Employee Privacy-What Can Employers Monitor?

Last modified on 2011-10-07 12:31:41 GMT. 13 comments. Top.

Can you spy on your employees?  Is it spying if they consent?  Does an employer have to give notice before monitoring employee phone and computer use?  Well, it depends on who owns the accounts and equipment and what the employer’s policies are.

Here’s a breakdown.

Overview by Device/System

Employer Phones:  Employers generally can monitor, listen in and record employee phone calls on employer owned phones and phone systems.  This includes cell phones, voice mail and text messages provided to employees.

For example, in City of Ontario v. Quon (2010), the US Supreme Court found that a police officer’s personal text messages on a government owned pager were not private and the employer/police department had the right to view the messages—even though public employees (unlike private employees) have 4^th Amendment rights against unreasonable search and seizure since their employer is the government.

Personal Phones:  Employers generally cannot monitor or obtain texts and voicemails on an employee’s personal cell phone.  But if you’re spending a lot of time at work loudly talking about your weekend plans, there is a good argument that it wasn’t private and you can be disciplined for not working.

Employer Computers- Again, if the employer owns the computers and runs the network, the employer is generally entitled to look at whatever it wants on the system, including emails.

Personal Accounts:  It depends on the circumstances—whether the use is at work and on employer equipment.  The employer should not look at private emails on a private email account that is password protected by the employee because the employee has a reasonable expectation of privacy, the account is the employee’s, and computer hacking laws provide protection against viewing personal emails without consent.

However, employees should be careful about using those accounts and passwords on employer owned equipment, because that information can be stored in backups, is visible to monitoring software and may not really be private at all.

Several cases involving private emails on employer time and equipment have gone against the employee and determined that the employer’s interception or use of an employee’s personal emails was permitted because of policies that allowed it and implied consent and because the employee was using employer owned computers or sending the emails from work.

Even cases of employees contacting their attorney have gone both ways.   In Stengart v. Loving Care Agency, Inc.  (New Jersey 2010) an employee emailed her lawyer on a company laptop, but through her personal password protected Yahoo account.  The court held the emails were protected by the attorney client privilege, but did not really address the privacy issue.

In Holmes v. Petrovich Development Company LLC (California 2011) an employee contacted her attorney on a company computer with a company email account.  The court found the emails were not protected by either a right of privacy or the attorney client privilege.  Using the company account and system waived the privilege, and company policies precluded any expectation of privacy. The employer had issued policies that company machines could only be used for business and gave notice that employees had no rights of privacy in their use of company equipment.

In Sitton v. Print Direction, Inc. (Georgia, September 2011), an employer did not violate an employee’s privacy rights by accessing an employee’s personal laptop to print out personal email messages.  The employee had been using his personal laptop at work to help his wife run their printing business.  The boss came into the employee’s office and saw the computer screen that had a non-work email open.  Both the trial court and the court of appeal found that the employer had a legitimate interest in investigating whether or not the employee was running another business from the employer’s worksite on the employer’s time and found that printing out the emails was proper.  The employee had to pay the employer damages for breach of the duty of loyalty.

I am not familiar with Georgia law and the duty of loyalty there. But I anticipate there might be a different result in right to work states and states like California, where there is also a Constitutional Right to Privacy.

Surveillance Cameras & Video Monitoring:  An employer can monitor its property with surveillance cameras, especially in public and common areas.  However, certain areas such as locker rooms, changing areas and bathrooms are generally considered private and not subject to monitoring.  Private offices may or  may not be protected depending on the circumstances. (See tomorrow’s piece on Common Law Privacy Rights.) Some states, such as Connecticut, have specific laws restricting how and for what purpose employers can videotape employees.  And state laws on recording conversations apply to video surveillance.

Laws on Phone and Computer Surveillance: 

1.  Electronic Communications Privacy Act of 1986  (part of the Omnibus Crime Control and Safe Streets Act, 18 USC sec. 2510 et seq.). This federal law generally prohibits unauthorized “interception” or access to electronic communications and would include telephone, email and computer use.  However, there are several huge exceptions that basically allow an employer to monitor anything on its own systems.

• Business Exception:  There is a business exception that allows an employer to monitor employee use of its own systems for “legitimate business needs.”  This includes improving customer service, preventing harassment and making sure that people are actually working.
• Consent to Monitoring: If one party to the communication consents to the monitoring, then monitoring is permitted even if the business exception does not apply.  “Consent” requires the employer to give advance notice of its policy to monitor—it does not require the employees to agree.  Consent is implied from the fact that they learned about the policy and decided to keep working there.
• Employer Owned Systems: The owner of the email, IM and phone message systems is also allowed to access the communications even if they are personal.
• Limitations on Employer Monitoring:  No continuous monitoring.  If the call is obviously personal, the employer has to stop listening.  However, the employee can still be disciplined for making personal calls on company time.

2.  Computer Hacking Laws. Using employee passwords to sign-in to their personal or social media accounts can violate state and federal computer hacking laws and constitute identity theft.  All 50 states have laws that prohibit someone from unauthorized access to another person’s computer and online accounts, especially if the intent is to change or modify access or content.   This would include deleting an inappropriate post.

In Pietrylo v. Hillstone Restaurant Group (New Jersey 2009), two employees set up a password protected MySpace account where employees could vent about working at the restaurant.  A manger got a hold of the password and logged into the site to discover disparaging and sexual remarks about management and references to illegal drugs.  The restaurant fired the employees who sued under the computer hacking laws.  The court found for the employees because the restaurant’s employee monitoring policy did not extent to private online communications on a social network outside of work.

3. State Laws on Recording Conversations—States are permitted to make more restrictive laws that protect employees and the public from monitoring, even if the federal law would allow it.  In Maryland, everyone in the conversation must consent before the conversation can be recorded.  California requires that any monitored phone conversation have a beep at certain intervals or there must be a message informing the caller that the conversation may be recorded.  Other states, including Connecticut, New York, Pennsylvania, Colorado and New Jersey, also have laws relating to when a conversation may be recorded.

Take-Away

If the employer owns the system, hardware or both, the employer can monitor employees’ use of it, including personal files and communications.

If the employee owns the system and hardware, the employer’s ability to view and obtain personal files depends on the whether the employee is using it at work, whether the employer has a legitimate interest in viewing the communication, what the state’s laws and employer’s policies are, and what the employee’s objective expectations of privacy are.

With the blending of work and personal lives on social media and through initiatives to improve employee engagement and create a friendlier, more personal culture at work, it’s essential that employers look this issue. Just because you can legally monitor something doesn’t mean that you should or that it is good management practice.  If you want a relaxed work environment where employees are trusted and treated as grown-ups, monitoring and discipline over personal phone and computer use will not promote your cause.  But if you are dealing with sensitive information that requires higher levels of security, then you may need to monitor to protect the business. But you can’t have it both ways.

Tomorrow-Common Law and Off Duty Privacy.

Employee Privacy 2 – When It’s Personal

Last modified on 2011-10-07 12:31:09 GMT. 2 comments. Top.

I get a lot of questions about employee privacy—what’s protected, what’s not and where. They are always really great questions because this area of law is unclear and developing quickly related to employee social media use.  Yesterday I talked about monitoring employees’ computer, phone and Internet use.  Today I’m looking at the more general privacy rights and how employers should handle them.

All Employees Have Some Privacy Rights

Privacy rights come from different kinds of laws. They can be based on specific statutes like HIPAA (privacy for medical information) GINA (privacy for genetic information) or computer hacking laws.

Privacy rights can also come from a constitutional provision or concept.  For example, the California Constitution has an express “right to privacy.”  The US Supreme Court has also recognized privacy rights based on federal constitutional rights to be free from governmental search, and First Amendment rights of expression, religion and association.

Courts also recognize common law privacy rights based on general tort law that protects against other people interfering with our person and property.

Common Law Privacy.

Common law means that courts have recognized a legal principle, but there may or may not be a statute about it.  All states generally recognize there are certain things that everyone has an expectation of privacy about.

• Physical and Sexual privacy—other people should not be able to see you naked unless you want them to.  And even then, their privacy rights may protect them from having to.
• Privacy in our homes –to do the things we want to do without surveillance or interference (unless it’s illegal).
• Medical Privacy—personal health information is, well, personal. So employees aren’t usually required to disclose that information; and employers generally can’t release it to other people.
• Financial Privacy—taxes and personal finances are private and do not have to be disclosed, except when there is a legitimate “need to know.”

When dealing with common law privacy issues, you look at three issues:

1. Whether there is a reasonable expectation of privacy;
2. Whether the interference was a significant intrusion; and
3. Whether there is a strong and legitimate reason or public policy for disclosing something, even if it is private.

Expectation of Privacy: This is an objective standard based on how a reasonable person would view the circumstances.  Most people would agree that having sex is private, but having sex in a glass elevator is not.  Seeing people at work is not private, but seeing people in the bathroom or shower is private.  So surveillance cameras in restrooms or locker rooms at work is generally considered a violation of common law privacy rights—even if it is there for a supposedly legitimate reason—like to deter theft from lockers

Significant Intrusion: The invasion part is usually pretty easy to figure out.  You ask whether it’s something people generally consider personal or private, whether it has been voluntarily or involuntarily disclosed and how big a deal it is.

Overhearing a snippet of someone’s personal call when the office door was open is not a significant intrusion.  Coming in when the door is closed and plopping down in a chair while someone discusses her tax audit with the IRS or is on the phone with her doctor about test results would be a significant intrusion.

Legitimate Reason for Disclosure:  If the employer has a legitimate reason for requiring the information, it will often be allowed to find out.  For example, employers can run credit checks and background checks on applicants for jobs where the employee will be responsible for handling money.  Employers can drug test applicants who will be driving  buses or operating dangerous machinery because it involves the physical safety of the employee and the people around him.

The law in its infinite, but really confusing, wisdom is often an evaluation about whether something is reasonable under the circumstances and whose rights outweigh the other’s.

What to do:

First, check to see if there is a law in your state that covers the situation.  There are laws regarding when employers can do background checks, obtain credit reports, and how and whether they can use medical information about employees.

In addition, some states including California, Connecticut, North Dakota and Colorado protect employees from discipline or discharge for off-duty conduct

If there is no specific law that covers the situation, but the employer believes it has a legitimate interest in knowing something about an employee, then ask these questions:

1. How personal is the information?  Does it have to do with someone’s body, sex life or preferences, health, finances or family?
2. Has the employee voluntarily disclosed the information or are you finding out from another source?  Posting something on twitter, facebook or drunken emails are voluntary disclosures by the employee.
3. Does the employer have a legitimate interest in the information that directly relates to the performance of the job by the employee?
4. How big a deal is it to both the employer and the employee?

Here is a true example, and how I would think about these questions.

An employee gets extremely drunk after work and passes out on the street.  His friends take pictures and tag the employee on Facebook.  A manager is “friends” with the employee and realizes that a company employee was passed out in public –where any of the company’s clients could have seen it. The employer is mortified and wants to fire him.

1. How personal is it?  Off-duty conduct would normally not be any of the employer’s business.  However, the employee was in public where people could see him.  If it was at a professional conference, it may not be considered off-duty.  But if it was in Las Vegas where everyone else was drunk too, better find out what the boss did that night before disciplining the employee.
2. Did the employee-voluntarily disclose the information?  Not directly. But by getting really drunk in public, having managers as Facebook friends, and “friends” who post pictures of you doing stupid things, makes the whole “expectation of privacy” argument pretty weak.
3. Does the employer have a legitimate interest?  Generally the employer has an interest in its reputation in the community, but not at the expense of its employees’ personal privacy and freedom to live their lives outside of work.   It’s generally a bad idea to discipline people for off-duty conduct unless it is a really big deal that directly affects the employer.
4. How big a deal is it?  Who actually saw the employee passed out on the street corner?  How long was he there?  Were there any other comments about it from a client or anyone outside the company?  What is the employee’s job?  Would people even know who he was, or where he worked?  Are there any other signs of substance abuse problems affecting the employee’s work?  Did he puke?

Before digging into employees’ personal lives, even if the employer wants or “needs” to know, it is important to consider the whole picture and the interests involved.  If the questions above, don’t get you to the answer, and you need a clear rule, then here’s one from this legal department:  When in doubt, stay out.

Next:  Employee Privacy and Social Media

Employee Privacy 3 – Social Media

Last modified on 2011-10-07 12:42:41 GMT. 4 comments. Top.

This is the third of a 3 part series on employee privacy.

The first post on monitoring explained that employers could monitor employees’ use of computers and phones if the employer owns the systems and hardware and the use is for work or during work time.

The second post on what’s personal explained that all employees have common law privacy rights in information about their personal lives, health, finances, sex lives, off-duty activity and personal email and phone accounts.

Social media is where an employee’s work life and personal life often collide.  In figuring out how to handle employee use of social media and privacy, here are the things to think about.

Who owns the Account and Content?

If the account is in the employee’s name, then it’s the employee’s personal account.  This is because employees have intellectual property rights to their names and likenesses, they signed up for the account, and they agreed to the End User License Agreement (EULA) that usually states the user owns the content.

But if the account is in the employer’s name, and the content is generated as part of the employee’s job, then the account belongs to the employer.  This is because the employee signed up for the account as an agent of the employer, and the content is owned by the employer under the work-for-hire doctrine.

Here’s more on who owns the contacts and content, and on copyright in social media accounts.

Is the Account Password Protected and What are the Privacy Settings?

Password and privacy settings relate to whether the information is public or private, and what the employee’s reasonable expectations of privacy are.

For example, my (and all) tweets on Twitter are public. I generally make my posts on Google+ public.  If not, it’s because I’m sending the information to a particular audience, not because it is private. My articles on HR Examiner are public.  I have no expectation of privacy in any of those posts.

But my Facebook account is private. My security settings are to “friends only.”  And I am generally not “friends” with people I only have business relationships with.

I do have passwords on each of those accounts and I am the only one who gets to post to my twitter, G+ and Facebook accounts.  If someone else got into those accounts and either posted something, or changed or deleted something I had posted, it would violate both my privacy and computer hacking laws.  There may also be identity theft issues.

Does the Post Relate to Work or Personal Life?

Employees have common law privacy rights in their off-duty conduct.  They also have privacy rights to medical and financial information, and the intimate details of their family and personal lives.

Employees don’t have privacy rights in information that is public, things they disclose publically, and information that would be personal, but the employer has the legal right to ask (like background checks for positions that require security clearance).

Employees do have rights to bitch about the employer on social media—either because it is their private account or because it is protected, concerted activity that is protected by the National Labor Relations Act.  More about protected concerted activity and the recent NLRB report here.

What is the Employer’s Interest in Employees’ Social Media Accounts?

Employers potentially have legitimate interests in an employee’s use of her personal social media accounts:

• to protect the employer’s trade secrets and confidential data about the employer and other employees;
• to avoid liability for defamation;
• and maybe to avoid damage to its own reputation and brand.

Trade Secrets: The right to protect confidential data and trade secrets is legitimate and well established.  Disciplining or firing an employee for disclosing trade secrets in any context would be upheld by the courts.

Defamation: Avoiding risk of liability for defamation is trickier.  Generally, the employer will not be responsible for statements by the employee unless it was in the course of her responsibilities for the employer; it was reasonable for the audience to believe the statement was made on behalf of the employer; or the employer controls what employees can say and cannot say on social media.

Under agency law, if you control it, you are responsible for it.  So issuing a policy that gives the employer the right to control what employees say in their personal social media posts, actually creates risk of liability rather than prevents it.  In other words, if employers want to manage risk, they will stay out of their employees’ social media accounts.

More on defamation and behaving badly online here.  And here are some other reasons your social media policy could backfire.

Reputation/Brand: Not looking bad in public is the issue employers often worry about most.  But this usually isn’t a legal issue–unless the employer is getting in trouble with the NLRB, employee privacy, or creating risk of liability by trying to control what employees say and don’t say in their personal social media accounts.

Your company’s reputation really depends on its marketing, what it’s like to work there, and how it does business.  Not whether employees are griping about it on Twitter.

If you’re managing your employees social media use to control your brand—you are probably just undermining both your employment brand and how your employees perform at the real work the company does.

Workforce analytics: What is there to get?

Last modified on 2011-10-07 12:46:09 GMT. 3 comments. Top.

Kelly Cartwright, HRExaminer Editorial Advisory Board Contributor

Kelly Cartwright is Vice President, Corporate Development at SourceRight Solutions and a member of the HRExaminer Editorial Advisory Board. Recognized as one of the Top 100 HR Influencers by HR Examiner, Cartwright has more than 15 years of experience in the Human Capital Management industry with deep expertise in the rapid development, delivery and implementation of professional services and technology solutions. Prior to joining SourceRight Solutions, she was the general manager of The Newman Group, a Futurestep Company. Full Bio »

Workforce analytics: What is there to get?

by Kelly Cartwright

For decades, the subject of metrics and reporting has caused heartburn for HR and business leaders alike.  Now there’s “workforce analytics.”  Like workforce planning and integrated talent management, the promise of analytics is easy to evangelize and difficult to achieve. You might look around and conclude that other companies are somehow doing better. It seems like everyone else is winning the race. Of course, this is simply not true.

A 2009 IBM whitepaper, Getting Smart About Your Workforce: Why Analytics Matter, still resonates today; and it notes that approximately 40% of survey respondents claimed to be able to obtain basic workforce data. That means 50 to 60% of respondents did NOT capture basic workforce data.  Capability has grown since then, but most would agree that workforce analytics is still an unrealized promise for a significant proportion of companies today.

The report cites some unsurprising barriers to effective analytics, including “data consistency, systems integration, information accessibility and analytic capabilities of end users.”  Clearly, implementing a workforce analytics function is a feat of human nature, as well as of process and technology.  So, with that in mind, I will ask, “What do companies need to get in order to achieve an effective workforce analytics capability? I see three main areas.

Getting on the same page: measures, metrics, analytics

Measures, metrics and analytics are not the same.  A GPS navigator provides all three.  Miles and hours are types of measures.  The navigator applies these measures to achieve meaningful metrics for tracking progress: miles per hour.  It applies those metrics to calculate travel time, and it tells you when you can expect to arrive. This last piece is an analytic. It is specific. It is predictive, and it illustrates one of the main hurdles companies face: they don’t always agree on their destination, let alone the measures and metrics involved in getting there.

Getting people on the same page about analytics is a challenge in itself. It’s about gathering the stakeholders, from business and from HR, in the same room. It means speaking the language of business to agree on the goals they’re trying to track.   In an excellent “Focus” roundtable, Workforce Analytics: a Distinct Competitive Advantage, Jay Kuhns, V.P. of Human Resources for All Children’s Hospital speaks of getting business leadership to embrace workforce data “in the same way they might embrace end-of-the-month financial data.” Companies aren’t there yet, but there is some agreement on the basics. Business leaders and HR are beginning to talk the same language.

Getting the complete picture: Contingent, Full-time and Contract Workers

An elephant in the room when it comes to workforce analytics is that it is not easy to even determine who your entire workforce is. This is due in large part to the growth of temporary, contract and contingent labor.

A New York Times article recently observed that 26% of new workers added to the US workforce between 2009 and 2010 were temporary.   The August Bureau of Labor Statistics release cites approximately 28 million part-time workers out of the total July 2011 US workforce of 140 million.   If you ask around you are likely to hear business leaders speak of anywhere from 5% contingent and contract workers all the way up to 40% in their organizations…or, they may say they don’t know what percent of their workforce is contingent.  That’s the elephant.

It’s difficult to effectively manage a workforce when you can’t account for a quarter of your labor.  How do you know where your contingent workforce is? How do you assess them, pay them, measure their performance, ensure compliance, and all those things that you do for FTEs? How do you do all these things globally and consistently?  Once again, understanding and tracking the contingent workforce takes commitment and agreement from across the company, as well as among associated vendors, on a common process, technology and data.

The good news is that the industry is recognizing this demand for meaningful intelligence around the contingent workforce. Mature solutions, in both technologies and managed services, are giving companies the ability to measure, manage and improve the way they attract, engage and deploy their contingent workforce. How companies use those resources varies, but the trend is growing.

Getting predictive: analysts call it mature, CEOs call it useful

Finally there is the challenge of making workforce analytics work. Last year’s data  about employee engagement, turnover, availability of skills in key positions, and productivity may be nice to have, but the goal is to ensure that you have the right person, at the right time and the right cost moving forward. That requires analytics that are predictive.

Predictive analytics require a stable base of relevant data, a clear link between data and business goals, solutions with the horsepower to crunch that data, and the willpower to commit the resources to make it work. Deloitte proposes a practical maturity model in its recent report on the subject.  In this scale, the least mature (non-existent analytics) is probably just as uncommon as the most mature (sophisticated predictive modeling capability), with most organizations falling somewhere in between, using available data to support strategic decisions.

Of course, people will naturally want analytics to tell a story…to tell their story. When is workforce analytics information broad enough and detailed enough to give us the ability to make decisions based on what it says, as opposed to using it to support a business case that we make outside of it? The answer to that question may be never. People will always make the ultimate strategic decisions, but analytics are now growing sophisticated enough to reveal the results likely to be achieved by certain decisions, and the detail needed to take the right course.

Moving Forward: To Wade In or to Dive?
Companies are constantly struggling with the economic complexity of globalization, uncertain growth, changing demographics and shrinking pools of critical talent. The visibility that workforce analytics can offer is a competitive advantage in such foggy times. Many organizations are “wading into the pool” when it comes to workforce analytics. They are making incremental advances to solve specific challenges, but they may not have the resources or universal mandate to make it priority. Others may be diving in, creating an integrated long-term strategy for evolving an advanced, predictive capability.

Where is your organization on the analytics curve? Is there data? Is there technology? Is there agreement? No one has everything, but we’re all being pushed in the right direction.