Privacy in the workplace often requires employers to walk a fine line between an employee’s rights to privacy and an employer’s need for security.
Scope
In some cases, mandated rules protect an employee’s right to privacy. In other cases, the situation may end up being determined in court.
Regulatory citations
- None
Key definitions
- None
Summary of requirements
In some cases, mandated rules protect an employee’s right to privacy. In other cases, the situation may end up being determined in court.
Unfortunately, if a situation gets to court, it could cost an employer hundreds of thousands of dollars in damages, and privacy concerns are becoming more and more prevalent in the workplace. Employers would do well to understand the laws that govern employee privacy and what they can do to protect themselves from litigation.
Laws and legislation. A number of federal laws govern an individual’s privacy:
- One of the most commonly referenced is the Fourth Amendment to the Constitution (freedom from search and seizure without probable cause), which applies only to governmental action.
- The Privacy Act of 1974 provides that government entities need to have an individual’s permission before disclosing personal information about that individual, but the Act, again, does not extend to private employers.
- The Employee Polygraph Protection Act, on the other hand, does apply to private employers. It prohibits the use of lie detectors in employment decisions, except for narrow applications.
- The Electronic Communications Privacy Act is intended to provide individuals with some privacy protection in their electronic communications. It is the only federal law that governs the monitoring of electronic communications in the workplace. Although it permits interception and monitoring by employers in many situations, it also requires notice that such actions may occur.
- The Americans with Disabilities Act requires that employers keep medical information confidential.
These are federal laws that may apply to employment situations. Keep in mind that many states have implemented privacy laws that go beyond the requirements of the federal laws. There may even be local laws that apply.
Employee’s personal property vs. employer’s property. Just how far can employers go to ensure the safety and security of their business and employees? Can they look into an employee’s car, briefcase, or purse? Can they look in employees’ lockers or desks?
The answers to these questions are not always clearly yes or no. Instead, the determination will depend on many factors, including:
- Whether the employer has alerted the employee that searches of personal property might occur,
- Whether the employer has a valid business justification for conducting a search, and
- Whether the employee has a reasonable expectation of privacy with regard to the item(s) that may be searched.
Electronic security. Beyond physical structures, which may or may not be searchable (a desk or a briefcase, for example), electronic entities can also bring up the issue of privacy. These include email, phones, and computers. Employers should inform their employees that monitoring may occur to decrease any expectation of privacy.
Under the Electronic Communications Privacy Act (ECPA), employers cannot intercept emails during transmission. Employers may access emails stored on their own servers. An employee might use company equipment to access a personal email account (like a Yahoo! mail account or a Gmail account), but since the email in these accounts is not stored on the company’s server, the company likely wouldn’t be able to access their contents without permission from the employee. While employers may not always be able to access the content of an employee’s personal email account, they are still able to regulate how employees use company equipment and how they use work time. That means employers may still put limits on the sites employees visit and may generally monitor internet use.
Most people are familiar with business calls that indicate that the call is monitored for business purposes. Such notices are designed to avoid any expectation of privacy.
Medical information — ADA, HIPAA, and GINA. Under the Americans with Disabilities Act (ADA), employers must maintain employee medical information they obtain, use, store, or disclose in separate and secure locations. These requirements could involve a separate file cabinet that is kept under lock and key, with only those with a legitimate business need allowed to access those files.
Most employers have had policies that protect the privacy of health-related employee information. However, some employers have used this type of information to make employment decisions. For example, an employer may learn that an employee being considered for a promotion has a serious health condition that may impede the employee’s ability to work long hours. Given this information, the employer passes over the employee based on this health information instead of focusing on the employee’s ability to perform the job. This example is a good illustration of why the ADA requires medical information to be kept confidential and separate from employees’ personnel files.
The Department of Health and Human Services also has privacy requirements for personal health information related to an employer’s health plans. These requirements are spelled out in the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA’s privacy provisions restrict the uses and disclosures of an individual’s private health information without the individual’s authorization. Note that employers often mistake medical privacy rules under the ADA as protections provided under HIPAA. HIPAA is similar in that it has to do with medical information, but it applies to employers only in their activities as group health plan sponsors, not in their activities as employers.
Other issues of employee or applicant private health information relate to genetics. A noted case involved an employer that wanted applicants to subject themselves to a medical test that would reveal a genetic disposition to a condition, which might later lead to expensive treatment. The employer was using this information to weed out any undesirable future medical problems. Such discrimination is now precluded by a recent amendment to the federal Civil Rights Act.
What to do. One of the more effective things employers can do to help define how far employee privacy goes in their organization is to develop and communicate policies that remove employees’ expectations of privacy. Let them know up front that the workplace is not a private place, and that to ensure security, the employer retains the right to perform:
- Inspections,
- Searches,
- Checks, and/or
- Tests.
These activities may involve all company equipment including grounds, buildings, company vehicles, rooms, offices, lockers, desks, computers (email and internet), and telephones.
To further remove any expectation of privacy, employers may want to retain keys to all lockable areas and items and prohibit employees from using personal locks on company equipment. Employees should be aware that the employer maintains this means of access at all times.
Of course, employers must also be sure to communicate their policies and procedures to employees. As an added measure, employers can post reminders of the policy in hard copy and electronically to promote the idea that the workplace is not private, and employees should have no reasonable expectation of privacy.
It’s also wise to avoid unnecessarily intruding into an employee’s personal life. Unless absolutely necessary, employers should respect employee personal privacy, keeping in mind that many laws protect a person’s individual privacy. Employees should be trained in how to respond to requests for information—including personal information—about other employees.