Privacy in the Workplace: Ethical Supervision by Employers
1. Electronic Issues: E Mail Monitoring, Telephone Monitoring and Employee Blogging
(a) E-mail Privacy in the Workplace
Introduction
The use of electronic communications in the workplace has evolved extremely rapidly: by one estimate, over 5.1 billion emails are sent in the U.S. each day. Unfortunately, the laws addressing this technology have evolved at a much slower pace than the technology. The result is a legal landscape that is in many ways complex and outdated: the laws that define the bounds of the employer-employee relationship in the electronic medium are confusing at best, and ineffective at worst. This presentation is intended to give you a brief survey of some of the key legal issues facing employers in this area, and conclude with a brief summary of "best practices" that can be used dealing with electronic communications in the workplace.
Applicable Law: The Electronic Communications Privacy Act
The federal Electronic Communications Privacy Act (ECPA) generally prohibits the interception of electronic communications and unauthorized access of electronic communications. "Interception" is defined as the real time acquisition of communications, e.g., the monitoring of employee email as it is actually being sent or received. "Unauthorized access" is defined as the access of an electronic communication in electronic
storage, e.g., the monitoring or accessing of emails after they have been sent or received, and are
stored on a server or other database Electronic communications include email messages.
To "intercept" or "access" means to monitor or review -- so we start from the point that
monitoring employee email is generally prohibited.
There are three important exceptions to this prohibition that essentially permit an employer to monitor ("intercept" or "access") an employee’s email:
- Provider Exception: If the email service that is monitored is provided through the company’s own computer system, the prohibition against interception does not apply. For example, a federal court found that a Nevada police department could retrieve pager text messages stored on the police department’s computer system because the department was the provider of the service, and "service providers may do as they wish when it comes to accessing communications in electronic storage."
- Ordinary Course of Business Exception: Courts have taken two different approaches to defining "ordinary course of business:"
- The "content" approach: the employer is permitted to monitor all business related email, but may not monitor personal email;
- The "context" approach: the employer may monitor email if they have a "legitimate business justification" to do so.
- Consent Exception:The employer may monitor email if it has obtained the consent of the employee to do so. This may be the easiest exception to perfect and, not surprisingly, is the most widely used. For example, publishing a properly drafted company email/privacy policy can be construed as consent and used as legal justification for monitoring email.
What does all this mean? Here are a few examples of email monitoring practices that are clearly within the bounds of the law:
- Monitoring employee email that is sent to or from the employee's company email address, or to a private email account that is accessed on the employer's network.
- Monitoring an employee's email that involves business-related issues, whether sent from or received by the company's computer system.
- Monitoring an employee's email when the employee has consented to such monitoring. Publishing a company email policy, and requiring each employee to assent to it, may be the most effective way to obtain this consent.
(b) Composing and Enforcing an Electronic Communications Policy: Best Practices
While no all encompassing checklist of concerns can encapsulate what an electronic privacy policy should include for every employer, the following is a list of "must haves" that all policies should include in some fashion:
- It should address e-mail, voice-mail, and computer files stored on the employer's computer systems;
- A statement to employees that company communication systems are intended to be used primarily for business use and that the company reserves the right to review, audit, and disclose any and all matters disseminated or stored on its systems;
- It should inform employees that all computer files, e-mail, and other communications stored on company computer systems are company property;
- Inform employees that the mere deletion of a message or file does not eliminate the employer’s ability and right to receive and review it;
- A statement that the employer reserves the right to review computer files, e-mail, and communications stored on the company's computer system at any time and for any reason;
- A statement that company policy strictly prohibits all discriminatory e-mail messages, obscene, derogatory, defamatory, or other inappropriate messages, including any sexually explicit material, ethnic or racial slurs, or anything that is or could be interpreted as disparaging of others based on race, national origin, gender, sexual orientation, age, disability, or religion;
- Explain that any password protection provided to the employee with respect to e-mail or voice-mail does not provide a special right of privacy to the employee, but is only given to prevent other employees and third parties from accessing the employee’s communications; and
- Make clear what use is acceptable and what use is unacceptable, and explain the consequences for violating the policy (verbal warnings, written warnings, dismissal, or other disciplinary action), while preserving the employer's ability to impose the appropriate discipline on a case-by-case basis.
(c) Benefits of a Policy
- One of the primary purposes of an electronic email policy is to decrease any expectation of privacy that the employee may have in his or her workplace communications. Such a decreased expectation of privacy will often serve as a layer of protection for the employer from a wide variety of employee lawsuits. For example, employers have used an employee email policy as a shield from liability in the following scenarios:
- A company’s decision to terminate a female employee was upheld on the grounds that the company had legitimate, nondiscriminatory reasons for the termination when she violated a company policy that prohibited employees from downloading pornographic images and storing them on the company’s computers.
- A company which issued a prompt warning to all employees not to abuse e-mail upon learning of offensive emails sent to and by a plaintiff was later found not liable for retaliatory discharge when it terminated the plaintiff for other reasons.
- A company that issued a prompt warning to the sender of offensive e-mails, as well as holding a company wide meeting to discuss the company's policy on email use, was not subject to later liability under Section 1981 of the Civil Rights Act for race discrimination claims arising from the emails.
(d) Telephone Privacy in the Workplace
The Federal Wiretap Act
The Federal Wiretap Act utilizes many of the same definitions as the Electronic Communications Privacy Act. A company’s approach to telephone privacy should involve application of many of the same definitions as in the ECPA, such as communication" and "interception," to oral, rather than electronic, communications. In addition, the two Acts share the same exceptions: provider, ordinary course of business, and consent.
The Wiretap Act defines an "oral communication" as one that one made in circumstances indicating that the individual uttering the communication expected it would be private. As under the ECPA, a communication may not be intercepted unless an exception is available.
So, what does this mean for employers? If and when are they permitted to monitor their employees' telephone communications? Outside of the three statutory exceptions, there are certain factors and considerations to be considered in determining whether telephone monitoring is permitted:
- Telephone calls. Courts generally look to the expectation of the employees in determining if telephone monitoring is permissible. The permissibility of monitoring depends on (i) whether the employees were told that their telephone use would be monitored, (ii) the employer's purpose in monitoring the call, and (iii) whether the monitoring is reasonable under the circumstances of each workplace situation. Here are a few examples of cases where monitoring of telephone calls was permitted:
- When a telephone call occurred during office hours, and involved scurrilous remarks about the employees' manager.
- When the employer was a repository of sensitive security information, monitoring was justified because legitimate business reasons made it permissible.
- Use of cordless/cellular phones. Communications over these devices present a special concern because they are easily intercepted, sometimes accidentally, and can be monitored more easily than other communications. The interception of communications using these devices are subject to the same rules as interception of traditional land line telephones.
- Voice Mail. This type of communication is treated differently than other communications. If a voicemail message is listened to after it has been recorded, monitoring is permissible. If the message is monitored as it is being recorded, then it is deemed to have been "intercepted" and the same rules apply as with telephone communications.
Pennsylvania Wiretap Act
The Pennsylvania Wiretap Act prohibits the interception, disclosure, or use of oral communications in certain circumstances. To state a cause of action under this law for unlawful monitoring of an oral communication, a plaintiff must show:
(1) That he or she engaged in a communication;
(2) That he or she possessed an expectation that the communication would not be intercepted;
(3) The expectation of privacy was justifiable under the circumstances; and
(4) That the defendant attempted to, or successfully intercepted, the communication,
or encouraged another to do so.
Note that the oral communication may be a telephone conversation, or an overheard office
conversation -- as long as the person making it had a justifiable expectation that the
communication would not be intercepted, an employer (or anyone else) may not legally monitor
the conversation.
Note also that the Pennsylvania law has a series of exceptions, some of which are similar to the
federal law. Here are a few of the most widely-applicable exceptions:
- Where all of the parties to the conversation have given prior consent (for example, a conversation between or among consenting employees).
- Where the interception is made for employee training purposes (for example, a telemarketing agency).
- Where a law enforcement officer is acting pursuant to a validly issued subpoena or other court order.
This is a somewhat murky legal area. However, it is clear that the monitoring of the following types of employee conversations are likely permissible:
- Where the employee has consented to the monitoring. For example, if an employer publishes a telephone policy that requires employees to consent to monitoring, the employer may lawfully eavesdrop on an employee’s telephone conversations.
- Where the employee does not have a legitimate expectation of privacy. To establish such a diminished expectation of privacy, a written company policy or manual would be helpful.
When the employer informs all employees, through an employee manual, separate written policy, or otherwise, that all conversations on company property are not private and should not be treated by employees as private or confidential, the employer may monitor and/or record any such conversation.
(e) Common Law Invasion of Privacy Tort Claims as a Limitation on the Employer’s Right to Electronically Monitor their Employees
Workmen’s Compensation Protection
In Pennsylvania, the Workers’ Compensation Act is generally the exclusive means by which employees may recover from employers for injuries arising out of the scope of employment. Only in cases where the injury is a) personal in nature and b) not part of the normal course of employment is an employer subject to suit by his employee. Thus, as a starting point, many employers may be protected by the Workers’ Compensation Act from invasion of privacy claims brought by their employees.
The Invasion of Privacy Claim
If an employee is able to show that electronic or telephonic monitoring by the employer falls outside the protection of the Workers’ Compensation Act, the employee may be able to assert a tort claim against an employer for invasion of privacy. The most likely claim is for "invasion of privacy."
To establish this tort, the employee must show that the employer:
(1) intentionally intruded, physically or otherwise,
(2) upon the solitude or seclusion of the employee or his private affairs or concerns.
The employer will only be subject to liability to the employee for invasion of the employee's privacy if the intrusion would be highly offensive to a reasonable person. Note that at least one court has found unauthorized email monitoring to be highly offensive, and thus actionable under this tort.
The invasion may be:
a) by physical intrusion into a place where the plaintiff has secluded himself on a conversation;
b) by use of the defendant's senses to oversee or overhear the plaintiff’s private affairs, or
c) some other form of investigation or examination into plaintiff’s private concerns."
(f) Workplace Blogging
What is a "blog?"
"Blog" is short for Web log, which is a diary, journal and/or running commentary posted on the Internet. Perhaps the best way to describe a blog is as a regularly updated personal journal or editorial. Blogs are generally accessible to anyone with Internet access. "Blogging" is the practice of authoring a blog.
How popular is blogging?
Blogging is a rapidly growing practice. It is estimated that over 10 million blogs currently exist, that approximately 20,000 new blogs are created in the U.S. each day, and that about 32 million Americans are regular blog readers. From the employer's perspective, this means that there is a good chance that, depending on the size of the employer, some percentage of their workforce either has their own blog, or reads blogs regularly.
Why is this important to an employer?
Blogging is essentially another medium through which employees can speak their minds, just as they would through a newspaper editorial, a television interview, or a conversation with coworkers. All of these things are ways which could be grounds for an employee’s termination, a lawsuit brought by the employee against the employer, or worse, a lawsuit in which the employee is sued and the employer is held vicariously liable for the employee's statements.
Consider these examples:
- A U.S. Senate staffer was fired as a result of her blog, which contained references to the sexual practices of her and her coworkers.
- A Delta Airlines flight attendant, who dubbed herself the "Queen of the Sky," was fired after Delta learned that she had posted revealing photos of herself on her blog.
- After a blogger known as the "Diva of the Disgruntled" was terminated by her employer, she used her blog to link to confidential company information. Her employer was subsequently fined $200,000 for her online disclosures.
These are just a few examples of how employee blogging can adversely affect an employer. At the rate blogging is growing, cases such as these are sure to increase in the future. Many large employers, including IBM and Sun Microsystems, have addressed the blogging issue by formulating a written blogging policy. If you are going to permit employees to maintain blogs, here are some of the issues a blogging policy should address:
- The policy should instruct bloggers to state that the opinions expressed in the blog about work-related matters are their own personal opinions and have not been reviewed or approved by the employer.
- Bloggers should be instructed to state that they assume full responsibility and liability for any work related content contained in the blog. These statements are particularly important if the employer otherwise encourages blogging by its employees (as is the case in IBM’s policy).
- Bloggers should be required to comply while blogging with the company’s policies protecting its trade secrets and other confidential information and with any provisions protecting trade secrets and non-disclosure contained within the employee’s employment agreement.
- The policy should warn of the potential civil and criminal penalties of posting copyrighted material, without authorization, on a blog.
- The policy should warn bloggers that the blog should not become a vehicle for personal attacks on the company, its products, its executives, supervisors, coworkers, competitors, or competitors’ products.
- The policy should advise that the company may, and is entitled to, monitor the blogs.
- The bloggers should be informed that they may, and will be subject to disciplinary action, up to and including termination, for violation of company blogging and any other company policies.
Advantages/Disadvantages of Allowing Employees to Blog
Whether to allow, permit, or encourage employees to blog is a question that must be answered on an employer by employer basis. For all the potential disadvantages, many of which are mentioned above, there may be advantages. For example, allowing a blogger to comment on relevant issues facing that company’s industry may foster a productive intra industry dialogue.
Or, a blogger using the corporate banner may be able to improve his employer’s image if his blog is smart and insightful. Each employer should consider blogging an important issue, and give it the appropriate consideration.
2. Non-Electronic Employee Privacy Rights: Background Checks, Drug & Alcohol Testing, "Lie Detector" Tests, Credit Checks, Employee Access to Personnel Files, & HIPAA
(a) Background Checks
Background checks, if used appropriately, can be an effective tool for employers to use in evaluating prospective and current employees. Because no single central "background check" repository exists , conducting a background check necessarily involves inquiries to several different agencies -- for example, a state criminal record repository, a credit bureau, or previous employers.
Some of the most common types of background checks include:
- Criminal background checks
- Education records/academic degree verification
- Credit checks
- Driving histories
- Medical exams
- Drug tests
- Psychological and personality tests
- Workers compensation reports
Laws limit two fundamental aspects of background checks: collection of the information about the individual and use of that information in making employment related decisions.
The Fair Credit Reporting Act and the Americans with Disabilities Act, which we will briefly discuss today, each affect what information can be collected for a background check. For instance, the Fair Credit Reporting Act requires that you obtain written consent by the applicant and advise the applicant of the ability to correct possible inaccuracies. The release of medical records is strictly regulated by HIPAA.
While collecting information and then using it to help make employment related decisions, you need to be aware of not only the restrictions that exist by way of state or federal law on the use of this information, but remember that much of this information is sensitive and needs to be maintained on a confidential basis, both within and outside of the company. Privacy concerns should be most heightened when handling any type of medical reports, drug tests, credit checks and criminal background information.
(b) Drug & Alcohol Testing
Substance abuse in the workplace is an issue of much concern to many employers. One way that employers have sought to prevent this problem is to require current employees or prospective employees to submit to a drug and/or alcohol test as a condition of employment. If administered appropriately, a drug testing policy is an effective way to prevent substance abuse in the workplace. If administered in the wrong way, drug testing can create liability for the employer based on an invasion of privacy (see above for additional information on this popular employee claim).
- The area of drug and alcohol testing is a popular ground for an invasion of privacy lawsuit. For example, an employer may be liable for invasion of privacy for the following conduct involving drug tests:
- Conducting the test in an unnecessarily broad manner -- for example, if a drug screen tests for prescription drugs. Knowledge of this information, which is extremely private, may be considered an invasion of privacy.
- Conducting the test in a way that impinges on an employee’s physical privacy -- for example, if the employer has a "monitor" ensure the integrity of the urine specimen, this may be an invasion of an employee's actual physical privacy.
The following is a list of "best practices" that an employer should consider while formulating a drug testing policy, or as a checklist to review their current policy:
- If the testing is done as a condition of employment, the prospective employee should be given an offer before they are required to undergo the test.
- The prospective employee should be informed that the offer of employment is conditioned on passing the drug test.
- The prospective employee should also be informed that past drug use is not a basis for denying them employment.
- The employer should clearly identify the purpose of the test, which must be business related.
- The employer should apply the policy firmly and uniformly to all employees/prospective employees.
- All test results must be kept strictly confidential and should be shared within the company only on a need to know basis.
- The employer should ensure that the company or vendor employed to perform the test is a licensed professional that will competently administer the test.
- The employer should pay for the test, regardless of the test outcome.
Note that federal employers, such as government agencies, are subject to the Drug Free Workplace Act of 1988. Private employers are not subject to this law.
(c) "Lie Detector" Tests
In the event that an employer decides to use a "lie detector" test (a/k/a polygraph examination), it is important to know that there are limitations on the permissible use of these exams in the workplace.
Federal Law
The Federal Employee Polygraph Protection Act of 1988 prohibits any employer from:
- requiring an employee or prospective employee, either directly or indirectly, to submit to a lie detector test;
- inquiring into the results of any prior lie detector test of an employee or prospective employee;
- taking any action, including discipline, discrimination, or discharge, against an employee or prospective employee on the basis of the results of a lie detector test.
There are several relevant exceptions to these prohibitions, i.e., factual scenarios where an employer is permitted to require an employee to submit to a lie detector test. These exceptions include when the employee:
(1) has access to the employer's property and is reasonably suspected of theft;
(2) is a prospective employee of a security firm; or
(3) is a prospective employee of a pharmaceutical company or other firm allowing access to controlled substances.
If any of these limited exceptions are met, then the employer may require the employee to submit to a polygraph test. Any employer who violates this law is subject to suit by the offended employee and/or the U.S. Department of Labor, and may be held liable to either for damages.
Pennsylvania Law
Pennsylvania has a similar law that imposes penalties on employers for requiring employees to submit to lie detector tests. In Pennsylvania, such conduct by an employer is a violation of the Pennsylvania Crimes Code and is classified as a second degree misdemeanor.
Note that Pennsylvania has nearly the same exceptions as the federal law, with the only difference being that there is no exception for employees suspected of theft. In addition, the use of similar tests, such as psychological stress evaluators, audio stress monitors, or similar devices that measures voice waves or tonal inflections to judge the truth or falsity of oral statements are also criminally prohibited in Pennsylvania if undertaken without the employee's consent.
(d) Credit Checks: The Fair Credit Reporting Act
The federal Fair Credit Reporting Act (FCRA) imposes certain requirements on employers who use credit checks as an evaluative tool. Keep in mind that, as in the other areas of this presentation, what is presented here is intended only to be a brief overview of this important area, and is not intended to be a complete summary of an employer’s legal responsibilities under the FCRA.
The FCRA requirements for employers are relevant in the context of personnel decisions concerning hiring, promoting, and firing. Although it uses the word "credit" in its title, the FCRA governs any type of third party background investigation that may be used to make an employment decision, not just credit checks. Facts obtained through a third party investigative agency are covered by the FCRA, as well as credit reports. There are several steps an employer who wishes to use a consumer or credit report in making a personnel decision must take:
(1) The employer must notify the individual in writing, before the report is acquired, that a report may be used.
(2) The employer must get the individual's written authorization to request a copy of the person's credit report.
*Note that notification and authorization can both be done as part of the initial application process.
(3) If the employer relies on the report in taking an "adverse action" -- defined as denying a job application, making a job reassignment, terminating an employee, or denying a promotion, the employer must:
a) Give the individual a disclosure, prior to taking the adverse action, that includes a copy of the individual’s credit report and a copy of the document, "A Summary of Your Rights Under the Fair Credit Reporting Act;" and
b) After taking the adverse action, give the individual notice that the action has been taken. This notice must include certain specific information, including the name of the credit bureau that supplied the credit report, and a notice of the individual's right to dispute the finding of the report.
e) Right of an Employee to Inspect His or Her Personnel File
In Pennsylvania, an employee’s right to inspect her personnel file is governed by the Pennsylvania Personnel Files Act. The following is a brief summary of the right of employees to inspect their personnel file.
Who has the right?
Any party that is:
- currently employed,
- laid off with reemployment rights, or
- on a leave of absence
has a right to inspect his or her personnel files.
Former employees have the right only when they are laid off with reemployment rights, or are placed on a leave of absence. Remember, if an employer sues/is sued by a current or former employee, the employee will likely be able to discover most or all of his or her entire personnel file under the rules of civil procedure.
What information does the right encompass?
A "personnel file" includes any:
- application for employment;
- wage, or salary information;
- notice of commendation, warning, or discipline;
- authorization for a deduction or withholding of pay;
- fringe benefit information;
- leave record; and
- employment history, including salary information, job titles, dates of changes, retirement records, attendance records, and performance evaluations.
What information is not covered by the right?
A "personnel file" does not include any:
- Records relating to the investigation of a possible criminal offense;
- letters of reference;
- documents which are being developed or prepared for use in civil, criminal, or grievance procedures;
- medical records;
- materials which are used by the employer to plan for future operations; or
- information available to the employer under the FCRA.
What is the right exactly?
The employee:
- can inspect the parts of his or her file used to determine qualification for employment, promotion, additional compensation, termination, or disciplinary action;
- must indicate his/her purpose in requesting the inspection;
- the particular parts of the file he/she wishes to inspect; and
- may not remove or copy the file or any part thereof (but is permitted to take notes).
The employer:
- must make the file available during the regular business day (but can require to employee to inspect the file on his or her personal time);
- may require the employee to file a written request (but may only impose such a requirement for the purpose of properly identifying the employee, or to avoid disclosure to ineligible individuals);
- may require inspection in the presence of a company representative;
- may limit inspection to once per calendar year; and
- must allow sufficient time for inspection, commensurate with the size of the file.
(f) Employer Record Keeping and Retention Requirements
There are numerous federal statutes that require an employer to retain employee personnel files for a period of time after they have been created and/or the employee's discharge. Below is a brief summary of three federal laws that require an employer to retain records in some way.
Age Discrimination in Employment Act (ADEA)
This federal law imposes a different retention period depending on the type of the personnel record:
- Application forms for temporary positions must be kept for ninety (90) days;
- Employee benefit plans, written seniority or merit rating systems must be kept for one (1) year after termination of the plan;
- Documents relating to personnel or employment records, such as job applications, resumes, and job orders submitted to employment agencies, must be retained for one (1) year after being made;
- A file on each employee, containing the employee's name, address, date of birth, occupation, rate of pay, and yearly compensation, must be kept for three (3) years after being made.
Title VII of the Civil Rights Act of 1964 & the Americans With Disabilities Act
These two federal laws impose identical record keeping requirements. Employers are required to
retain the files for a period of one (1) year from the date the personnel record was made or
personnel action was taken (whichever was later):
- Application forms;
- Job advertisements;
- Documents relating to hiring, firing, promotion, or transfer;
- Documents relating to employee training programs;
- Employment handbooks;
- Requests for reasonable accommodations;
- Payroll records; and
- Job descriptions.
Fair Labor Standards Act
This law also imposes different retention periods for different types of records:
- A Certificate of Age must be kept for each employee while he/she is employed;
- Supplementary basic records, such as work schedules, wage rate tables, earnings records, change in compensation records, must be kept for two (2) years; and
- Basic employee compensation records, such as payroll records, certificated and notices of
Wage and Hour Administrator, individual employment contracts, and collective bargaining agreements, must be kept from three (3) years.
(g) Quick Note on HIPAA
The Health Insurance Portability and Accountability Act (HIPAA), and regulations issued pursuant to it by the US Department of Health and Human Services, create standards for the electronic exchange, privacy and security of health information.
While many of the procedures and policies required by HIPAA affect only medical care providers, there are mandatory procedures and policies that must be implemented by all employers. For example, employers must develop policies and procedures regarding:
- The use and disclosure of "protected health information" as defined by HIPAA;
- Privacy training polices, and sanction policies for those tasked with implementing the policies;
- A Statement of Rights for employees who are Plan Members; Authorization policies for Plan Members; and
- Documentation and record retention policies for certain actions and records relating to group health plans and benefits under the plans.
Clearly, a detailed discussion of HIPAA requirements is beyond the scope of today’s presentation. This brief summary is meant only to flag HIPAA compliance as an important privacy area for all employers.