Skip to content Skip to footer

Table of contents

This Massachusetts Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Privacy rights — Massachusetts

 

Technology in the workplace has evolved dramatically in recent years, bringing with it additional privacy concerns and greater security measures for employers, such as key cards, password encryption, audio, and video surveillance, and Internet monitoring devices. In particular, monitoring technology assists an employer in keeping its workplace secure, and preventing employee misconduct, such as inappropriate Internet use, fraud, or theft.

To this end, technological advancements allow companies to “supervise” their employees on a much wider scale. However, employers must also be mindful of applicable state and federal laws which may protect employees from unreasonable invasions of privacy. 

As employers have greater means to oversee their employees’ conduct, the risk of employee claims rises correspondingly. Federal law and Massachusetts laws both recognize that employees have privacy interests in their personal information. Accordingly, an employer must consider these competing interests when it monitors its employees’ conduct. 

As an employer drafts a monitoring policy and establishes security measures, it must be aware not only of federal and state laws, but also of the effect of its policy on worker morale. A monitoring policy that is legal, but that employees view as unfair or unnecessary, may create distrust in the workplace and ultimately decrease productivity. 

Employer's responsibilities 

Employers must be aware of the rigorous privacy law in Massachusetts. In Massachusetts, an individual has a right against unreasonable, substantial, or serious interference with privacy. Generally, to determine whether an employer has violated an employee’s privacy, it weighs both:

  1. the employer’s legitimate business interest
  2. the nature of the employee’s privacy right.

In an employment situation, interference with privacy becomes a concern in any of the following situations:

  • alcohol and drug testing
  • gathering medical and other personal information
  • conducting surveillance
  • eavesdropping or wiretapping
  • obtaining certain confidential information to determine eligibility for employment. 

Generally, it is advisable for an employer to obtain the written consent of employees before partaking in these types of activities. In Massachusetts, courts balance the employer’s interest in conducting the activity against the employee’s right to privacy to determine whether the interference is reasonable.

Expectation of privacy

Employees may have a reasonable expectation of privacy in their workspace, desk, files, lockers, or briefcases. An employer may reduce the employees’ expectation of privacy by notifying employees in advance that:

  • these areas may be searched
  • employees should not store personal information in these areas. 

To the extent that an employer wishes to implement a policy providing that employee work spaces, desks, files, lockers, and other areas are subject to search, the employer should publish the policy and distribute it or post it.

Monitoring or intercepting electronic communications in the workplace

The law in this area is murky and evolving, but an employer can likely monitor and intercept its employees’ electronic communications – including emails and text messages – in the workplace, provided that it both:

  1. has a legitimate business interest in doing so
  2. has instituted an electronic communications policy that notifies employees that their electronic communications in the workplace are being monitored and that they have no expectation of privacy in any such communications.

The law governing the privacy of electronic communications distinguishes between such communications in transit Title I of the Electronic Communications Privacy Act (ECPA), on the one hand, and in storage (Title II of the ECPA) on the other.

In general, the law prohibits the “interception” of electronic (and non-electronic oral) communications ­–­ such as the “acquisition of the content” of any wire, electronic, or oral communications through the use of any electronic, mechanical, or other device of electronic communications – in transit.

This general prohibition has three important exceptions that may apply to an employer's interception of its employees’ electronic communications:

  1. The service-provider exception - This exception enables owners of a communications system (such as a server) to routinely review communications in order to manage and safeguard the system’s information. Thus, to the extent that an employer owns the server through which its workplace electronic communications occur, it may engage in a routine review of those communications in order to manage and safeguard the system's information.
  2. The business use exception - This exception applies to interceptions made in the normal course of the electronic communication provider’s business. In order for this exception to apply, the intercepting equipment must be “furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of business” and the interception must be used by the provider “in the ordinary course of its business.” Thus, where employees use the telephone to conduct their business and the employer routinely uses monitoring equipment such as a telephone extension to check quality and customer service, the monitoring likely falls within the business use exception.
  3. The consent exception - If one party to the communication consents to being monitored, there can be no “interception” of the communication. Thus, where an employee has consented to the monitoring of his or her workplace electronic communications, the law’s prohibition against interception and monitoring will not apply. Significantly, the employer need not obtain express consent to avoid violation of the ECPA; rather, if the employer implements a policy permitting employer monitoring of email, voicemail, and telephone calls and requiring employees to acknowledge their understanding of that policy, consent will be implied. 
    However, the employer must be clear in its policy about what communications it monitors. If an employee consents only to monitoring of his or her business-related calls, he or she will not be deemed to have consented to the monitoring of personal calls. Conversely, a court would find that when an employee uses a line knowing that it is monitored for business purposes, the employee has consented to the monitoring. Written consent by an employee is the strongest defense against an ECPA claim. That said, courts are far less inclined to allow interception of employee communications where employers are attempting to monitor the content of personal phone calls. In monitoring communications, an employer should stop the interception as soon as it realizes that the communication is of a personal nature.

As noted previously, the laws restricting the interception of electronic communications also apply to certain non-electronic oral communications. Specifically, the “oral communications” to which the laws apply include any utterance by an individual “exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” In other words, if parties communicate in a private manner, it likely constitutes an “oral communication” to which the laws against interception apply. Thus, conversations between employees, even in a public workspace, may sometimes be protected “oral communications” if spoken beyond the hearing range of others.

With respect to stored electronic communications and data – including computer files and archived email messages – the law prohibits the unauthorized access, interception, and disclosure of such data and communications. There is an important exception to this prohibition, however, for conduct authorized “by the person or entity providing a wire or electronic communications service.” Thus, employers that provide electronic communication services to their employees may access messages once they are stored in its computer or telephone systems, without notifying employees that they have done so. The exception likely does not apply, however, to email systems that are exclusively internal to the employer (for instance, does not provide for or allow communication with those outside the organization). 

An employer’s violation of these laws can have serious consequences. The ECPA, for instance, provides individuals with a private right of action, and allows for the recovery of actual and punitive damages, as well as attorneys’ fees and costs. It also provides for statutory damages, which usually are awarded in daily increments of $100 dollars a day, and capped at $10,000. Damages are awarded on a daily basis even though many different types of violations may happen within the course of the same day.

Finally, other federal laws affect workplace privacy issues and, in some cases, impose additional requirements on employers with respect to their employees’ personal information. The Health Insurance Portability and Accountability Act (HIPPA) restricts access to personal health information and imposes obligations on employers to safeguard such information concerning its employees. In addition, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act gives certain government agencies more extensive search powers than the previously had, including easier access to employers’ (and others’) communications systems.

Other sources of privacy rights

Employers should also monitor new regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act, which restricts access to personal health information. See Health insurance portability and privacy for more information.

In addition, multinational companies should be aware of international laws that restrict access to personal information. For instance, the European Union’s data privacy directive requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information.

Protecting personal information

Massachusetts has enacted a data privacy law to safeguard the personal information of Massachusetts residents in both paper and electronic records. The law’s regulations require that employers take certain measures to ensure the security and confidentiality of personal information and protect against unauthorized use of employee data.

Application

The obligations of the data privacy law are broad. They apply to all businesses that employ Massachusetts residents, at least to the extent that the business maintains any employee records containing “personal information.” “Personal information” is defined to include a resident’s:

  • last name, first name, or first initial
  • and either their:
    • Social Security number
    • driver's license number or state issued identification card number
    • finanical account number or debit or credit card number.

In light of this expansive definition, nearly all employers that maintain personnel or payroll information are covered by the law.

Requirements

The regulations impose a duty to protect the security and integrity of personal information. This duty includes the creation of a written, comprehensive information security program that contains administrative, technical, and physical safeguards to protect against both internal and external risks to the integrity of personal information. The required safeguards depend on:

  • the size, scope, and type of business
  • the amount of resources available to the business
  • the need for the security and confidentiality or information at hand. 

Moreover, the revised regulations significantly amend the prior regulatory requirements. The specific requirements are detailed below.

Security plans

At a minimum, all security plans must include:

  • designation of one or more employees who maintain the plan
  • an identification and assessment of foreseeable risks to the security of personal information (both internal and external), and evaluation and improvement (as necessary) to safeguards, including ongoing employee training, employee compliance and means for detecting/preventing security failures
  • security policies regarding whether and how employees may keep, access, or transport records outside of the business
  • disciplinary measures for violations of the plan
  • steps for preventing access to personal information by terminated employees
  • steps to ensure third-party providers comply with the regulations
  • reasonable restrictions on physical access to personal information
  • regular monitoring to ensure effectiveness of the plan and need for upgrading
  • review of the plan on at least an annual basis
  • documentation of responsive actions in connection with any breach of security and mandatory post-incident review of such actions.

Safeguards

In addition, the new regulations require to be used by businesses, to the extent safeguards are “technically feasible.” These safeguards include:

  • secure user authentication protocols, including:
    • control of user IDs and other identifiers
    • secure method of selecting passwords or other user identification technologies (such as biometrics or token devices)
    • control of data security passwords
    • restricting access to active users
    • blocking access for failed access attempts
  • secure access control measures, including:
    • restrictions on access to only those with a need to know
    • unique IDs, plus passwords
  • encryption of all publicly transmitted personal information (for instance, Internet and wireless communications)
  • monitoring for unauthorized access
  • encryption of personal information stored on laptop/portable devices
  • firewall protection for systems connected to the Internet
  • malware/virus protection
  • education and training of employees.

The determination of whether a business’ electronic information systems comply with these new regulations is highly technical, and will likely require the assistance of information technology professionals.

Employee training

The regulations require that employers provide employees with training on the plan. In particular, the regulations require education and training of appropriate employees on the proper use of computer security systems and the importance of personal information security.

Third-party vendors

The regulations state that businesses must require third-party vendors to agree by contract to implement appropriate security measures to protect personal information. However, the recently revised regulations provide a window of time for businesses to amend third-party service provider agreements that are not compliant with the regulations. The regulations allowed for the use of non-compliant contracts until February 25, 2010, provided that such contracts were entered into prior to March 1, 2010 and were appropriately amended by March 1, 2010.

Notification of security breaches

Employers should also be mindful of the requirement to provide notice of a known or suspected breach of the security of personal information. Massachusetts law requires businesses that maintain or store personal information to provide notice immediately of such breach to all of the following:

  • the attorney general
  • the Director of the Massachusetts Office of Consumer Affairs and Business Regulation
  • the affected employee. 

The statute requires specific information be provided in such notices. The notice to the affected employee must include:

  • the consumer’s right to obtain a police report
  • how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze
  • any fees required to be paid to any of the consumer reporting agencies. 

The notice must be provided as soon as is practicable.

The notice to the attorney general and the director of consumer affairs and business regulation must include:

  • the nature of the breach
  • the number of residents of Massachusetts affected by the incident at the time of notification
  • any steps the person or agency has taken or plans to take relating to the incident.

The Attorney General’s Office may seek civil penalties for violations of the statute, which may include penalties of up to $5,000 per violation, as well as costs of investigation and enforcement (including reasonable attorneys’ fees).

Common issues concerning privacy

Surveillance

The use of video cameras to monitor employees at work may interfere with employee privacy rights. Video monitoring brings both federal and Massachusetts law into play:

  • Video surveillance may violate an employee’s right against unreasonable interference with privacy under Massachusetts law. As a general rule, the employer interferes with an employee’s privacy rights when it uses video surveillance in spaces where an employee has a reasonable expectation of privacy (such as bathrooms, locker rooms, or other locations where employees generally expect to be private).
  • Video monitoring has the potential to violate federal and state wiretap statutes. Silent video surveillance does not implicate the Wiretap Act, however, videotaping that includes an audio signal constitutes “interception” of an oral communication. An employer may avoid liability by conducting surveillance without audio recording or, as with other interceptions, by obtaining written consent from employees.
  • Federal labor law may limit the use of video monitoring and other surveillance. The National Labor Relations Board (NLRB) held that a company committed an unfair labor practice when it failed to bargain with its employees’ union regarding the use of surveillance cameras. According to the Board, a labor union has a statutory right to bargain with employers over the activation of video cameras, the placement of cameras, and the discipline of employees who are observed engaging in misconduct.

The use of Global Positioning System (GPS) devices in a company car or otherwise to monitor the whereabouts of employees is a form of surveillance that may also implicate employee privacy rights. Under Massachusetts law, as noted earlier, courts weigh the employer’s legitimate business interest in obtaining the information in question against the degree of intrusion on the employee’s privacy. Accordingly, a Massachusetts employer wishing to track the location of its employees using GPS devices should tailor the scope of its tracking to the business interest justifying its action – and it should also notify the employee and get his or her consent. 

Workplace searches

Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse, and other wrongdoing. In light of post-9/11 security concerns, employers also have an interest in ensuring workplace safety. Employee searches are one way that employers may prevent wrongdoing and maintain a safe work environment, however, employers must recognize that there are limits as to how they conduct these searches.

Searches at work may take a number of forms. Sometimes the employer needs to search company property – such as offices, desks, drawers, computers or lockers – that the employer provided to the employee for use at work. The employer may also want to search the property of an employee, such as a purse, gym bag, or briefcase. Finally, an employer might search an employee’s person, such as with a pat-down search, or his or her car while it is on the employer's premises. These searches, some of which are more intrusive than others, may constitute an invasion of employee privacy rights.

Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, are generally permissible if the employer has a legitimate business reason and the search is limited to that which is necessary. The employer should contact the employee before conducting this type of search.

Investigatory searches, such as a search for illegal drugs or a concealed weapon, should generally be limited to situations where the employer has a specific reason to believe an employee is engaged in wrongdoing and where the employer believes that the contraband would compromise the safety of other employees or the public. 

An employer may limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in a handbook or by posting a policy, that it may search lockers, desks, and offices periodically.

Another way employers may monitor employees is by:

  • conducting investigations
  • making inquiries to others about the employee
  • reviewing prior employment records, credit reports, and school records (see also Background checks)
  • investigating workplace harassment or other wrongdoing.

There are many legal issues related to employer investigations, which are covered in Workplace investigations.

Testing

Employee testing is yet another way to monitor workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for a psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by statutes such as the Americans with Disabilities Act (ADA) (see Disabilities and reasonable accommodation). Testing for illegal drugs is not covered by the ADA, however, Massachusetts courts have used the privacy statute to limit the occasions when an employer may conduct this type of search (see also Background checks). Psychological tests may have an adverse impact on certain legally protected classifications of employees and, therefore, may raise an inference of discrimination. Employers should work with an attorney to develop testing policies that comply with all applicable employment laws.

Guidelines employers should follow

The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers must continually keep abreast of new developments in the law. Nonetheless, there are certain general guidelines that employers may follow to avoid liability arising from monitoring policies and procedure manuals:

  • Determine how the relevant state and federal laws affect monitoring policies. The law in this area is evolving, and practices that are acceptable today may incur more risk in the future, so be mindful of pending legislation. Because many monitoring systems are costly to design and implement, an employer should consider future legal developments when planning to institute a new monitoring policy.
  • Inform employees in writing of the ways in which the employer plans to monitor them. By giving employees notice, the employer diminishes any reasonable privacy expectations they might have in their workplace actions. Written notice is also critical for establishing that the employee has consented to monitoring, placing the employer in a strong legal position to defend alleged privacy violations. Consider consulting an attorney for assistance to draft and obtain consents that will be the best shield to liability.
  • Create a well-written policy regarding information technology practices and provide it to employees. Employees generally want to know the policies regarding email, telephone use, and other forms of office communication, so it is critical to formulate a reasonable and well thought-out policy for technology use. Make clear to employees that work communications, including voicemail and email, can and will be monitored, and explain that the employer is the sole owner of electronic communications.
  • Forbid defamatory, offensive, and abusive communications. Make efforts to prevent communications that could amount to defamation, slander, verbal abuse, harassment, or trade disparagement of employees, customers, clients, vendors, competitors, or any person or entity. Communications that are harassing or threatening – including derogatory comments based on race, national origin, marital status, sex, sexual orientation, age, disability, pregnancy, religious or political beliefs, or any other characteristic protected under local, state, or federal law – should be forbidden.
    • Note: Be cautious about total prohibitions against non-work-related communications. Union-related emails or postings should not be prohibited provided employees are allowed to make other non-work-related communications on the same systems.

  • Justify employee monitoring from the start with legitimate business interests. An employer should be able to list the reasons for monitoring and the business interests served by the monitoring, such as preventing unacceptable levels of personal technology use, maintaining productivity and high levels of employee service, and ensuring that employees abide by local, state, and federal laws.
  • Be vigilant in enforcing a policy of keeping business lines open for business purposes only and not for personal calls. However, do not monitor an employee’s personal calls.
  • Inform callers that their phone calls may be monitored. Callers may be informed through a recording at the beginning of the call.
  • Tailor monitoring so that sensitive information is disclosed only to individuals who have a legitimate need to know the information. Use the information for lawful business purposes only, and limit dissemination of the information to individuals with a legitimate need to know, such as upper level management or law enforcement officers.
  • On a regular basis, review the policies regarding employee privacy and access to communications and information, as well as the relevant law governing such issues. Because this area of the law is rapidly evolving, it is important to keep up with developments that may impact existing privacy policies.