Here are the dos and don'ts of workplace monitoring and employee privacy rights.
While news sites are filled with stories about privacy violations by social media CEOs and big corporations sharing personal user information without permission, small business owners are concerned with a type of privacy closer to home: employee privacy rights.
On the one hand, business owners need to be sure their workplace is free from employee harassment, data theft and underproductivity. On the other, business owners are required to know where the boundaries are when it comes to employee privacy. If they take things too far, they could find themselves in the middle of a nasty privacy lawsuit.
As a business owner, understanding employee privacy rights from multiple viewpoints is crucial. To help you protect your business while staying legally compliant, let's start by covering the basics. What, exactly, are employee privacy rights, and why are they so important?
What are employee privacy rights?
Employee privacy rights are the regulations that determine how broadly an employer can:
Search an employee's possessions and/or their person
Monitor their actions, speech and/or correspondence
Know about their personal lives, inside and outside the workplace
Before the internet played such a major role in our lives, these rules were fairly straightforward and easy to understand. But due to the prominence of company-owned devices that are often used for personal activities and communications inside and outside the workplace, the extent of privacy limitations is a line that's growing increasingly blurry.
Employees might assume they have more privacy rights than they do in the workplace and therefore not be as cautious or vigilant as they should be. Passwords, individual user accounts and information segregation can all create a false sense of privacy. What really matters in determining workplace employee privacy is the wording in the employer's company policy.
Generally, employers can search through any part of a workplace device, be it a computer, tablet or smartphone. It doesn't matter if a user account is protected by a password. If the company policy states that all activity carried out on the device is effectively owned by the company, the individual using it has zero privacy rights in this sense.
We live in a world where technology is developing at a rapid speed – too fast for privacy laws to keep up. Because of this, privacy claims are often evaluated individually on a case-by-case basis.
What employers can and can't do
The following guidelines will help you, a business owner, understand what you can and can't do in relation to employee privacy rights within the workplace. Some states have stricter regulations than others. So, when in doubt, always contact your legal aid or government authority for the latest information affecting your business.
Internet usage and emails
Can: Monitor your employees' internet and email activity when using company-owned devices. This includes work emails as well as personal emails and time spent using the computer during a break.
Can't: Check employees' personal devices to see to whom they're sending messages or how they're using the internet. Even if their internet access is through the company W-iFi, you still can't request to see their devices.
Can: Listen in on calls made from workplace phones to customers or clients with the purpose of quality control. Some states require employees to inform both parties involved that the call is being monitored or recorded.
Can't: Monitor employees' personal calls made or received on workplace phones, as prohibited by the Electronics Communications Privacy Act (ECPA). Numbers called from extensions can be monitored with the use of a pen register device, but the information received is limited to numbers dialed and length of the call.
Can: Place video cameras within the workspace (including parking structure) for employee safety and security. Camera locations must be determined according to a genuine requirement to deter violence, limit theft and/or to monitor employee productivity.
Can't: Record audio within the video footage or place cameras anywhere it is reasonable for employees to expect privacy, such as in locker rooms, restrooms and break rooms. The National Labor Relations Act (NLRB) prevents the monitoring of employee union activities.
Can: Browse employees' public social media accounts and request that employees avoid posting about the company online.
Can't: Punish employees for content published online outside work hours, unless it's deemed damaging to the company (some states only). Neither can you demand an employee's username and password to access a personal social media account.
Can: Search someone's person, personal belongings, or car if they work in a high-security facility; there have been previous thefts in the workplace; or the person in question is behaving suspiciously.
Can't: Search someone's person, personal belongings or car without a valid reason. In most cases, employers cannot single out an individual for repeated daily searches.
Can: Open and read any mail addressed to an employee that arrives at the workplace. Federal laws prohibit mail obstruction; however, once the mail has arrived at the building, it's classified as being delivered.
Shouldn't: Withhold postal mail from employees. Despite there being no laws regarding mail after it's been delivered, it's still bad practice to destroy mail that has not yet been delivered to the person intended.
Can: Provide any information about a past or current employee when requested by a potential new employer.
Shouldn't: Disclose personal information, such as full name, date of birth, Social Security number, address or work schedule. Employers should also avoid giving away any employee details without first researching the person requesting it and asking the employee for their express permission.
The importance of clear documentation and understanding
Despite business owners being able to monitor various aspects of employees' activity inside and outside the workplace without any further action, it's important you protect your business in the event of a legal battle. If you have any of the above monitoring practices in place, it's essential to document them clearly and thoroughly in your company policy, as well as in individual contacts signed by new recruits.
When hiring a new employee, emphasize the limits of their workplace privacy and the monitoring your company carries out. To bypass claims of misunderstanding from a legal point in the future, ensure both you and the new recruit sign and date the section of the contract that covers privacy. This isn't a get-out-of-jail-free card, but it can go a long way in proving the employee in question understood your company's stance on privacy if a lawsuit arises.
A real example of a workplace privacy lawsuit
Sometimes, no matter how careful you strive to be, it's simply not enough. This was certainly the case in March 2019 when Plaintiff Elizabeth Frankhouser claimed her Fourth Amendment rights had been violated by her employer, Clearfield County Career and Technology Center (CCCTC).
Frankhouser was given permission by CCCTC to use her personal Dropbox account for work-related matters on her work computer. As a result, her account contained a mixture of personal and work-related folders. Her personal folders contained several photos which "could be considered borderline explicit."
Frankhouser's Dropbox account could only be accessed with her username and password, both of which were documented in a spreadsheet alongside a number of other personal and work-related login credentials.
CCCTC's internet technology administrator viewed the spreadsheet and used Frankhouser's username and password to access her Dropbox account. He downloaded several personal photos, and they were distributed throughout the company.
CCCTC administrators accused Frankhouser of storing inappropriate pictures on company-issued hardware: a violation of company policy. Later that month, Frankhouser was told to resign. Frankhouser filed a lawsuit alleging Fourth Amendment violations and invasions of privacy.
The Fourth Amendment impedes unreasonable seizures and searches when someone has a constitutionally protected and reasonable expectation of privacy. Although this amendment's protection only usually applies in criminal cases, it's also applicable when the government acts in its capacity as an employer. As CCCTC is a public company, it was applicable in this case.
Frankhouser argued she had a reasonable expectation of privacy with her Dropbox account, because all the content was stored in the cloud, not on any CCCTC-owned property. Ultimately, the court agreed with Frankhouser, because it was her own personal Dropbox account, it was password-protected, and the plaintiff never accessed her personal photos on CCCTC-owned property.
What to do to prevent a workplace privacy lawsuit
In the above example, the primary reason Frankhouser won her case was because the information kept within her Dropbox account was stored virtually within the cloud, not locally on a machine. This meant that her employers had no right to access anything stored on her Dropbox account, because it was a personal account stored and accessed remotely.
To prevent such an event occurring at your company, consider implementing the following:
Don't allow employees to use personal accounts for work projects. All work-related tasks should be completed using work-issued devices and software.
Ensure staff have the software required to do their job. Provide employees with everything they need so they're not forced to store important data outside workplace property.
Deter employees from saving personal information on workplace devices. Prevent staff from saving private data and login credentials for personal accounts on workplace devices so they can't be accessed by anyone else in the business.
Block irrelevant websites on workplace devices. Block social media, third-party email hosts and all other websites, which employees could use for personal reasons where they could disclose private information.
Discourage employees from making personal calls on workplace phones. Limit the number of personal calls accidentally recorded by encouraging personnel to use personal phones for private calls.