Workplace Privacy Flashcards
Workplace Privacy Concepts
Governed by a patchwork of federal, state, and local laws and regulations
What role does Human Resource Management play in workplace privacy?
Must balance the needs of the business with employee privacy obligations.
- Before employment – interviews and employee background screening
- During employment – employee monitoring and working with labor unions
- After employment – employee misconduct investigations and terminations
FTC Role in Workplace Privacy
Regulates unfair and deceptive trade practices. CFPB regulate unfair and deceptive practices and the use of credit reports.
DoL role in Workplace Privacy?
Most directly responsible for employment matters. Oversees the welfare of job seekers, wage earners, and retirees of the US by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefit, helping employers find workers, strengthening free collective bargaining, and tracking changes in employment, prices, and other national economic measurements
What workplace privacy laws are overseen by the DoL?
o FLSA o OSHA o ERISA o EPPA o FMLA
Equal Employment Opportunity Commission (EEOC)
Prevents discrimination in the workplace. Enforces prohibitions on employment discrimination.
National Labor Relations Board (NLRB)
Conducts elections and investigates and remedies unfair labor practices. Regulates the rights of workers to organize in labor unions.
Securities and Exchange Commission (SEC)
Requires reporting of HR information by publicly traded companies.
U.S. Anti-Discrimination Laws
- Title VII Civil Rights Act of 1964
- Americans with Disabilities Act
- Genetic Information Discrimination Act
- Other federal laws protect against discrimination based upon age, pregnancy, bankruptcy, and other characteristics
Title VII Civil Rights Act of 1964
Outlawed discrimination based on race, color, religion, sex, or national origin
Americans with Disabilities Act (ADA)
Bars discrimination against qualified individuals with disabilities.
Genetic Information Nondiscrimination Act (GINA)
Prohibits the use of genetic information in employment decisions
FCRA Employee Background Screening Requirements
Created a national rule for how information is gathered and used pre-employment. FCRA prohibits obtaining a consumer report unless a “permissible purpose” exists. However, permissible purposes include “employment purposes” which in turn include (1) preemployment screening for the purpose of evaluating the candidate for employment and (2) determining if an existing employee qualifies for promotion, reassignment, or retention. FCRA also permits employers to obtain an “investigative consumer report” on the applicant if a permissible purpose exists.
To obtain any consumer report under FCRA, an employee must meet the following standards:
o Provide written notice to the applicant that is obtaining a consumer report for employment purposes and indicate if an investigative consumer report will be obtained
o Obtain written consent from the applicant
o Obtain data only from a qualified consumer reporting agency, an entity that has taken steps to assure the accuracy and currency of the data
o Certify to the consumer reporting agency that the employer has a permissible purpose and has obtained consent from the employee
o Before taking an adverse action, such as denial of employment - provide a pre-adverse action notice to the applicant with a copy of the consumer report, in order to give the applicant an opportunity to dispute the report with a summary of their rights
o After taking adverse action, provide an adverse action notice
2. Retain records for one year under most circumstances. FTC requires secure disposal of records when they are no longer needed.
Adverse Action Notices
- Adverse action was taken based on background information
- Contact information for company providing the report
- Disclosure that the company providing the report did not take the adverse action
- Notice of the right to dispute the report
Personality and psychological evaluations
Personality screening must be done in a way that avoids violating the ADA. Employee Polygraph Protection Act (EPPA) prohibits the use of lie detectors in most employment settings. EPPA and ADA put significant restrictions of psychological examinations in the workplace. Employers must comply with rules limiting lie detectors as well as the ADA prohibitions on the use of medical tests, including those designed to test an impairment of mental health. Employers continue to use psychological tests measuring personality traits such as honesty, preferences and habits in hiring and employments, although one expert report that such tests may be concentrated in specific positions such as management and sales.
Polygraph testing
Employee Polygraph Protection Act of 1988 (EPPA) issued by the DOL, employers are prohibited from using “lie detectors” on incumbent workers or to screen applicants. A “lie detector” is defined to include polygraphs, voice stress analyzers, psychological stress evaluators, or any similar device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty. The law prohibits employers to use these tests, utilize results of these tests, or take adverse action due to knowledge of these tests.
Drug & Alcohol Testing
There are no federal statute that directly governs employer testing of employees for substances such as illegal drugs or alcohol or tobacco. Drug testing may be used in a variety of settings:
o Preemployment – generally allowed if not designed to identify legal use of drugs or addiction to illegal drugs (ADA restrictions)
o Reasonable suspicion – generally allowed as a condition of continued employment if there is “reasonable suspicion” of drug or alcohol use based on specific facts as well as rational inferences from those facts (e.g., appearance, behavior, speech, odors)
o Routine testing – generally allowed if the employees are notified at the time of hire unless state or local law prohibits it
o Post-accident testing – generally allowed to test as a condition of continued employment if there is “reasonable suspicion” that the employee involved in the accident was under the influence of drugs or alcohol
o Random testing – sometimes required by law, prohibited in certain jurisdictions, but acceptance where used on existing employees in specific, narrowly defined jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy, or where testing is critical to public safety or national security.
Social Media
Use information obtained from social media accounts carefully to avoid taking discriminatory action. Employers are generally legally permitted to use social media in informing their decisions, they must not violate existing anti-discrimination and privacy laws. Invasive monitoring practices may provide the basis for discrimination lawsuits if the employer accesses and appears to use information that is legally protected.
Employee Monitoring Technologies
Employees in the private sector do not have privacy expectations within the workplace (except for restrooms and private areas)
Employee Monitoring - Computer usage (including social media)
Monitoring employee computer use is generally permissible.
Employee monitoring - biometrics
The use of biometric information is regulated in Illinois, Texas, and Washington have laws requiring different levels of notice, consent, and security regarding biometric information
Employee monitoring - location-based services (LBS)
Social media may be used to an employer’s advantage for brand awareness but monitoring employees. Monitoring using location-based services may be regulated by state law
Employee monitoring - social media
Employers may monitor employee social media accounts but should not request passwords to personal accounts.
Employee monitoring - e-ail and postal mail
Business may open mail sent to a business address. US federal law generally prohibits interference with mail delivery. Employers can mitigate this risk by advising employees not to receive personal mail at work, declining to read mail once it is clear that it is personal in nature, and maintaining confidentiality for any personal information obtained in the course of monitoring
Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
prohibits the “interception of electronic communications.” Most of the activities an employee engages in while connected to a network (e.g., web traffic, e-mail and instant messenger sessions) qualify as electronic communications for these purposes. Interception means acquiring the contents of such communication during transmission, and “contents,” in turn, is defined to include “any information concerning the substance, purpose, or meaning of that communication.” This means that the ECPA does not prohibit the mere collection of information about the activities engaged in by an employee online (e.g., the time spent online, or the volume of data transferred). Rather, it protects the secrecy of the actual data transmitted to and from an employee’s workstation (e.g., the actual appearance of Web sites visited, form data submitted, subject lines and bodies of e-mails sent and received and transcripts of chat sessions, etc.)
Stored Communications Act
Most employers choose to obtain explicit consent for employee monitoring
Unionized worker issues concerning monitoring in the US workplace
Video surveillance in the workplace must be addressed in union collective bargaining agreements.
1. Employers may not interfere with union organizing activities. Prohibited practices:
o Spying on union activities
o Creating the impression of spying on union activities
o Photographing or videotaping employees engaged in union activities
Data handling in misconduct investigations
Employers should be aware of various issues when investigating an employee’s misconduct.
- Avoid jeopardizing the integrity of the investigation
- Protect information about individuals who are not the target
- Avoid unwarranted reputational damage
- Abide by union collective bargaining agreements
Use of third parties in investigations
When employers use third parties, they may expose themselves to liability under FCRA. FCRA generally requires notice and employee consent when the employer obtains a consumer report. According to an opinion letter issued to the FTC known as the “Vail Letter” if an employer hired an outside organization such as a PI or background research firm to conduct these investigations, the outside organization constituted a “consumer reporting agency” under FCRA.
FACTA changes to FCRA
FACTA changed the definition of “consumer report” under FCRA to exclude communications relating to employee investigations from the definition if three requirements are met:
o The communication is made to an employer in connection with the investigation of: (i) suspected misconduct related to employment, or (ii) compliance with federal state, or local laws and/or regulations, the rules of self-regulatory organization, or any pre-existing written employment policies;
o The communication is not made for the purpose of investigating a consumer’s creditworthiness, credit standing, or credit capacity and does not include information pertaining to those facts; and,
o The communication is not provided to any person except: (i) the employer or agent of the employer, (ii) a federal or state officer, agency, or department, or an officer agency, or department of a unit of general local government, (iii) a self-regulating organization with authority over the activities of the employer or employee, (iv) as otherwise required by law, or (v) pursuant to 15 U.S.C. 1681f, which addresses disclosures to government agencies
Documenting performance problems
- Must be provided to the recipient of adverse action
- Must include the nature and substance of the report
- May exclude witness names
- Must only be shared within the organization or otherwise required by law
Termination of the employment relationship
Departure of employees is a predictable event; IT systems should be designed to minimize the disruption to the company and other employees when a person no longer as authorized access.
Exit Interviews
Provide a chance to debrief departing employees. Use exit interview to remind employees of their NDA.
Transition Management
Basic steps to transition when an employee leaves includes:
- Secure the return of badges, keys, smartcards and other methods of physical access
- Disable access for computer accounts
- Ensure the return of laptops, smartphones, storage drives, and other devices that may store company information
- Seek, where possible, to have the employee return any company data that is held by the employee outside of the company’s systems
- Remind employees of their obligations not to use company data for other purposes
- Clearly marked personal mail, if any, should be forwarded to the former employee, but work-related mail should be reviewed to ensure that proprietary company is not leaked.
Records retention
retain employee records in accordance with records retention policies.
References
Common law poses no duty on a former employer to supply a reference for a former employee, but some modern state statutes do require references for specific occupations. The common law provides what is known as a “qualified privilege” for employers to report their experience with and impressions of the employee, to help in defense against defamation suits. Adopt standard practices for handling reference requests (should be consistent and comply with legal and regulatory requirements)
