Whistleblower provision. This protects employees who report conduct that violates the laws of the Securities and Exchange Commission (SEC) involving fraud against shareholders. It is illegal to discriminate or retaliate against an employee in response to that individual’s reporting of illegal financial activity. The Occupational Safety and Health Administration (OSHA) is the agency designated for receiving Sarbanes-Oxley complaints.
  2. Corporate responsibility for financial reports. Both the chief executive officer (CEO) and chief financial officer (CFO) must certify the accuracy of financial statements filed with the SEC. The act also prohibits them from attempting to influence or mislead auditors and requires that a code of ethics be adopted for senior financial officers.
  3. Blackout periods. The act mandates that no officer, director, or other insider may buy or sell company stock during pension fund blackout periods. It also requires 30 days’ notification to employees in advance of blackout periods. This applies to 401(k) plans as well as other retirement plans.
  4. Incorporates the Corporate and Criminal Fraud Accountability Act of 2002, which makes it a felony to knowingly destroy or create documents to impede, obstruct, or influence a federal investigation. This act includes white collar crime penalty enhancements, including hefty fines and imprisonment up to 20 years for tampering with records.
  5. Establishes the Public Company Accounting Oversight Board (PCAOB) to create standards for auditors and conduct inspections of accounting firms. It also requires public companies to have audit committees to develop procedures for receiving and investigating complaints regarding internal controls, accounting, and auditing, and to oversee the work of the company’s auditors.
  6. Prohibits company loans to directors or officers and provides for repayment of some earnings by CEOs and CFOs if earnings must be restated due to misconduct.
  7. Requires the establishment of internal controls for financial reporting, management’s assessment of those controls, and an auditors’ report.
  8. Increases the penalties for violating the Employee Retirement Income Security Act of 1974 (ERISA) reporting and disclosure requirements to a fine of up to $100,000 and imprisonment up to 10 years.

For human resources (HR), the Sarbanes-Oxley Act suggests the need to educate directors, officers, employees, and auditors about obligations of that act. Procedures should be established for handling internal Sarbanes-Oxley complaints and for document retention. Compensation practices for executives should be reviewed. In particular, stock options as a form of executive compensation are being viewed with a more critical eye because of the temptation of insiders to artificially inflate the stock price.

Employers may want to include ethics training and establish a corporate code of conduct that requires employees to report questionable accounting practices. Companies should be sure employees are protected from retaliation for reporting wrongdoing.

Privacy in the workplace

  • Multiple laws are in effect that regulate employee privacy, and employers would be prudent to know and understand them.
  • The NLRA secures the rights of workers to conduct discussions on employment issues, and recordings and photographs are allowed.

Privacy in the workplace is often a fine line between an employee’s rights to privacy and an employer’s need for security. In some cases, laws protect an employee’s right to privacy. In other cases, the situation may end up being determined in court. Sometimes employers have to balance the needs of the organization and the rights of employees.

Unfortunately, if a situation goes to court, it could cost an employer hundreds of thousands of dollars in damages. The number of cases that involve employee privacy is growing. Employers may benefit from understanding the laws that govern employee privacy and what they can do to protect themselves from litigation.

Laws and legislation

A number of federal laws govern an individual’s privacy:

  • The Employee Polygraph Protection Act prohibits the use of lie detectors in employment decisions, except for narrow applications.
  • The Electronic Communication Privacy Act is intended to provide individuals with some privacy protection in their electronic communications.
  • The Stored Communications Act prohibits the intentional unauthorized access of communications that are stored with an internet service provider.
  • The Americans with Disabilities Act requires employee and applicant medical information to be kept confidential.
  • The Health Insurance Portability and Accountability Act restricts the use and disclosure of an individual’s private health information without authorization.

These are federal laws that may apply to employment situations. Employers should keep in mind that many states have implemented privacy laws that go beyond the requirements of federal laws. There may even be local laws that apply.

Recording conversations in the workplace

Sometimes, it makes business sense to record certain communications in the workplace. For instance, many companies record customer service calls between employees and customers for quality purposes. From time to time, employers may want to record conversations between employees, perhaps between an employee and a human resources (HR) representative. Employees themselves may even want to record conversations such as these.

The parameters for recording vary by state. Some states are one-party consent states with regard to audio recording, which means that only one party to the conversation needs to give consent to a recording, and that could be the person recording the conversation (assuming that person is a party to the conversation). In those states, employees could potentially record a conversation in the workplace without informing the other parties to the conversation of the recording. Note that an employee could only record a conversation to which the employee had access.

All states except for 12 are one-party consent states. These 12 are two-party (or all-party) consent states:

  • California
  • Connecticut
  • Florida
  • Illinois
  • Maryland
  • Massachusetts
  • Michigan
  • Montana
  • New Hampshire
  • Nevada
  • Pennsylvania
  • Washington

In those 12 states, all parties to the recording must give consent for it to be legal. In one-party states, an employee or an employer could legally make a secret recording.

Recording policies

Historically, even when a recording could be legally made, employers weren’t required to allow them. An employer could typically have (and enforce) a no-recording policy in the workplace.

However, in February 2016, in Whole Foods Market Group, Inc., the National Labor Relations Board (NLRB) ruled that the making of certain recordings (audio, video, and photography) can be protected activity under the National Labor Relations Act (NLRA). In June 2017, the Second Circuit Court of Appeals agreed with the board that the employer’s overly broad rules violated the NLRA.

The NLRA protects employees’ rights to discuss terms and conditions of employment with one another to determine whether they might benefit from the services of a labor union. According to the NLRB, recordings and photographs can be a protected part of such a discussion. For instance, if an employee recorded inconsistent or unlawful management behavior to encourage other employees to take action, such a recording may be protected activity.

Likewise, if employees are documenting unsafe working conditions, that photo or recording would likely be protected. Essentially, if a recording in the workplace is part of one or more employees’ efforts to discuss or provoke action regarding terms and conditions of employment, it would probably be considered protected activity under the NLRA.

Employers should make sure the language used in their recording policies can’t be construed to limit employees’ rights under the NLRA. Policies should be specific and detailed, with examples whenever possible. A policy might remind employees that recordings and photography are prohibited where these activities could compromise trade secrets or customers’ personally identifying information, for example.

GPS tracking

In addition to video recording, some employers track employees’ physical movements using global positioning system (GPS) technology. Employers may want to track employees to ensure they are working where and when they say they are.

With GPS tracking, employers must turn to case law for guidance. Generally speaking, courts have held that monitoring employees’ positions while they are working is reasonable. As with video recording, it greatly helps an employer’s case to establish a business justification for tracking. Employers also help themselves by making sure employees know they are being tracked; this ensures they don’t have an expectation of privacy during working hours.

Some employers want to track employees’ positions outside of work hours. However, in such a case, a legitimate business reason for tracking the employee would be much more difficult to justify. While there isn’t much case law yet in this area involving employers, a 2012 case before the U.S. Supreme Court provides some guidance. In this case, a drug trafficking conviction was overturned after law enforcement officials used GPS tracking to monitor the defendant’s movements for a lengthy period of time. The court indicated such tracking violated the individual’s right to privacy. While this involved a private citizen, not an employee, it gives employers an idea about how monitoring an individual’s personal time might be viewed.

Personal property vs. company property

  • To win disputes over privacy rights, employers need to clearly inform their workers about expectations of privacy in the workplace.
  • Reimbursement to an employee for business use of a personal device or cell phone does not establish ownership of that device.

Just how far can employers go to ensure the safety and security of their business and employees? Can they look into an employee’s car, briefcase, or purse? Can they look into employee lockers or desks?

These questions do not always have black-and-white answers of yes or no. It usually depends upon the situation, and often the details thereof. An important factor is the expectation of “privacy.” Employees should be told that any employee property (e.g., purses, backpacks, or even vehicles) on the company premises is subject to search.

A policy that removes the expectation of privacy is essential to inform employees of the company’s rights. Employers are more likely to prevail in disputes over privacy rights if employees have been clearly informed they should have no expectation of privacy in the workplace.

If an employer deems it necessary to conduct a search, or to otherwise invade an employee’s privacy, the company should always choose the least-invasive method of conducting the search. For example, asking an employee with a purse to empty that purse is less invasive than demanding the employee turn over the purse and allow a supervisor to remove its items.

Companies should never conduct a “pat down” or body search of an employee. Unwelcome physical contact may be viewed as harassment or even assault.

Employers should also consider procedures that contribute to the removal of privacy expectations. For example, if employees are provided with lockers for personal items, the company might consider providing the locks and informing employees that the company retains a master key for searching the lockers. Courts have found that when employees are allowed to provide their own locks, the expectation of privacy increases.

Employees who refuse to consent to a search should not be detained. If the employee wants to leave the premises, and the company prevents the employee from leaving, this could be viewed as unlawful detainment (essentially a form of kidnapping). Such employees can be informed that their job is at stake, and they can be terminated for refusing to consent to a search, but they cannot be prevented from leaving company property.

Employee-owned devices

Courts have addressed company-issued devices, but the right to access information sent over devices owned and issued by the employer does not extend to employee-owned devices. While employers have the right to monitor how their own equipment is used, they do not have any special rights to access information sent over privately owned devices.

Some employers provide reimbursement for business use of employees’ personal devices or cell phones, but paying for business use does not establish ownership of the device (just as providing mileage reimbursement for the business use of a personal vehicle does not establish ownership of the vehicle). Employers may certainly offer a stipend or other compensation when expecting employees to use a personal cell phone for business, but doing so does not result in the same access privileges as company-issued equipment would offer.

Of course, employees could voluntarily disclose the manner in which their devices have been used, or messages sent to another person could be shared by that recipient. For instance, if an employee sends an offensive text message to a coworker, the coworker may share that information with the employer.

The Stored Communications Act applies broadly to “electronic” communications. Employers must obtain authorization to access information stored with a provider (such as text messages sent via cell phone). Generally, such access must be granted voluntarily, without threat of discipline or termination. Again, the recipient of the message could voluntarily share the message, but the sender should not be coerced to grant access.

If an employer suspects (or has evidence) of impropriety that impacts the business, then information sent over personal devices may be discoverable as part of a legal proceeding (e.g., under a subpoena), but the employer would not have a blanket right to access information, nor would the employer have the right to obtain records from a service provider without a court order.

Electronic security

  • Certain ECPA provisions let employers monitor employee communications if a legitimate reason can be proven or if the worker agrees in writing.
  • Many states deny employers access to an employee’s social media pages, especially that worker’s restricted or “hidden” information.

Beyond the physical objects that can encompass employee privacy, such as the desk and briefcase, electronic entities can bring up the issue of privacy. These include email, telephones, and computers. Can an employer monitor the telephone calls of its employees? Can it read an employee’s email?

One thing to note: Courts have indicated that monitoring such communications during their transmission is generally frowned upon, but once they become stored, it’s equivalent to searching an employee’s files. For example, listening to a voicemail (stored on the company system) is no different than reading an email sent from a company email account.

Despite the Electronic Communications Privacy Act (ECPA) seeming to prohibit employers from intentionally listening to or otherwise intercepting employee communications at work, it has a couple of exceptions that impact employers:

  1. Employers may monitor oral and electronic communications if they can prove they have a legitimate business reason to do so.
  2. Employers may monitor employee communications if they have the written consent of the employee. This exception is not limited to business communications.

Most people are familiar with business calls that indicate the call is monitored for business purposes.

The ECPA does not prevent access to electronic communications by system providers, which could include employers that provide the necessary electronic equipment or network to their employees. Courts have found that monitoring employees’ electronic transmissions involving email, the internet, and computer file usage on company-owned equipment is not an invasion of privacy. This holds true even in situations where employees have password-protected accounts.

Computer use and internet access

An employer can monitor employees’ email, internet access, and certain other use of a company computer. For instance, the history of websites an employee has visited can be accessed to determine if they are work-related (companies should have a policy and make employees aware of it). However, if an employee accesses a personal email account or website (such as Hotmail, Yahoo, or Facebook), the content may not be read without the employee’s express (and freely given) permission, even if it was accessed on work time with company equipment.

Companies can still impose discipline for accessing these sites at work (as abuse of internet privileges), but content stored on an outside server (in contrast to a company-owned server) is protected under the Stored Communications Act. This law prohibits the intentional unauthorized access of communications that are stored with an internet service provider.

Employee photographs

Employers sometimes want to take photographs of employees for various purposes, but employees aren’t always on board with the idea — some may even allege that the employer taking photos of employees is illegal or an invasion of privacy.

While photographs can be taken in some circumstances, some states have laws limiting the use of employee photographs for commercial purposes, which may come into play if an employer were to use employee photos in advertising pieces or on a company’s externally facing website. In states with such laws, employers would typically need consent from employees to use photographs in this way.

Even where employee photos will not be used commercially or in states where consent is not specifically required, employers may still want to respect employees’ privacy and either ask for their consent or offer them an opportunity to opt out. Employees may have valid reasons for not wanting their photographs taken.

Restrictions on social media access

Employers should be aware that many states prohibit employers from requiring (or even requesting) that an employee or applicant provide access to a social media page. Usually, any information that is publicly available can still be accessed, but “hidden” information cannot be accessed.

For example, if an individual (employee or applicant) uses social media, but the chosen settings for privacy still allow information to appear in an internet search, the information could be discovered and used by the employer. However, if the individual’s privacy settings would “hide” or restrict access to postings, an employer cannot request or require access to that information.

The federal Stored Communications Act prohibits an employer from obtaining access to an individual’s personal account without voluntarily given authorization.

Neither state nor federal laws restrict employers from monitoring computer use of company-owned or company-issued devices, nor do they restrict employers from accessing a company-sponsored social media page (such as a business page or account).

Policies related to privacy

  • Keeping confidential worker information private is an essential duty of employers, and they should have procedures and training to achieve this.
  • Employees can acquire greater peace of mind when their employer establishes a policy addressing the use of biometric data.

One of the more effective things employers can do is develop and enforce policies that remove employee expectancy of privacy. Workers should be informed upfront that the workplace is not a private place, and that to ensure security, the employer retains the right to perform:

  • Searches,
  • Inspections,
  • Checks, and/or
  • Tests.

These activities may involve all company property including grounds, buildings, company vehicles, rooms, offices, lockers, desks, computers (email and internet), and telephones.

Employers may retain keys to all lockable areas and make employees aware of this, as well as prohibiting the use of personal locks on company equipment.

If employers have such policies, they should be communicated so employees are aware of them, and the consequences of breaking the policies. Such policies should be read and signed by each employee to ensure awareness of them.

As an added measure, employers can post reminders of the policy in hard copy and electronically to promote the idea that the workplace is not private, and employees should have no reasonable expectation of privacy.

These policies should be applied to all employees to avoid any discrimination claims.

Employers have an obligation to keep private employee information private. These efforts can be enhanced via effective procedures and processes, along with any applicable training on the procedures and processes.

It’s also advisable to avoid crossing the line into an employee’s personal privacy. Unless absolutely necessary, employers should respect employee personal privacy, including such elements as medical information, family issues, etc., keeping in mind that laws protect a person’s individual privacy.

Employees should be trained how to respond to requests for information (including personal information) about other employees.

Medical information and privacy

Employers should keep any employee medical information they obtain, use, store, or disclose in separate, secure files apart from the personnel file. The Americans with Disabilities Act (ADA), enforced by the Equal Employment Opportunity Commission (EEOC), requires this for medical information obtained to determine an employee’s ability to perform job-related functions.

The U.S. Department of Health and Human Services also has privacy requirements for protected health information (PHI) held in connection with an employer’s group health plan. These requirements are spelled out in the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This information also must be kept private through policies, procedures, and physical security measures, and appropriate training is required for those who have access to it.

These requirements could involve a separate file cabinet kept under lock and key, and only those with a legitimate business-related justification to access those files would have a key. Employers should be aware that requirements to maintain confidentiality do not end when an employee leaves the company, so mixing personnel files with medical files should be avoided even after an employee quits, retires, or is terminated.

Most employers have policies that protect the privacy of employee information. Some employers, however, have accessed this type of information and used it to make employment decisions. For example, an employer may learn that an employee being considered for a promotion has a serious health condition that may impede the employee’s ability to work long hours, and pass over the employee on that basis instead of focusing on the employee’s ability to perform the job.

Other issues of employee or applicant private health information relate to genetics. A noted case involved an employer that wanted applicants to submit to a medical test that would reveal a genetic predisposition to a condition which might later require expensive treatment, so that it could weed out future trouble. Requesting or using genetic information in this way is now also prohibited by the Genetic Information Nondiscrimination Act (GINA) of 2008.

When it comes to the privacy of employees’ medical information, many employers think of the Health Insurance Portability and Accountability Act (HIPAA). However, this law primarily applies to an employer’s activities related to a health plan. It does not cover activities as an employer that include requesting medical information from applicants or employees. Instead, those requests fall under the Americans with Disabilities Act (ADA).

Employers may request medical information when the need to know is job-related and consistent with business necessity. However, any decisions affecting employment must be based on objective medical evidence, not merely opinion or speculation.

Biometric tracking in the workplace

Whether for security reasons or for ensuring the validity of time clock punches, employers may be using varying forms of biometric tracking in the workplace. While facial recognition, retina or iris scans, and voice analysis are all types of biometric tracking currently in use, the most commonly used biometric identifier is a fingerprint.

Employers using biometric data in their employment practices need to proceed with a certain amount of caution, however. Aside from the inevitable employee concerns about how these identifiers will be used and protected, certain laws also affect how biometric data may be used.

For instance, Illinois’ Biometric Information Privacy Act requires that employers have a written retention schedule for any biometric data collected, including how and when the data will be destroyed. The law also requires employees’ informed written consent to the collection, with notice of what information will be collected, why, and how it will be used.

Even where the law doesn’t require one, a policy addressing the use of biometric data can help ease anxiety that might crop up for employees. With any relevant state laws factored in, a thorough policy should identify:

  • What biometric data will be collected,
  • The reasons for the biometric collection,
  • The employer’s commitment to keeping employees’ information confidential to help protect employees from identity theft,
  • The employer’s methods for safeguarding information (including retention periods and destruction methods), and
  • An individual to whom concerns about biometric data can be directed.

HR’s role in data security

  • HR professionals should take part in a company’s data security process, making sure that goals are realized and messaging is fully comprehended.
  • Enforcement of disciplinary actions involving employees must be monitored and supported by HR personnel.

There is some disagreement in the business world over how far human resources (HR) professionals should concern themselves with data security. Some believe it is solely an information technology (IT) function, and in companies with an IT department the technical work largely is. But even where IT shoulders the bulk of data security, HR still has a role to play.

Creating policies

HR tends to be the keeper and communicator of company policies. A company cannot effectively protect the security of its data without creating a plan to do so and informing employees of that plan.

While HR may not be solely responsible for drafting a data security policy, it should be involved to help ensure company goals are consistently represented and that the messaging is clear. HR may also be able to provide a less technical perspective that may be more in line with the view of most employees.

Getting the word out

Contrary to popular belief, data security breaches are at least as likely to originate with current and former employees, through carelessness or misuse of access, as with outside attackers. In most companies, the employees with access to data that could be part of a costly breach are not just IT workers, nor are they limited to top executives.

HR’s job includes identifying any employee who might benefit from understanding the company’s procedures for protecting sensitive data and making sure HR has the information necessary to do its part to prevent a breach.

Employers in certain industries are required to conduct data security training. They may also be required to conduct such training by a contract the company holds with the government or another entity. Even in the absence of mandated instruction, training for employees is an important step in preventing data breaches.

Employees must know what personally identifiable information (PII) is, the common ways data is compromised, and what is at stake when it is mishandled. Training should cover the company’s policies for protecting PII, as well as whom to contact when a breach of such information may have occurred.

Workers can benefit from learning about traps other companies have fallen into in recent years. For instance, an employee might be faced with a phishing expedition.

A phisher typically drafts an email using real company logos, made to look as if it came from a source the employee would recognize and trust. The email directs the recipient to click a link; once redirected to a fake website, the worker is asked to supply a username, password, credit card data, or other personal information. Even if the employee enters nothing, clicking the link can deliver malware that gives the attacker a foothold on the company’s network.
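The mechanics described above can be checked mechanically before anyone clicks. The following is an added example, not code from the original article or from J. J. Keller: it parses the HTML body of a message, compares where each link visibly claims to go with where it actually goes, and flags the usual tricks (a look-alike spelling of a trusted domain, a bare IP address as the host, or a `user@host` prefix that hides the real host). The trusted-domain list and the sample message are constructed for illustration, and the registrable-domain logic is deliberately crude; a real mail gateway would use the public suffix list.

```python
"""Flag deceptive links in an HTML e-mail body (added example; constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: domains that staff legitimately receive mail and links from.
TRUSTED_DOMAINS = {"example-corp.com", "payroll.example-corp.com"}

# Substitutions used in look-alike domains; undone before comparison.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(host):
    """Fold look-alike characters so 'examp1e-c0rp.com' compares equal to 'example-corp.com'."""
    host = host.lower()
    for lookalike, real in CONFUSABLES.items():
        host = host.replace(lookalike, real)
    return host


def registrable(host):
    """Crude registrable-domain guess: the last two labels (a real tool uses the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def _host_in_text(text):
    """Host name the visible link text claims to point at, if the text looks like a URL or domain."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html):
    """Return one finding per link whose real target does not match what the reader sees."""
    parser = _LinkCollector()
    parser.feed(html)
    normalized_trusted = {normalize(d): d for d in TRUSTED_DOMAINS}
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.username is not None:
            # "http://trusted.com@evil/" - the part before '@' is userinfo, not the host.
            reasons.append(f"userinfo before the host hides the real host {host}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("IP-literal host")
        else:
            reg = registrable(host)
            if reg and reg not in TRUSTED_DOMAINS and normalize(reg) in normalized_trusted:
                reasons.append(f"look-alike of trusted domain {normalized_trusted[normalize(reg)]}")
        shown = _host_in_text(text)
        if shown and shown != host:
            reasons.append(f"visible text shows {shown} but the link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: one genuine link, one look-alike domain, one userinfo/IP trick.
SAMPLE_EMAIL = """
<p>Your payroll statement is ready.</p>
<a href="https://payroll.example-corp.com/statements">View statement</a>
<a href="http://payroll.examp1e-corp.com/login">https://payroll.example-corp.com/login</a>
<a href="http://example-corp.com@198.51.100.23/reset">Reset your password</a>
"""

if __name__ == "__main__":
    for finding in link_findings(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed message, the genuine payroll link produces no finding, the second link is reported both as a look-alike of a trusted domain and as a text/target mismatch, and the third is reported for the userinfo trick and the bare IP host. The same checks make a good basis for the "spot the phish" portion of employee training, since each reason maps to something a person can be taught to look for.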

A significant breach of a major U.S. retailer in 2013 was thought to have begun when an HVAC (heating, ventilation, and air-conditioning) contractor the retailer did business with fell victim to a phishing attack. Network credentials stolen from that vendor were then used to get into the retailer’s systems. The example reinforces the need to train employees, and also to ensure that vendors and contractors with access to the company’s network are equally vigilant.

Getting buy-in

Part of communicating a data security policy is making sure employees understand the risks involved if data is breached. Training should convey the seriousness of the employer’s internal policies and procedures. It must help employees understand precisely how failing to follow the policy (from each of their individual roles within the company) could contribute to a breach. Employees who don’t understand the point of the guidelines are considerably less likely to follow them.

Enforcement

As with any policy, HR also has a role in the everyday application of a data breach policy. Employers that hope to prevent a data breach must be willing to implement discipline when employees exhibit behaviors prohibited by company policies, even if those behaviors don’t lead to a breach of data. While HR professionals may not be the ones implementing discipline, they must ensure managers practice consistent enforcement and must provide support for discipline when needed.

Limiting access and protecting data

Beyond training, employers must ensure that individual employees don’t have unnecessary access to any PII. For starters, employers should verify that any PII collected by the company is amassed for a specific reason. Where data is necessary, controls should be in place to ensure it is available only to employees with a clear business need to access it.
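One way to build the two controls in this paragraph, purpose-bound collection and need-to-know reads, into the system that holds the data. This is an added example, not code from the original article or from any J. J. Keller product; the roles, field names, collection purposes, and the sample record are constructed assumptions, not a statement of what any law requires.

```python
"""Need-to-know access to employee PII (added example; roles, fields and data are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Data minimisation: a field may be stored only if a reason for collecting it is on record.
COLLECTION_PURPOSE = {
    "name": "employment record",
    "email": "workplace communication",
    "ssn": "tax reporting",
    "bank_account": "payroll direct deposit",
    "home_address": "tax and benefits mailings",
}

# Need to know: the fields each role's job actually requires. Anything not listed is denied.
ROLE_FIELDS = {
    "manager": {"name", "email"},
    "payroll": {"name", "ssn", "bank_account", "home_address"},
    "it_helpdesk": {"name", "email"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a field outside its business need."""


@dataclass
class PiiStore:
    records: Dict[str, Dict[str, str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # every read and every refusal is logged

    def store(self, employee_id, data):
        """Refuse to keep any field that has no declared collection purpose."""
        undeclared = sorted(set(data) - set(COLLECTION_PURPOSE))
        if undeclared:
            raise ValueError(f"no declared purpose for collecting {undeclared}")
        self.records[employee_id] = dict(data)

    def read(self, employee_id, role, fields, reason):
        """Return only the requested fields, and only if the role may see all of them.

        Callers must name the fields they want; there is deliberately no 'give me everything'.
        """
        fields = set(fields)
        denied = sorted(fields - ROLE_FIELDS.get(role, set()))
        if denied:
            self.audit.append(f"DENY role={role} employee={employee_id} fields={denied} reason={reason!r}")
            raise AccessDenied(f"role {role!r} has no business need for {denied}")
        self.audit.append(f"READ role={role} employee={employee_id} fields={sorted(fields)} reason={reason!r}")
        record = self.records[employee_id]
        return {f: record[f] for f in fields if f in record}


# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example-corp.com",
    "ssn": "000-00-0000",
    "bank_account": "****1234",
    "home_address": "1 Example St",
}


def demo():
    """Exercise the store: one allowed read, one refused read, one refused collection."""
    store = PiiStore()
    store.store("E100", SAMPLE_RECORD)
    payroll_view = store.read("E100", "payroll", ["name", "bank_account"], "run March payroll")
    try:
        store.read("E100", "manager", ["name", "ssn"], "curious")
        manager_blocked = False
    except AccessDenied:
        manager_blocked = True
    try:
        store.store("E101", {"name": "John Roe", "mothers_maiden_name": "Smith"})
        undeclared_blocked = False
    except ValueError:
        undeclared_blocked = True
    return payroll_view, manager_blocked, undeclared_blocked, store.audit


if __name__ == "__main__":
    view, blocked, undeclared, audit = demo()
    print(view, blocked, undeclared)
    print("\n".join(audit))
```

Two design choices carry the weight here: a request that names even one field outside the role's need fails as a whole (no partial answers that quietly leak), and the refusal is logged with the stated reason, which is what an investigator wants when a manager later turns out to have been fishing for an employee's health or financial details.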

When these controls include individual user passwords, employees need to be reminded to create them thoughtfully and to keep passwords secure. Despite an increasing awareness of the importance of data security, “password” and “12345” have been at or near the top of the list of most common internet passwords year after year.
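A reminder to be thoughtful does little on its own; the control that works is refusing the weak choice at the moment it is made. The following is an added example, not code from the original article: it rejects passwords that match a blocklist of common entries (including dressed-up variants such as "P@ssw0rd" or "Summer2024!"), contain the user's own name or the company name, or are runs of repeated or sequential characters. The blocklist is a short constructed sample standing in for the breached-password lists a real deployment would load, and the minimum length is an assumed policy value.

```python
"""Reject common and predictable passwords when one is chosen (added example; constructed blocklist)."""
import re

# Constructed sample of a common/breached-password blocklist; real lists run to millions of entries.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin", "summer"}
MIN_LENGTH = 8  # assumed policy minimum

# Substitutions people use to dress up a blocked word: P@ssw0rd is still password.
LEET = {"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i", "5": "s"}

# Runs checked in both directions: alphabet, digits and keyboard rows.
_SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _strip_tail(s):
    """Drop trailing digits and punctuation: 'password123!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", s)


def _has_sequence(s, n=4):
    """True if any n consecutive characters form a run like 'abcd', '4321' or 'qwer'."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if any(window in seq or window in seq[::-1] for seq in _SEQUENCES):
            return True
    return False


def weaknesses(password, username="", org_words=()):
    """Return the reasons a password should be rejected (an empty list means acceptable)."""
    reasons = []
    low = password.lower()
    folded = "".join(LEET.get(c, c) for c in low)

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Compare the raw, de-leeted and tail-stripped forms against the blocklist.
    for candidate in (low, folded, _strip_tail(low), _strip_tail(folded)):
        if candidate and candidate in COMMON_PASSWORDS:
            reasons.append(f"matches common password {candidate!r}")
            break

    # Context-specific words (the user's own name, the company name) are as guessable as the list.
    for word in (w.lower() for w in (username, *org_words) if w):
        if len(word) >= 4 and (word in low or word in folded):
            reasons.append(f"contains {word!r}")
            break

    if re.search(r"(.)\1{3,}", low):
        reasons.append("run of four or more repeated characters")
    if _has_sequence(low):
        reasons.append("sequential or keyboard-row run")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "12345", "Summer2024!", "correct horse battery staple"):
        print(f"{pw!r}: {weaknesses(pw, username='jdoe', org_words=['Acme']) or 'ok'}")
```

The check deliberately returns every applicable reason rather than stopping at the first, so the user is told exactly why a choice was refused; a long passphrase such as "correct horse battery staple" passes every test, which is the behaviour a policy built on blocklists rather than composition rules should have.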

Preventing employee identity theft

  • Under FACTA, employers run the risk of civil litigation if their actions are deemed responsible for an employee’s identity being stolen.
  • When employers take “reasonable measures” to protect workers’ personal information, the danger of company liability is lessened.

Employers, and their human resources (HR) departments in particular, hold a great deal of employee personal information. This is a responsibility employers must take seriously, particularly because the workplace is frequently cited as a leading source of identity theft.

This considerable responsibility translates into risk for employers. They can be held civilly liable under the Fair and Accurate Credit Transactions Act (FACTA) if their actions (or lack thereof) lead to the theft of an employee’s identity. Penalties include up to $2,500 per employee as well as the cost of actual damages suffered by individuals.

Identity theft and the law

Under FACTA, employers are required to safeguard all information about employees that is derived from a “consumer report.” This report includes any information obtained from a consumer reporting agency that is expected to be used in establishing employment eligibility.

Personal information includes a variety of identifiers beyond an individual’s name, including (but not limited to) telephone numbers, physical addresses, Social Security numbers, credit card numbers or other account numbers, email addresses, and driver’s license numbers. This type of data stored on paper or any other media all falls under FACTA.

Mitigating risk

FACTA requires employers to take “reasonable measures” to safeguard employees’ personal information. What is considered reasonable will depend on many factors, including the nature and size of the company, the sensitivity of the information, and the cost and benefit of a particular method of protecting information. That being said, here are several ways that employers can limit their risk of liability under FACTA:

  • Maintain written policies and procedures. Establishing (and following) written policies and procedures for keeping data secure can limit an employer’s liability even if the employer fails to keep data secure. These policies might outline data security measures, confidentiality provisions, or processes to identify or screen individuals who will have access to employees’ personal data.
  • Offer identity theft protection. Employers are not required to pay for identity theft protection, and employees may choose to decline the protection. However, the key to mitigating risk is to offer the benefit to employees while educating them about the risks of identity theft.
  • Follow FACTA’s disposal rule. Under FACTA, employers are required to take appropriate measures to dispose of information obtained from consumer reports to prevent unauthorized use of the information. Employers may determine a reasonable means to dispose of the records, which may include burning, pulverizing, or shredding paper records and erasing or destroying electronic records.

Safeguarding employees’ personal information may be required under FACTA, but it’s also a wise business practice. As many as nine million Americans (about one in 25 adults) have their identities stolen each year, according to the Federal Trade Commission (FTC). Depending on severity, the damage done by identity theft can take days or even months to undo. Employers can bet the disruption to employees’ personal lives will roll over into work time and almost certainly affect productivity.

Sarbanes-Oxley Act of 2002

  • Affecting the behavior of publicly traded entities, the Sarbanes-Oxley Act implements several safeguards to prevent potential improprieties.
  • This legislation places responsibility on HR professionals to clearly inform executives and employees about their obligations under the act.

The Sarbanes-Oxley Act of 2002 applies to companies that are publicly traded and to private subsidiaries of publicly traded companies. Passed in response to financial scandals, the act contains a number of provisions, including the following:

  1. Whistleblower provision. This protects employees who report conduct that violates the laws of the Securities and Exchange Commission (SEC) involving fraud against shareholders. It is illegal to discriminate or retaliate against an employee in response to that individual’s reporting of illegal financial activity. The Occupational Safety and Health Administration (OSHA) is the agency designated for receiving Sarbanes-Oxley complaints.
  2. Corporate responsibility for financial reports. Both the chief executive officer (CEO) and chief financial officer (CFO) must certify the accuracy of financial statements filed with the SEC. The act also prohibits them from attempting to influence or mislead auditors and requires that a code of ethics be adopted for senior financial officers.
  3. Blackout periods. The act mandates that no officer, director, or other insider may buy or sell company stock during pension fund blackout periods. It also requires 30 days’ notification to employees in advance of blackout periods. This applies to 401(k) plans as well as other retirement plans.
  4. Incorporates the Corporate and Criminal Fraud Accountability Act of 2002, which makes it a felony to knowingly destroy or create documents to impede, obstruct, or influence a federal investigation. This act includes white collar crime penalty enhancements, including hefty fines and imprisonment up to 20 years for tampering with records.
  5. Establishes the Public Company Accounting Oversight Board (PCAOB) to create standards for auditors and conduct inspections of accounting firms. It also requires public companies to have audit committees to develop procedures for receiving and investigating complaints regarding internal controls, accounting, and auditing, and to oversee the work of the company’s auditors.
  6. Prohibits company loans to directors or officers and provides for repayment of some earnings by CEOs and CFOs if earnings must be restated due to misconduct.
  7. Requires the establishment of internal controls for financial reporting, management’s assessment of those controls, and an auditors’ report.
  8. Increases the penalties for violating the Employee Retirement Income Security Act of 1974 (ERISA) reporting and disclosure requirements to a fine of up to $100,000 and imprisonment up to 10 years.

For human resources (HR), the Sarbanes-Oxley Act suggests the need to educate directors, officers, employees, and auditors about obligations of that act. Procedures should be established for handling internal Sarbanes-Oxley complaints and for document retention. Compensation practices for executives should be reviewed. In particular, stock options as a form of executive compensation are being viewed with a more critical eye because of the temptation of insiders to artificially inflate the stock price.

Employers may want to include ethics training and establish a corporate code of conduct that requires employees to report questionable accounting practices. Companies should be sure employees are protected from retaliation for reporting wrongdoing.

Privacy in the workplace

  • Multiple laws are in effect that regulate employee privacy, and employers would be prudent to know and understand them.
  • The NLRA secures workers’ rights to discuss terms and conditions of employment with one another, and recordings and photographs made as part of that activity may be protected.

Privacy in the workplace is often a fine line between an employee’s rights to privacy and an employer’s need for security. In some cases, laws protect an employee’s right to privacy. In other cases, the situation may end up being determined in court. Sometimes employers have to balance the needs of the organization and the rights of employees.

Unfortunately, if a situation goes to court, it could cost an employer hundreds of thousands of dollars in damages. The number of cases that involve employee privacy is growing. Employers may benefit from understanding the laws that govern employee privacy and what they can do to protect themselves from litigation.

Laws and legislation

A number of federal laws govern an individual’s privacy:

  • The Employee Polygraph Protection Act prohibits the use of lie detectors in employment decisions, except for narrow applications.
  • The Electronic Communications Privacy Act is intended to provide individuals with some privacy protection in their electronic communications.
  • The Stored Communications Act prohibits the intentional unauthorized access of communications that are stored with an internet service provider.
  • The Americans with Disabilities Act requires employee and applicant medical information to be kept confidential.
  • The Health Insurance Portability and Accountability Act restricts the use and disclosure of an individual’s private health information without authorization.

These are federal laws that may apply to employment situations. Employers should keep in mind that many states have implemented privacy laws that go beyond the requirements of federal laws. There may even be local laws that apply.

Recording conversations in the workplace

Sometimes, it makes business sense to record certain communications in the workplace. For instance, many companies record customer service calls between employees and customers for quality purposes. From time to time, employers may want to record conversations between employees, perhaps between an employee and a human resources (HR) representative. Employees themselves may even want to record conversations such as these.

The parameters for recording vary by state. Some states are one-party consent states with regard to audio recording, which means that only one party to the conversation needs to give consent to a recording, and that could be the person recording the conversation (assuming that person is a party to the conversation). In those states, employees could potentially record a conversation in the workplace without informing the other parties to the conversation of the recording. Note that an employee could only record a conversation to which the employee had access.

All states except for 12 are one-party consent states. These 12 are two-party (or all-party) consent states:

  • California
  • Connecticut
  • Florida
  • Illinois
  • Maryland
  • Massachusetts
  • Michigan
  • Montana
  • New Hampshire
  • Nevada
  • Pennsylvania
  • Washington

In those 12 states, all parties to the recording must give consent for it to be legal. In one-party states, an employee or an employer could legally make a secret recording.

Recording policies

Historically, even when a recording could be legally made, employers weren’t required to allow them. An employer could typically have (and enforce) a no-recording policy in the workplace.

However, in February 2016, in Whole Foods Market Group, Inc., the National Labor Relations Board (NLRB) ruled that the making of certain recordings (audio, video, and photography) can be protected activity under the National Labor Relations Act (NLRA). In June 2017, the Second Circuit Court of Appeals agreed with the board that the employer’s overly broad rules violated the NLRA.

The NLRA protects employees’ rights to discuss terms and conditions of employment with one another to determine whether they might benefit from the services of a labor union. According to the NLRB, recordings and photographs can be a protected part of such a discussion. For instance, if an employee recorded inconsistent or unlawful management behavior to encourage other employees to take action, such a recording may be protected activity.

Likewise, if employees are documenting unsafe working conditions, that photo or recording would likely be protected. Essentially, if a recording in the workplace is part of one or more employees’ efforts to discuss or provoke action regarding terms and conditions of employment, it would probably be considered protected activity under the NLRA.

Employers should make sure the language used in their recording policies can’t be construed to limit employees’ rights under the NLRA. Policies should be specific and detailed, with examples whenever possible. A policy might remind employees that recordings and photography are prohibited where these activities could compromise trade secrets or customers’ personally identifying information, for example.

GPS tracking

In addition to video recording, some employers track employees’ physical movements using global positioning system (GPS) technology. Employers may want to track employees to ensure they are working where and when they say they are.

With GPS tracking, employers must turn to case law for guidance. Generally speaking, courts have held that monitoring employees’ positions while they are working is reasonable. As with video recording, it greatly helps an employer’s case to establish a business justification for tracking. Employers also help themselves by making sure employees know they are being tracked; this ensures they don’t have an expectation of privacy during working hours.

Some employers want to track employees’ positions outside of work hours. A legitimate business reason for that is much harder to establish. While there isn’t much case law yet involving employers, the 2012 U.S. Supreme Court decision in United States v. Jones offers some guidance. There, a drug trafficking conviction was overturned after law enforcement attached a GPS device to the defendant’s vehicle and tracked his movements for several weeks; the court held that this was a search under the Fourth Amendment. Although the case involved government surveillance of a private citizen rather than an employer, it gives employers an idea of how monitoring an individual’s personal time might be viewed.

Personal property vs. company property

  • To win disputes over privacy rights, employers need to clearly inform their workers about expectations of privacy in the workplace.
  • Reimbursement to an employee for business use of a personal device or cell phone does not establish ownership of that device.

Just how far can employers go to ensure the safety and security of their business and employees? Can they look into an employee’s car, briefcase, or purse? Can they look into employee lockers or desks?

These questions do not always have black-and-white answers of yes or no. It usually depends upon the situation, and often the details thereof. An important factor is the expectation of “privacy.” Employees should be told that any employee property (e.g., purses, backpacks, or even vehicles) on the company premises is subject to search.

A policy that removes the expectation of privacy is essential to inform employees of the company’s rights. Employers are more likely to prevail in disputes over privacy rights if employees have been clearly informed they should have no expectation of privacy in the workplace.

If an employer deems it necessary to conduct a search, or to otherwise invade an employee’s privacy, the company should always choose the least-invasive method of conducting the search. For example, asking an employee with a purse to empty that purse is less invasive than demanding the employee turn over the purse and allow a supervisor to remove its items.

Companies should never conduct a “pat down” or body search of an employee. Unwelcome physical contact may be viewed as harassment or even assault.

Employers should also consider procedures that contribute to the removal of privacy expectations. For example, if employees are provided with lockers for personal items, the company might consider providing the locks and informing employees that the company retains a master key for searching the lockers. Courts have found that when employees are allowed to provide their own locks, the expectation of privacy increases.

Employees who refuse to consent to a search should not be detained. If the employee wants to leave the premises and the company prevents it, this could be viewed as unlawful detention (false imprisonment). Such employees can be told that their job is at stake, and they can be terminated for refusing to consent to a search, but they cannot be prevented from leaving company property.

Employee-owned devices

Courts have addressed company-issued devices, but the right to access information sent over devices owned and issued by the employer does not extend to employee-owned devices. While employers have the right to monitor how their own equipment is used, they do not have any special rights to access information sent over privately owned devices.

Some employers provide reimbursement for business use of employees’ personal devices or cell phones, but paying for business use does not establish ownership of the device (just as providing mileage reimbursement for the business use of a personal vehicle does not establish ownership of the vehicle). Employers may certainly offer a stipend or other compensation when expecting employees to use a personal cell phone for business, but doing so does not result in the same access privileges as company-issued equipment would offer.

Of course, employees could voluntarily disclose the manner in which their devices have been used, or messages sent to another person could be shared by that recipient. For instance, if an employee sends an offensive text message to a coworker, the coworker may share that information with the employer.

The Stored Communications Act applies broadly to “electronic” communications. Employers must obtain authorization to access information stored with a provider (such as text messages sent via cell phone). Generally, such access must be granted voluntarily, without threat of discipline or termination. Again, the recipient of the message could voluntarily share the message, but the sender should not be coerced to grant access.

If an employer suspects (or has evidence) of impropriety that impacts the business, then information sent over personal devices may be discoverable as part of a legal proceeding (e.g., under a subpoena), but the employer would not have a blanket right to access information, nor would the employer have the right to obtain records from a service provider without a court order.

Electronic security

  • Certain ECPA provisions let employers monitor employee communications if a legitimate reason can be proven or if the worker agrees in writing.
  • Many states deny employers access to an employee’s social media pages, especially that worker’s restricted or “hidden” information.

Beyond the physical objects that can encompass employee privacy, such as the desk and briefcase, electronic entities can bring up the issue of privacy. These include email, telephones, and computers. Can an employer monitor the telephone calls of its employees? Can it read an employee’s email?

One thing to note: the law treats intercepting a communication while it is in transit (the Wiretap Act side of the ECPA) far more strictly than accessing it once it is stored, which courts have treated much like searching an employee’s files. Listening to a voicemail stored on the company system, for example, is no different in that respect from reading an email sent from a company email account.

Despite the Electronic Communications Privacy Act (ECPA) seeming to prohibit employers from intentionally listening to or otherwise intercepting employee communications at work, it has a couple of exceptions that impact employers:

  1. Employers may monitor oral and electronic communications when they can show a legitimate business reason for doing so (the business-use exception). Once a call or message is determined to be personal rather than business-related, monitoring under this exception should stop.
  2. Employers may monitor employee communications if they have the written consent of the employee. This exception is not limited to business communications.

Most people are familiar with business calls that indicate the call is monitored for business purposes.

The ECPA does not prevent access to electronic communications by system providers, which could include employers that provide the necessary electronic equipment or network to their employees. Courts have found that monitoring employees’ electronic transmissions involving email, the internet, and computer file usage on company-owned equipment is not an invasion of privacy. This holds true even in situations where employees have password-protected accounts.

Computer use and internet access

An employer can monitor employees’ email, internet access, and certain other use of a company computer. For instance, the history of websites an employee has visited can be reviewed to determine whether they are work-related; companies should have a policy covering this and make employees aware of it. However, if an employee accesses a personal email account or website (such as Hotmail, Yahoo, or Facebook), the content may not be read without the employee’s express and freely given permission, even if it was accessed on work time with company equipment.

Companies can still impose discipline for accessing these sites at work (as abuse of internet privileges), but content stored on an outside server (in contrast to a company-owned server) is protected under the Stored Communications Act. This law prohibits the intentional unauthorized access of communications that are stored with an internet service provider.

Employee photographs

Employers sometimes want to take photographs of employees for various purposes, but employees aren’t always on board with the idea — some may even allege that the employer taking photos of employees is illegal or an invasion of privacy.

While photographs can be taken in some circumstances, some states have laws limiting the use of employee photographs for commercial purposes, which may come into play if an employer were to use employee photos in advertising pieces or on a company’s externally facing website. In states with such laws, employers would typically need consent from employees to use photographs in this way.

Even where employee photos will not be used commercially or in states where consent is not specifically required, employers may still want to respect employees’ privacy and either ask for their consent or offer them an opportunity to opt out. Employees may have valid reasons for not wanting their photographs taken.

Restrictions on social media access

Employers should be aware that many states prohibit employers from requiring (or even requesting) that an employee or applicant provide access to a social media page. Usually, any information that is publicly available can still be accessed, but “hidden” information cannot be accessed.

For example, if an individual (employee or applicant) uses social media, but the chosen settings for privacy still allow information to appear in an internet search, the information could be discovered and used by the employer. However, if the individual’s privacy settings would “hide” or restrict access to postings, an employer cannot request or require access to that information.

The federal Stored Communications Act prohibits an employer from obtaining access to an individual’s personal account without voluntarily given authorization.

Neither state nor federal laws restrict employers from monitoring computer use of company-owned or company-issued devices, nor do they restrict employers from accessing a company-sponsored social media page (such as a business page or account).

Policies related to privacy

  • Keeping confidential worker information private is an essential duty of employers, and they should have procedures and training to achieve this.
  • Employees can acquire greater peace of mind when their employer establishes a policy addressing the use of biometric data.

One of the more effective things employers can do is develop and enforce policies that remove employees’ expectation of privacy. Workers should be informed upfront that the workplace is not a private place, and that to ensure security, the employer retains the right to perform:

  • Searches,
  • Inspections,
  • Checks, and/or
  • Tests.

These activities may involve all company property including grounds, buildings, company vehicles, rooms, offices, lockers, desks, computers (email and internet), and telephones.

Employers may retain keys to all lockable areas and make employees aware of this, and may also prohibit the use of personal locks on company equipment.

If employers have such policies, they should be communicated so that employees are aware of them and of the consequences of violating them. Such policies should be read and signed by each employee to ensure awareness of them.

As an added measure, employers can post reminders of the policy in hard copy and electronically to promote the idea that the workplace is not private, and employees should have no reasonable expectation of privacy.

These policies should be applied to all employees to avoid any discrimination claims.

Employers have an obligation to keep confidential employee information private. These efforts can be enhanced via effective procedures and processes, along with any applicable training on those procedures and processes.

It’s also advisable to avoid crossing the line into an employee’s personal privacy. Unless absolutely necessary, employers should respect employee personal privacy, including such elements as medical information, family issues, etc., keeping in mind that laws protect a person’s individual privacy.

Employees should be trained how to respond to requests for information (including personal information) about other employees.

Medical information and privacy

Employers should maintain employee medical information they obtain, use, store, or disclose in separate and secure locations. The Equal Employment Opportunity Commission (EEOC) requires this for employee information obtained to ascertain the employee’s abilities to perform job-related functions.

The U.S. Department of Health and Human Services also has privacy requirements for personal health information related to an employer’s health plans. These requirements are spelled out in the Health Insurance Portability and Accountability Act (HIPAA). This information also must be kept private through policies, procedures, and physical security measures. Appropriate training is required for those who have access to this information.

These requirements could involve a separate file cabinet kept under lock and key, and only those with a legitimate business-related justification to access those files would have a key. Employers should be aware that requirements to maintain confidentiality do not end when an employee leaves the company, so mixing personnel files with medical files should be avoided even after an employee quits, retires, or is terminated.

Most employers have policies that protect the privacy of employee information. However, some employers have accessed this type of information and used it to make employment decisions. For example, an employer may learn that an employee being considered for a promotion has a serious health condition that may impede the employee’s ability to work long hours. Given this information, the employer passes over the employee based on the health information instead of focusing on the employee’s ability to perform the job.

Other issues of employee or applicant private health information relate to genetics. A noted case involved an employer that wanted applicants to submit to a medical test that would reveal a genetic predisposition to a condition, which might later lead to expensive treatment. The employer was improperly using this information to weed out any undesirable future troubles.

When it comes to the privacy of employees’ medical information, many employers think of the Health Insurance Portability and Accountability Act (HIPAA). However, this law primarily applies to an employer’s activities related to a health plan. It does not cover activities as an employer that include requesting medical information from applicants or employees. Instead, those requests fall under the Americans with Disabilities Act (ADA).

Employers may request medical information when the need to know is job-related and consistent with business necessity. However, any decisions affecting employment must be based on objective medical evidence, not merely opinion or speculation.

Biometric tracking in the workplace

Whether for security reasons or for ensuring the validity of time clock punches, employers may be using varying forms of biometric tracking in the workplace. While facial recognition, retina or iris scans, and voice analysis are all types of biometric tracking currently in use, the most commonly used biometric identifier is a fingerprint.

Employers using biometric data in their employment practices need to proceed with a certain amount of caution, however. Aside from the inevitable employee concerns about how these identifiers will be used and protected, certain laws also affect how biometric data may be used.

For instance, Illinois’ Biometric Information Privacy Act requires that employers implement a strict retention schedule for any biometric data collected, which must also outline how and when the data will be destroyed. The law also requires that employees authorize the use of their biometric data, and that they be notified of the information that will be collected and how it will be used.

Even where the law doesn’t require one, a policy addressing the use of biometric data can help ease anxiety that might crop up for employees. With any relevant state laws factored in, a thorough policy should identify:

  • What biometric data will be collected,
  • The reasons for the biometric collection,
  • The employer’s commitment to keeping employees’ information confidential to help protect employees from identity theft,
  • The employer’s methods for safeguarding information (including retention periods and destruction methods), and
  • An individual to whom concerns about biometric data can be directed.

Personal property vs. company property

  • To win disputes over privacy rights, employers need to clearly inform their workers about expectations of privacy in the workplace.
  • Reimbursement to an employee for business use of a personal device or cell phone does not establish ownership of that device.

Just how far can employers go to ensure the safety and security of their business and employees? Can they look into an employee’s car, briefcase, or purse? Can they look into employee lockers or desks?

These questions do not always have black-and-white answers of yes or no. It usually depends upon the situation, and often the details thereof. An important factor is the expectation of “privacy.” Employees should be told that any employee property (e.g., purses, backpacks, or even vehicles) on the company premises is subject to search.

A policy that removes the expectation of privacy is essential to inform employees of the company’s rights. Employers are more likely to prevail in disputes over privacy rights if employees have been clearly informed they should have no expectation of privacy in the workplace.

If an employer deems it necessary to conduct a search, or to otherwise invade an employee’s privacy, the company should always choose the least-invasive method of conducting the search. For example, asking an employee with a purse to empty that purse is less invasive than demanding the employee turn over the purse and allow a supervisor to remove its items.

Companies should never conduct a “pat down” or body search of an employee. Unwelcome physical contact may be viewed as harassment or even assault.

Employers should also consider procedures that contribute to the removal of privacy expectations. For example, if employees are provided with lockers for personal items, the company might consider providing the locks and informing employees that the company retains a master key for searching the lockers. Courts have found that when employees are allowed to provide their own locks, the expectation of privacy increases.

Employees who refuse to consent to a search should not be detained. If the employee wants to leave the premises, and the company prevents the employee from leaving, this could be viewed as unlawful detainment (essentially a form of kidnapping). Such employees can be informed that their job is at stake, and they can be terminated for refusing to consent to a search, but they cannot be prevented from leaving company property.

Employee-owned devices

Courts have addressed company-issued devices, but the right to access information sent over devices owned and issued by the employer does not extend to employee-owned devices. While employers have the right to monitor how their own equipment is used, they do not have any special rights to access information sent over privately owned devices.

Some employers provide reimbursement for business use of employees’ personal devices or cell phones, but paying for business use does not establish ownership of the device (just as providing mileage reimbursement for the business use of a personal vehicle does not establish ownership of the vehicle). Employers may certainly offer a stipend or other compensation when expecting employees to use a personal cell phone for business, but doing so does not result in the same access privileges as company-issued equipment would offer.

Of course, employees could voluntarily disclose the manner in which their devices have been used, or messages sent to another person could be shared by that recipient. For instance, if an employee sends an offensive text message to a coworker, the coworker may share that information with the employer.

The Stored Communications Act applies broadly to “electronic” communications. Employers must obtain authorization to access information stored with a provider (such as text messages sent via cell phone). Generally, such access must be granted voluntarily, without threat of discipline or termination. Again, the recipient of the message could voluntarily share the message, but the sender should not be coerced to grant access.

If an employer suspects (or has evidence) of impropriety that impacts the business, then information sent over personal devices may be discoverable as part of a legal proceeding (e.g., under a subpoena), but the employer would not have a blanket right to access information, nor would the employer have the right to obtain records from a service provider without a court order.

Electronic security

  • Certain ECPA provisions let employers monitor employee communications if a legitimate reason can be proven or if the worker agrees in writing.
  • Many states deny employers access to an employee’s social media pages, especially that worker’s restricted or “hidden” information.

Beyond the physical objects that can encompass employee privacy, such as the desk and briefcase, electronic entities can bring up the issue of privacy. These include email, telephones, and computers. Can an employer monitor the telephone calls of its employees? Can it read an employee’s email?

One thing to note: Courts have indicated that monitoring such communications during their transmission is generally frowned upon, but once they become stored, it’s equivalent to searching an employee’s files. For example, listening to a voicemail (stored on the company system) is no different than reading an email sent from a company email account.

Despite the Electronic Communications Privacy Act (ECPA) seeming to prohibit employers from intentionally listening to or otherwise intercepting employee communications at work, it has a couple of exceptions that impact employers:

  1. Employers may monitor oral and electronic communications if they can prove they have a legitimate business reason to do so.
  2. Employers may monitor employee communications if they have the written consent of the employee. This exception is not limited to business communications.

Most people are familiar with business calls that begin with a notice that the call may be monitored for business purposes.
