Technology in the workplace has evolved dramatically in recent years, bringing with it additional privacy concerns and greater security measures for employers, such as key cards, password encryption, audio and video surveillance, and Internet monitoring devices. In particular, monitoring technology helps an employer keep its workplace secure and prevent employee misconduct, such as inappropriate Internet use, fraud, or theft.
To this end, technological advancements allow companies to “supervise” their employees on a much wider scale. However, employers must also be mindful of applicable state and federal laws which may protect employees from unreasonable invasions of privacy.
As employers have greater means to oversee their employees’ conduct, the risk of employee claims rises correspondingly. Federal law and Massachusetts laws both recognize that employees have privacy interests in their personal information. Accordingly, an employer must consider these competing interests when it monitors its employees’ conduct.
As an employer drafts a monitoring policy and establishes security measures, it must be aware not only of federal and state laws, but also of the effect of its policy on worker morale. A monitoring policy that is legal, but that employees view as unfair or unnecessary, may create distrust in the workplace and ultimately decrease productivity.
Employers must be aware of the rigorous privacy law in Massachusetts. In Massachusetts, an individual has a right against unreasonable, substantial, or serious interference with privacy. Generally, to determine whether an employer has violated an employee’s privacy, a court weighs both:
In an employment situation, interference with privacy becomes a concern in any of the following situations:
Generally, it is advisable for an employer to obtain the written consent of employees before partaking in these types of activities. In Massachusetts, courts balance the employer’s interest in conducting the activity against the employee’s right to privacy to determine whether the interference is reasonable.
Employees may have a reasonable expectation of privacy in their workspace, desk, files, lockers, or briefcases. An employer may reduce the employees’ expectation of privacy by notifying employees in advance that:
To the extent that an employer wishes to implement a policy providing that employee work spaces, desks, files, lockers, and other areas are subject to search, the employer should publish the policy and distribute it or post it.
The law in this area is murky and evolving, but an employer can likely monitor and intercept its employees’ electronic communications – including emails and text messages – in the workplace, provided that it both:
The law governing the privacy of electronic communications distinguishes between such communications in transit (Title I of the Electronic Communications Privacy Act (ECPA)), on the one hand, and in storage (Title II of the ECPA), on the other.
In general, the law prohibits the “interception” of electronic (and non-electronic oral) communications while in transit – that is, the “acquisition of the content” of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.
This general prohibition has three important exceptions that may apply to an employer's interception of its employees’ electronic communications:
As noted previously, the laws restricting the interception of electronic communications also apply to certain non-electronic oral communications. Specifically, the “oral communications” to which the laws apply include any utterance by an individual “exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” In other words, if parties communicate in a private manner, it likely constitutes an “oral communication” to which the laws against interception apply. Thus, conversations between employees, even in a public workspace, may sometimes be protected “oral communications” if spoken beyond the hearing range of others.
With respect to stored electronic communications and data – including computer files and archived email messages – the law prohibits the unauthorized access, interception, and disclosure of such data and communications. There is an important exception to this prohibition, however, for conduct authorized “by the person or entity providing a wire or electronic communications service.” Thus, employers that provide electronic communication services to their employees may access messages once they are stored in the employer’s computer or telephone systems, without notifying employees that they have done so. The exception likely does not apply, however, to email systems that are exclusively internal to the employer (for instance, a system that does not provide for or allow communication with those outside the organization).
An employer’s violation of these laws can have serious consequences. The ECPA, for instance, provides individuals with a private right of action, and allows for the recovery of actual and punitive damages, as well as attorneys’ fees and costs. It also provides for statutory damages, which usually are awarded in daily increments of $100 a day, capped at $10,000. Damages are awarded on a daily basis even when many different types of violations occur within the course of the same day.
Finally, other federal laws affect workplace privacy issues and, in some cases, impose additional requirements on employers with respect to their employees’ personal information. The Health Insurance Portability and Accountability Act (HIPAA) restricts access to personal health information and imposes obligations on employers to safeguard such information concerning their employees. In addition, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) gives certain government agencies more extensive search powers than they previously had, including easier access to employers’ (and others’) communications systems.
Employers should also monitor new regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act, which restricts access to personal health information. See Health insurance portability and privacy for more information.
In addition, multinational companies should be aware of international laws that restrict access to personal information. For instance, the European Union’s data privacy directive requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information.
Massachusetts has enacted a data privacy law to safeguard the personal information of Massachusetts residents in both paper and electronic records. The law’s regulations require that employers take certain measures to ensure the security and confidentiality of personal information and protect against unauthorized use of employee data.
The obligations of the data privacy law are broad. They apply to all businesses that employ Massachusetts residents, at least to the extent that the business maintains any employee records containing “personal information.” “Personal information” is defined to include a resident’s:
In light of this expansive definition, nearly all employers that maintain personnel or payroll information are covered by the law.
The regulations impose a duty to protect the security and integrity of personal information. This duty includes the creation of a written, comprehensive information security program that contains administrative, technical, and physical safeguards to protect against both internal and external risks to the integrity of personal information. The required safeguards depend on:
Moreover, the revised regulations significantly amend the prior regulatory requirements. The specific requirements are detailed below.
At a minimum, all security plans must include:
In addition, the new regulations require businesses to use certain computer security safeguards, to the extent those safeguards are “technically feasible.” These safeguards include:
The determination of whether a business’s electronic information systems comply with these new regulations is highly technical, and will likely require the assistance of information technology professionals.
The regulations require that employers provide employees with training on the plan. In particular, the regulations require education and training of appropriate employees on the proper use of computer security systems and the importance of personal information security.
The regulations state that businesses must require third-party vendors to agree by contract to implement appropriate security measures to protect personal information. However, the recently revised regulations provide a window of time for businesses to amend third-party service provider agreements that are not compliant with the regulations. The regulations allowed for the use of non-compliant contracts until February 25, 2010, provided that such contracts were entered into prior to March 1, 2010 and were appropriately amended by March 1, 2010.
Employers should also be mindful of the requirement to provide notice of a known or suspected breach of the security of personal information. Massachusetts law requires businesses that maintain or store personal information to provide notice immediately of such breach to all of the following:
The statute requires specific information be provided in such notices. The notice to the affected employee must include:
The notice must be provided as soon as is practicable.
The notice to the attorney general and the director of consumer affairs and business regulation must include:
The Attorney General’s Office may seek civil penalties for violations of the statute, which may include penalties of up to $5,000 per violation, as well as costs of investigation and enforcement (including reasonable attorneys’ fees).
The use of video cameras to monitor employees at work may interfere with employee privacy rights. Video monitoring brings both federal and Massachusetts law into play:
The use of Global Positioning System (GPS) devices in a company car or otherwise to monitor the whereabouts of employees is a form of surveillance that may also implicate employee privacy rights. Under Massachusetts law, as noted earlier, courts weigh the employer’s legitimate business interest in obtaining the information in question against the degree of intrusion on the employee’s privacy. Accordingly, a Massachusetts employer wishing to track the location of its employees using GPS devices should tailor the scope of its tracking to the business interest justifying its action – and it should also notify the employee and get his or her consent.
Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse, and other wrongdoing. In light of post-9/11 security concerns, employers also have an interest in ensuring workplace safety. Employee searches are one way that employers may prevent wrongdoing and maintain a safe work environment; however, employers must recognize that there are limits on how they conduct these searches.
Searches at work may take a number of forms. Sometimes the employer needs to search company property – such as offices, desks, drawers, computers or lockers – that the employer provided to the employee for use at work. The employer may also want to search the property of an employee, such as a purse, gym bag, or briefcase. Finally, an employer might search an employee’s person, such as with a pat-down search, or his or her car while it is on the employer's premises. These searches, some of which are more intrusive than others, may constitute an invasion of employee privacy rights.
Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, are generally permissible if the employer has a legitimate business reason and the search is limited to that which is necessary. The employer should contact the employee before conducting this type of search.
Investigatory searches, such as a search for illegal drugs or a concealed weapon, should generally be limited to situations where the employer has a specific reason to believe an employee is engaged in wrongdoing and where the employer believes that the contraband would compromise the safety of other employees or the public.
An employer may limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in a handbook or by posting a policy, that the employer may search lockers, desks, and offices periodically.
Another way employers may monitor employees is by:
There are many legal issues related to employer investigations, which are covered in Workplace investigations.
Employee testing is yet another way to monitor workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for a psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by statutes such as the Americans with Disabilities Act (ADA) (see Disabilities and reasonable accommodation). Testing for illegal drugs is not covered by the ADA; however, Massachusetts courts have used the privacy statute to limit the occasions when an employer may conduct this type of search (see also Background checks). Psychological tests may have an adverse impact on certain legally protected classifications of employees and, therefore, may raise an inference of discrimination. Employers should work with an attorney to develop testing policies that comply with all applicable employment laws.
The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers must continually keep abreast of new developments in the law. Nonetheless, there are certain general guidelines that employers may follow to avoid liability arising from monitoring policies and procedure manuals:
Note: Be cautious about total prohibitions against non-work-related communications. Union-related emails or postings should not be prohibited provided employees are allowed to make other non-work-related communications on the same systems.