Privacy. Ask anyone if we have a right to it and the universal answer is a resounding “Yes.” Ask where that “right” comes from and the likely answer will be, “I don’t really know.”
This is because privacy rights come from many different sources. The most obvious is our Constitution (although if you read it, you wouldn’t find the actual word there). Privacy rights also come from federal and state laws. But there simply isn’t one all-encompassing right of privacy. Whether someone has a right to privacy at all depends in large part on the circumstances. This article discusses the most important privacy laws affecting employment.
The Electronic Communications Privacy Act (ECPA) significantly impacts privacy rights in the workplace. It contains two important provisions. The first is the Wiretap Act. This deals with the unauthorized interception of electronic communications. (For example, think about listening in on someone else’s phone call.) Generally, the Wiretap Act prohibits the intentional interception, use and disclosure of any oral, wire or electronic communication. Courts generally have required that communications be seized at the time they are being made to be considered “intercepted.” (Reading someone’s e-mail after it was already received is not interception.)
There are important exceptions to the Wiretap Act. The most relevant is called the “consent exception.” As long as one party consents to the interception, it is permitted. While this sounds simple, it is not without its complexity. Although consent may be express or implied, it is best to get express consent through a consistent policy or agreement whenever possible. When you call a service and you are told that your call may be recorded for quality control purposes, you are giving consent to the interception by continuing the call.
The second important provision in the ECPA is the Stored Communications Act (SCA). The SCA protects stored electronic information such as e-mail or computer files on a hard drive. It also contains a broad exception to allow an employer to gain access to stored information as long as it is authorized by the entity that provides the electronic communication service. This exception would generally allow an employer to access e-mail or files stored on computers provided by the employer to employees.
The SCA generally allows you to obtain an e-mail message or monitor an employee’s actions from your own system. If a communication is directly intercepted, however, that will likely violate the ECPA. It is best to have a comprehensive computer-use policy, making it clear that employee activities may be monitored at any time.
Although the ECPA is a criminal statute, it also allows employees to sue employers for a violation.
In addition to federal law, each state has its own scheme of statutory and common law that impacts employee privacy rights. Most states have laws that are at least as restrictive as the ECPA. In addition, state common law may provide an employee with a claim depending on what is done with the information obtained.
Most states agree that the following acts will violate an individual’s common law privacy rights:
- Intrusion upon the individual’s seclusion or solitude or into private affairs;
- Public disclosure of embarrassing private facts; and
- Publicity that places the individual in a false light in the public eye.
While each of these types of claims is slightly different, they all share common elements. The employee must generally show an intrusion into, or public disclosure of, private facts where the disclosure is either unreasonable or false and damages the employee. Thus, even though information about an employee may have been gathered for a legitimate purpose, an employer cannot publicize it to everyone or place the employee in a false light. Accordingly, employers need to control who has access to information about employees. The best way for an employer to protect itself is to prevent disclosure to people who do not need the information.
The law imposes many obligations on employers when dealing with employee privacy issues. However, there are several practical things an employer can do to limit any potential liability:
- Do not create expectations of privacy that you cannot ensure.
- Your privacy policies should inform employees what is not considered “private.” For example, it is critical that policies on computer usage and e-mail communications inform employees that the employer may monitor the communications. This, in essence, destroys any expectation of privacy.
- Establish a protocol for all information requests received regarding an individual. For example, does your receptionist know what to do if someone calls and asks for personal information about an employee? Does the payroll coordinator know what to do with a third-party e-mail request for information about an employee’s compensation?
- Establish emergency and computer trespasser procedures.
- Consistently enforce all privacy policies that are in place. A policy is only as good as its enforcement.
Privacy rights are tricky. But employers do have a legitimate need to know certain things. The right policies and practices can keep an employer “in the know” without getting into trouble.