Now more than ever, businesses are relying on the Internet, social media, and other forms of technology to attract and retain customers. As a result, employees are spending more time interacting with these tools. And, as could be predicted, some employees take liberties when using these tools for their benefit. While technology has become more sophisticated allowing employers to limit employee use of company-owned resources, employees have been known to defeat even the most restrictive barriers.
So, what is an employer to do? Often hand in hand with company property use policies are policies regarding the near relinquishment of all privacy rights in the workplace. And while the law does offer employers support, employees do not surrender all privacy rights when walking through the company door.
At the outset, employers are safest when there are clear policies on how company property can be used, and the employee acknowledges that there is no expectation of privacy when using company property. When a privacy matter is in question, the answer requires a balancing of the employee’s expectation of privacy against the business’s interest in infringing on that privacy. Clear, written policies on the use of company property can tip the scales in favor of the employer as these can demonstrate the employee had knowledge of no reasonable expectation of privacy.
Computer and Internet
Computers and the Internet provide numerous opportunities for employees to become distracted. The Internet also permits ready access to material that could contribute to a hostile work environment including racist or pornographic content. Company computers connected to the Internet form a pipeline for viruses and other electronic malware that can disrupt and even take hostage business information. These factors strongly favor a business’s right to make sure that computers and the Internet are only used for business purposes. As a result, the general rule is that employers may freely monitor employee computer and Internet use.
This monitoring extends to business equipment used away from the office. A company computer used exclusively at home is subject to the same monitoring and scrutiny as would activity on the computer if used in the workplace.
The law surrounding email monitoring is more complex than computer and Internet monitoring. There is a labyrinth of federal and state laws regarding electronic communications. This collection of laws generally protects citizens from having their communications intercepted; commonly known as wire-tapping. Further compounding the issue is the differentiation drawn between monitoring employee use of company email versus monitoring personal email accessed with company equipment.
Like the balancing mentioned above, courts often find that an employee has no expectation of privacy when making electronic communications using company equipment and servers. The caveat being that the company has a written policy regarding email monitoring. On the other hand, interception and retrieval of messages from personal email accounts, even if those accounts are accessed with company owned equipment, are generally protected. To minimize the disruption and risk of personal email use with company equipment, companies should consider blocking Internet domains that offer access to personal email. Such protection offers numerous advantages including ensuring company resources are utilized only for business purposes and it reduces the risk of claims for invasion of privacy.
It is a common practice for businesses to record phone calls to monitor customer experiences. It also serves as an excellent record should a dispute arise. Any business that utilizes phone call recording needs to make sure all participants to the call are aware that a recording may take place. This responsibility arises from California Penal code sections 631 and 632 which prohibit the interception or recording of telephone calls without the consent of all parties to the call.
But what about the situation where an employee uses a company phone for private purposes? If the call is to a person outside the company, that person would have to consent to the recording. Employers are advised not to record or intercept these calls. If the call is made to another employee, and all employees have acknowledged that communications are not private and are subject to monitoring, this would likely satisfy the consent requirement in Penal code 631 and 632.
It stands to reason that anything a person puts out publicly on social media is not offered any protection of privacy. The world of social media also extends deeper than what is publicly available, and employers have attempted to reach into this content by having employees or prospective employees disclose social media username and passwords. And while an excellent opportunity to find out information about an employee, the law and courts have swiftly foreclosed such practices.
California Labor code section 980 prohibits an employer from requesting or requiring an employee or prospective employee to disclose social media usernames and passwords. An employer may also not require an employee or prospective employee to access social media sites so that the employer can review social media content.
Be careful though. While beyond the scope of this blog, employers can run afoul of the law by using publicly posted information to make adverse employment decisions. While not a privacy issue, employees have the right to concerted activity.
Employers can’t monitor spaces where one would expect privacy. These spaces include bathrooms, dressing rooms, showers and locker rooms. Conversely, public monitoring in public spaces is freely allowed.
Secret monitoring in public spaces is subject to greater restriction though. If supported by legitimate business needs and the monitoring is limited to those needs, privacy concerns are not implicated. Secret monitoring in public spaces without a specific business need or other limitations can implicate privacy rights.
Businesses, even acting with the best intentions, can unwittingly find themselves violating an employee’s privacy rights. Employers should routinely assess business and technology practices to verify that information isn’t being monitored or stored in a way that, even if unintentionally compromised, discloses private information.
Consider this hypothetical. While a company never takes adverse action based on personal emails sent by employees, it nonetheless stores the content. A breach of the company’s data results in disclosure of personal information transmitted via email. A strong argument could be made that the company invaded the employee’s privacy by merely storing the information even if the business never utilized the information.
This blog has touched on the employer’s biggest areas of concern. Not discussed are searches of a person or a person’s things which, while separate, raise many of the same privacy concerns discussed here.
Since invasion of privacy cases turn on an employee’s reasonable expectation of privacy, employers are advised to fully disclose in writing all employee monitoring and the absence of an employee’s expectation of privacy…acknowledged and agreed to by employee signature.