US Private Sector Privacy PDF
Document Details
Uploaded by SparklingCedar
Georgia Institute of Technology
2024
Tags
Related
- US Private Sector Privacy in the Workplace PDF
- Exam #2 Definitions PDF
- ELW4-Ch10 Privacy in the Workplace PDF
- Employment Law for Business and Human Resources Professionals: Alberta and British Columbia, 4th Edition PDF
- Boss Ex Machina: Employer Powers in Workplaces PDF
- Employee Rights and Discipline PDF
Summary
This document discusses US private sector employment privacy laws. It covers constitutional law, state contract, tort, and statutory laws related to the employer-employee relationship and employee privacy aspects within the US business context. The document also addresses federal laws in the Us that protect employee privacy.
Full Transcript
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP show fairly egregious practices to succeed. State legislatures have enacted numerous employment privacy laws, providing protections to employees in a bewildering range of specific situations, which often vary state b...
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP show fairly egregious practices to succeed. State legislatures have enacted numerous employment privacy laws, providing protections to employees in a bewildering range of specific situations, which often vary state by state. Taken together, there is considerable local variation and complexity on employment privacy issues. Along with laws protecting privacy, many labor laws in the United States mandate employee data collection and management practices, for instance, to conduct background checks and to ensure and document a safe workplace environment. Companies also have incentives to gather information about employees and monitor the workplace to reduce the risk of being sued for negligent hiring or supervision of employees. 1 The regulation of employment privacy in the United States stands in contrast with that in nations with comprehensive data protection laws. The European Union (EU), for example, includes employee privacy within its general rules applying to the protection of individuals. Monitoring is permitted only with specific legal justification, and background checks are limited in scope. 2 Generally, employees in the EU have broad workplace privacy expectations and rights. Companies with employees in the United States and other countries thus must be alert to the possibility that different workplace rules apply in connection with employment privacy. 3 This can be particularly challenging when a multinational corporation’s human resources (HR) data systems in one country contain personal information about employees residing in other countries, or even when employees share personal information across borders, such as through email or other communications channels. 12.1.1 Constitutional Law The U.S. Constitution has significant workplace privacy provisions that apply to the federal and state governments, but they do not affect private-sector employment. Notably, the Fourth Amendment prohibits unreasonable searches and seizures by state actors. Courts have interpreted this amendment to place limits on the ability of government employers to search employees’ private spaces, such as lockers and desks. 4 Some states, including California, have extended their constitutional rights to privacy to privatesector employees. 5 In general for private-sector actors, however, there is no state action, and no constitutional law governs employment privacy. 12.1.2 State Contract, Tort, and Statutory Law U.S. law looks at the relationship between the employer and employee as fundamentally a matter of contract law. The general rule in the United States is employment at will, which means the employer has broad discretion to fire an employee. That discretion, in turn, has been understood to grant the employer broad latitude in defining other aspects of the employment relationship, such as issues about the employer’s knowledge about an employee. A contract, however, can alter the rules between employer and employee. An individual employee, for instance, might negotiate a contract that says that certain private activities are outside the scope of the employment relationship. More generally, negotiation of a contract can create binding obligations on the employer. If the employer makes promises in a contract to honor employee privacy, then violations of those promises can constitute an enforceable breach of contract. 2 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP The most important contracts concerning employee privacy are collective bargaining agreements. Unions have often negotiated provisions that protect employee privacy, including, for instance, limits on drug testing and monitoring of the workplace by the employer. Turning to tort law, at least three common-law torts can be relevant to employee privacy, although U.S. law generally requires a fairly egregious fact pattern before imposing liability on the employer. First is the tort of “intrusion upon seclusion,” which states: “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” 6 A classic example of such intrusion is if the employer puts a camera or peephole in a bathroom or employee changing room—a jury may well find that such surveillance is highly offensive to a reasonable person. Another example could be secret wiretaps or other intrusive surveillance of an employee. Although such an employee tort claim may succeed, this chapter will later discuss some of the ways employers can actually defeat that sort of wiretap claim, such as by an announced policy that the company’s computers are owned by the employer and subject to monitoring. A second tort claim can be “publicity given to private life,” which states: “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.” 7 A plaintiff would need to show a relatively broad dissemination of the facts involved and also that the facts disseminated would be highly offensive to a reasonable person. Courts have been cautious in finding such offensiveness, even for dissemination of a person’s salary or other information the employee considers private. Free speech principles under the First Amendment also often provide a defense against such a tort claim. A third tort claim is for defamation, which focuses on a false or defamatory statement, and is defined as a communication tending “so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.” 8 For employment law, defamation torts can arise if, for instance, a false drug testing report is issued or if a former employer provides a factually incorrect reference to a possible future employer. Although the common law thus supplies some possible protections for employees, according to Matthew W. Finkin in Privacy in Employment Law, they have a narrow scope: “If privacy is to be protected by law, the task falls largely to the legislatures” rather than to the common-law courts. 9 State legislatures have indeed passed a large number of statutes that affect employee privacy. Finkin cites some striking examples, such as a California law guaranteeing a woman’s right to wear pants at work or the Florida right for employees to shop where they will, free of an employer’s dictate. Other state statutes prohibit marital status discrimination, and categories of inquiries regarding prospective employees, such as asking whether a worker has ever filed a claim for worker’s compensation benefits. 10 In recent years, a number of states have prohibited employers from requiring employees to disclose the passwords of their social network accounts. 11 Statutes vary enormously state by state, leading to “a patchwork of near bewildering complexity and large lacunae,” or gaps. 12 To summarize on state law and employment privacy, employees tend to have narrow protections under contract, tort and statutory law. The free market approach of U.S. law applies broadly, except 3 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP where a discrete problem has arisen and prompted a response by the legal and political system. Against this general backdrop of employer discretion, however, there may be significant state and local laws that apply in a particular setting. 12.1.3 Federal Laws on Employment Privacy Given this context of relatively limited constitutional or state law protections, a number of federal statutes have been enacted that bear on employment privacy. 12.1.3.1 U.S. Laws Protecting Employee Privacy The United States has a number of federal laws that prohibit discrimination. Antidiscrimination laws provide employees with some privacy protection—for example, by limiting questioning with respect to what is being protected, such as age, national origin, or disability. The United States also has federal laws that regulate employee benefits management. These laws offer certain privacy and security protections for benefits-related information. They also often mandate collection of employee medical information. These laws include the following protections: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains privacy and security rules that regulate “protected health information” for health insurers, including self-funded health plans. 13 The Consolidated Omnibus Budget Reconciliation Act (COBRA) requires qualified health plans to provide continuous coverage after termination to certain beneficiaries. 14 The Employee Retirement Income Security Act (ERISA) ensures that employee benefits programs are created fairly and administered properly. 15 The Family and Medical Leave Act (FMLA) entitles certain employees to unpaid leave in the event of birth or illness of self or a family member. 16 Other federal laws with employment privacy implications regulate data collection and record keeping: The Fair Credit Reporting Act (FCRA) regulates the use of “consumer reports” obtained from consumer reporting agencies (CRAs) in reference checking and background checks of employees 17 The Fair Labor Standards Act (FLSA) establishes the minimum wage and sets standards for fair pay 18 The Occupational Safety and Health Act (OSHA) regulates workplace safety 19 The Whistleblower Protection Act protects federal employees and applicants for employment who claim to have been subjected to personnel actions because of whistleblowing activities 20 The National Labor Relations Act (NLRA) sets standards for collective bargaining, which also apply in social media communications 21 The Immigration Reform and Control Act (IRCA) requires employment eligibility verification 22 4 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP The Securities Exchange Act of 1934 requires disclosures about payment and other information about senior executives of publicly traded companies, as well as registration requirements for market participants such as broker-dealers and transfer agents 23 Later in this chapter, we will also discuss two statutory regimes that govern specific monitoring practices by employers: The Employee Polygraph Protection Act of 1988, which limits employer use of lie detectors 24 Electronic surveillance laws, including the Wiretap Act, the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) 25 12.1.3.2 U.S. Regulatory Bodies that Protect Employee Privacy Employee privacy is protected by several federal agencies, including the U.S. Department of Labor (DOL), the Equal Employment Opportunity Commission (EEOC), the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the National Labor Relations Board (NLRB). The mission of the DOL is “to foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the United States; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights.” 26 To achieve this mission, the department administers a variety of federal laws, FLSA, OSHA and ERISA. The EEOC works to prevent discrimination in the workplace. The EEOC oversees many laws, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA), and Titles I and V of the Americans with Disabilities Act of 1990 (ADA). 27 Both the FTC and the CFPB regulate unfair and deceptive practices and enforce a variety of laws, including the FCRA, which limits employers’ ability to receive an employee’s or applicant’s credit report, driving records, criminal records, and other consumer reports obtained from a CRA. 28 The NLRB administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions. 29 In addition, each state has an agency, often called the Department of Labor, that oversees the state labor laws. These laws include state minimum wage laws and laws limiting work by minors. The same department in most states may administer state unemployment insurance programs and employee rehabilitation programs. Some departments also conduct safety inspections of worker conditions. 12.2 Privacy Issues Before, During and After Employment Workplace privacy issues exist in all stages of the employment life cycle—before, during and after employment. Before employment, employers should consider rules and best practices about background screening, including rules for accessing employee information under the FCRA. During employment, major topics include polygraphs and psychological testing; substance testing; employee monitoring, including phone calls, emails; social media, and “bring your own device”(BYOD). After employment, the main issues are termination of access to physical and informational assets and proper human resources practices postemployment. It is important to 5 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP keep in mind that while consumer privacy practices pose a bigger risk for many organizations, HRrelated privacy presents a risk for virtually all organizations, including organizations in traditional industries that are not focused on data or data privacy. 30 For privacy professionals whose role encompasses human resources, multiple legal issues can arise in the employment life cycle. In addition to consulting with the legal and information technology (IT) departments, a privacy professional should keep in close contact with the HR experts in the organization. Even before the IT revolution put personnel records on computers, HR professionals had developed good practices for handling confidential information. It is worth noting that one consequence of the long-standing policies in HR is that these departments may be reluctant to adjust policies at the advice of a recently formed privacy team that is seeking to implement more recent developments in privacy. HR records are often physically segregated from other organization records or handled within IT systems with strict access controls. Because HR records apply to every person in an organization, including the most senior management, HR professionals have a special responsibility to respect the confidentiality of employee information. Employment laws in the United States often provide employers with more discretion than laws in the EU and other countries in the handling of personal information. U.S. laws also often vary by state. Organizations thus have to consider which jurisdiction’s rules apply to personal information about particular employees. 12.2.1 Privacy Issues Before Employment Employers today can have access to a wealth of information about applicants, gathered both directly from the candidates and through searches of public records and private databases. In the United States, the FCRA and antidiscrimination laws create national rules that structure how information is gathered and used preemployment. As in other areas of workplace privacy, states often have additional laws, and egregious practices can create tort suits under the common law. Collective bargaining agreements may also apply. As discussed in other chapters of this book, the privacy professional thus must be aware of both the many beneficial uses of personal information and the legal and other risks that can arise from improper handling of personal information. 12.2.1.1 Common Reasons for Employee Background Screening Before employees are hired—or even brought in for an interview—they are often subject to background screening. 31 The type and extent of screening varies depending on the work environment. There are many reasons and motivations for employers to conduct background screening. Some important trends have stimulated an increase in applicant screening. 32 For example: The terrorist attacks of September 11, 2001, resulted in heightened attention to security issues and support for more stringent identity-verification requirements Greater attention to child abuse and abductions has led to laws in almost every state requiring criminal background checks for people who work with children 6 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP Business governance scandals, such as those at Enron and WorldCom, spurred passage of the Sarbanes-Oxley Act in 2002, which has increased the incentives for corporate leaders to scrutinize practices in the areas they manage The rapid increase of information about candidates from online search and social media sites has made background checks easier 33 Certain professions are subject to background screening by law. Typically, anyone who works with the elderly, children or the disabled must now undergo background screening. The federal National Child Protection Act authorizes state officials to access the Federal Bureau of Investigation’s (FBI’s) National Crime Information Center database for some positions that involve contact with children. Many state and federal government jobs require rigorous background checks to obtain a security clearance. 34 Other groups that are targeted in background checks, depending on the state, include emergency medical service personnel, county coroners, humane society investigators, euthanasia technicians in animal shelters, bus and truck drivers, athletic trainers, inhome repair services, firefighters, gaming industry employees, real estate brokers, and IT workers. The EEOC has cautioned businesses that they should carefully review background screening processes, such as denying employment based on criminal convictions, to ensure that their requirements are job related and consistent with business necessity. 35 Employers use background screening to ensure they are hiring the best candidate for the job. Screenings can help determine whether the applicant will fit in the organization’s culture and make positive contributions to its growth. Screening can counter false or inflated information provided by job applicants and helps identify candidates who may damage the organization’s brand and reputation. In addition, employers seek to mitigate the risk of liability. Careful background screening can help defeat a later claim for negligent hiring, such as if an employee causes harm when there was prior evidence the person was dangerous. 36 Changing IT has led to changes in screening. An unprecedented amount of candidate data is now available to employers. The sophistication of today’s internet search, coupled with the ever-greater amount of information publicly accessible about many people, has enormously expanded the ability of employers to use “do it yourself” screening on the internet. Searches of publicly available information have generally been considered a reasonable practice in the United States. Significant privacy issues can accompany such practices, however, as discussed later in this chapter. For instance, internet searches should not be a basis for making impermissible, discriminatory hiring decisions, and there are laws in numerous states to prohibit more invasive practices, such as requiring candidates to provide their Facebook or other social network passwords so prospective employers can see information that the candidate has taken steps to keep private. 37 12.2.1.2 Antidiscrimination Laws as Limits on Background Screening The United States has a number of federal laws that prohibit discrimination in employment and have sometimes been used to limit background checks, notably: Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin. 38 The Equal Pay Act of 1963 bars wage disparity based on sex. 39 7 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP The Age Discrimination in Employment Act of 1967 bars discrimination against individuals over 40. 40 The Pregnancy Discrimination Act of 1978 bars discrimination due to pregnancy, childbirth and related medical conditions. 41 The Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities. 42 The Genetic Information Nondiscrimination Act of 2008 bars discrimination based on individuals’ genetic information. 43 The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have filed for bankruptcy. There is some ambiguity, however, as to whether the statute applies to discrimination prior to the extension of an offer of employment, and courts have read the statute both ways. 44 The primary purpose of these laws is to prohibit discrimination in hiring and other employment decisions. A secondary effect, however, is that they often affect how interviews and other background screen activities are conducted. For instance, an employer risks possible discrimination claims for interview questions about national origin or race under Title VII, about current or intended pregnancy under the Pregnancy Discrimination Act, about age under the ADEA, or about disability under the ADA. The EEOC has held that Title VII sex discrimination extends to claims based on an individual’s sexual orientation or gender identity. 45 Along with these federal laws, many states have their own antidiscrimination laws. Some of these have the same protected classes as the federal laws, and some include additional protected classes. Almost half the states currently prohibit sexual preference discrimination in both public- and private-sector jobs, while other states prohibit such discrimination in public workplaces only. 46 Roughly half the states prohibit discrimination based on marital status. 47 The complexities of antidiscrimination law are beyond the scope of this book. Extensive case law has grown up under each of these statutes, so that legal research beyond the text of each statute may be needed to assess current good practice. The risk for employers is that their interview questions and other background screening activities may provide evidence of discrimination. On the other hand, information that a candidate is a member of a protected class may be required by statute (such as when age is revealed in the course of verifying eligibility for employment), may be a bona fide occupational qualification, or may become known to the employer for some other nondiscriminatory reason. In practice, HR professionals often receive detailed training about how to collect information relevant to employment decisions while avoiding practices that increase the risk of an antidiscrimination claim. Many companies have established policies that prohibit discrimination and provide more detailed guidance about what interview and background screening practices are permitted. One strategy to reduce risk is to avoid asking questions that elicit information about membership in a protected class. For instance, avoid asking about membership in organizations that reflect religion or national origin. Another strategy is to be consistent and ask the same questions of all candidates. For instance, the company faces a greater risk of pregnancy or sex discrimination claims if women—but not men—are asked about how long they expect to stay on the job. 8 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP 12.2.1.3 The Americans with Disabilities Act and Medical Screenings The ADA created important restrictions on medical screening of candidates before employment. The law forbids employers with 15 or more employees from discriminating against a “qualified individual with a disability because of the disability of such individual,” and specifically covers “medical examinations and inquiries” as grounds for discrimination. 48 Before an offer of employment is made, the ADA permits such examinations and inquiries only where “job related and consistent with business necessity.” 49 A company may require a medical examination after the offer of employment has been made and may condition the offer of employment on the results of such an examination. Such an examination is permitted only if (1) all entering employees are subjected to such an examination regardless of disability, (2) confidentiality rules are followed for the results of the examination, and (3) the results are used only in accordance with the statutory prohibitions against discrimination on the basis of disability. 50 The ADA requires an employer to provide reasonable accommodation to qualified individuals who are employees or applicants for employment, unless to do so would cause undue hardship. 51 During the hiring process and before a conditional offer is made, an employer generally may not ask applicants whether they need a reasonable accommodation for the job, except when the employer knows that an applicant has a disability. After a conditional offer of employment is extended, an employer may inquire whether applicants will need reasonable accommodations so long as all entering employees in the same job category are asked this question. 52 The ADA restrictions on medical examinations and inquiries significantly affect a range of prehiring practices that previously were widespread. 53 Employers can no longer routinely ask questions about prior injuries and illnesses, including prior worker compensation claims. Psychological tests, previously used to predict conditions such as depression or paranoia, may well qualify as medical examinations. The ADA does not cover the use of drugs or alcohol, although it does cover questions about recovered drug addicts and alcoholics. In general, before hiring, employers should use caution about inquiring into the likelihood that a candidate has a covered disability or will seek a reasonable accommodation. 12.2.1.4 FCRA Restrictions on Background Checks The FCRA, discussed in more detail in Chapter 9 on financial privacy, regulates how employers perform background checks on job applicants. This law is not limited to background credit checks; it also covers any other type of background check, such as criminal records or driving records, obtained from a CRA. A CRA includes any organization that regularly engages in the assembling or evaluating of consumer information for the purpose of furnishing consumer reports to third parties for a fee. 54 Under the FCRA, the term consumer report includes all written, oral or other communications bearing on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Examples of inquiries covered by FCRA include a credit report obtained from a credit bureau and a driving history report obtained from an information aggregator. In recent years, the FTC has aggressively enforced FCRA violations against nontraditional CRAs who collect data online and report it to employers. 55 Alleged FCRA violations are frequently litigated by affected individuals as well. 9 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP FCRA prohibits obtaining a consumer report unless a “permissible purpose” exists. Permissible purposes, however, include “employment purposes,” which in turn include (1) preemployment screening for the purpose of evaluating the candidate for employment and (2) determining if an existing employee qualifies for promotion, reassignment or retention. The FCRA also permits employers to obtain an “investigative consumer report” on the applicant if a permissible purpose exists. An investigative consumer report is one in which some of the information is acquired through interviews with neighbors, friends, associates or acquaintances of the employee, such as reference checks. To obtain any consumer report under FCRA, an employer must meet the following standards: Provide written notice to the applicant that it is obtaining a consumer report for employment purposes and indicate if an investigative consumer report will be obtained Obtain written consent from the applicant Obtain data only from a qualified consumer reporting agency, an entity that has taken steps to assure the accuracy and currency of the data Certify to the CRA agency that the employer has a permissible purpose and has obtained consent from the employee Before taking an adverse action, such as denial of employment, provide a pre-adverseaction notice to the applicant with a copy of the consumer report, in order to give the applicant an opportunity to dispute the report After taking adverse action, provide an adverse action notice If employers do not comply with these requirements, they may face civil and criminal penalties, including a private right of action. In 2003, the Fair and Accurate Credit Transactions Act (FACTA) amended FCRA. The amendments preempted a wide range of state laws on credit reporting, identity theft and other areas within the FCRA. 56 FACTA, however, specifically left some existing state laws in effect, notably the California Investigative Consumer Reporting Agencies Act (ICRAA). 57 The FCRA does not preempt states from creating stronger legislation in the area of employment credit history checks, such as the California ICRAA. Under the ICRAA, employers must notify applicants and employees of their intention to obtain and use a consumer report. Once disclosure is made, the employer must obtain the applicant or employee’s written authorization prior to requesting the report. On the notice and authorization form, employers must enable applicants and employees to check a box to receive a copy of their consumer report any time a background check is conducted. If employers wish to take adverse employment action, they must provide the employee with a copy of the report, regardless of whether the employee waived the right to receive a copy. This exception does not apply to employees suspected of wrongdoing or misconduct. Ten other states—Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington—currently limit the use of credit information in employment. 58 These states require that credit history information be used only as related to the position applied for. The requisite degree of relation differs among states. While most states require a substantial relationship, Hawaii requires the applicant’s credit history to directly relate to an occupational 10 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP qualification. 59 Additionally, some states allow credit history checks to be performed if the position applied for fits within predefined occupational categories, generally involving financial or managerial responsibility or exposure to confidential information. 60 12.2.1.5 Restrictions on Background Checks under Fair Chance to Compete on Jobs Act The Fair Chance to Compete on Jobs Act (FCA) was enacted in 2019. 61 For many jobs, the FCA restricts federal agencies as well as federal contractors from requesting information related to an applicant’s criminal history until a conditional offer of employment has been made to the applicant. 62 Although a discussion of the breadth of state law restrictions on background checks is beyond the scope of this book, practitioners should be aware that FCA is part of a recent trend known as “Ban the Box.” Approximately two-thirds of states and more than 150 municipalities across the U.S. have enacted laws to remove the checkbox on job applications that ask an applicant if they have a criminal history. 63 12.2.1.6 Technologies to Screen Potential Employees In recent years, companies have used a variety of technologies to assist companies with the hiring process. We will discuss two of these technologies: social media and artificial intelligence (AI). Social media has increasingly been used to screen prospective hires. Social media sites such as Facebook, LinkedIn, TikTok, and Twitter facilitate easy and immediate sharing, collaboration and interaction. Businesses now exist that are dedicated entirely to tracking an individual’s online presence and screening candidates for predesignated elements selected by the employer. These may include potential drug use, criminal activity, or unsafe behavior. In doing so, employers should be alert to possible legal restrictions. 64 For example, there is the possibility that the FCRA applies to these nontraditional providers of background check information. 65 In addition, although employers are generally legally permitted to use social media in informing their decisions, acting in a discriminatory way in hiring is not. Reviewing applicant’s social media pages or posts may provide the basis for discrimination lawsuits if the employer accesses and appears to use information that is legally protected. This includes protected classes such as religion, ethnicity, gender or sexual orientation, political affiliations, and other sensitive information, all of which is commonly available on individuals’ social media pages. Employers also face risks when engaging in social engineering— the use of manipulation to gain access to otherwise private information. This includes connecting with potential hires through a false online profile or requesting access to private networks that are not available to the general public. If employers engage in these practices, they may be confronted with invasion of privacy actions for violating the applicant’s reasonable expectation of privacy. 66 Employers should thus consider what policies and training should exist to avoid taking actions that could violate legal restrictions, including reviewing information about applicants on social media sites. 67 Finally, employers should proceed with extreme caution when considering policies that require applicants to divulge access information to private networks as a condition of employment. In 2012, Maryland was the first state to ban employers from asking applicants (or employees) for their social network login information and passwords. 68 As of the writing of this book, approximately half the states have passed similar laws, and Congress has proposed similar legislation. 69 AI is also being used to screen applicants during the interview stage of the hiring process. When companies conducting job interviews initially adopted video conferencing, the main purpose of this 11 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP technology was to overcome the distance between the interviewer and the interviewee. Currently, many companies use AI to assess job applicants who appear via video. The AI evaluates the speech patterns, facial expressions, and gestures of the individuals interviewed in an effort to provide insights to those people who are making the hiring decision. 70 Privacy practitioners should be aware of privacy implications of using videotaped interviews as well as the possible biases in the algorithms being introduced into the hiring process. 71 12.2.2 Privacy Issues During Employment A range of workplace privacy issues can arise once an applicant has been hired. The discussion here addresses polygraphs and psychological testing; substance testing; employee monitoring, including of phone calls and emails; and social network monitoring and BYOD. 72 12.2.2.1 Polygraphs and Psychological Testing The Employee Polygraph Protection Act of 1988 (EPPA) is a prominent example of federal protection of privacy in the workplace. 73 Under the act and its regulations, issued by the DOL, employers are prohibited from using “lie detectors” on incumbent workers or to screen applicants. A lie detector is defined to include polygraphs, voice stress analyzers, psychological stress evaluators, or any similar device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty. 74 The act prohibits employers from requiring or requesting that a prospective or current employee take a lie detector test. Employers cannot use, accept, refer to, or inquire about lie detector test results. The act also prohibits employers from taking adverse action against an employee who refuses to take a test. 75 EPPA has exceptions for certain occupations, including for government employees, employees in certain security services, those engaged in the manufacture of controlled substances, certain defense contractors, and those in certain national security functions. Tests are also allowed in connection with “an ongoing investigation involving economic loss or injury to the employer’s business,” such as theft, embezzlement or industrial espionage. Even for such investigations, there must be reasonable suspicion to test an employee, and other protections for the employee apply. An employee cannot be discharged because of the results of a polygraph or for refusing to submit to a polygraph, unless additional supporting evidence also exists. EPPA requires employers to post the act’s essential provisions in a conspicuous location so that employees are aware of its existence. If the act is violated, employers may be subject to a fine from the DOL as well as to private lawsuits. Also, state laws are not preempted, and a large number of states have enacted laws further restricting the use of lie detectors in private employment. 76 EPPA and the ADA together place significant national limits on psychological testing in the workplace. Employers must comply with the rules limiting lie detectors as well as the ADA prohibitions on the use of medical tests, including those designed to test an impairment of mental health. Employers continue to use psychological tests measuring personality traits such as honesty, preferences and habits in hiring and employment, although one expert reports that such tests may be concentrated in specific positions such as management and sales. 77 12.2.2.2 Substance Use Testing Employers test for substance use for varied reasons: (1) to reduce costs resulting from lowered productivity, accidents, and absenteeism caused by drug use; (2) to reduce medical care costs 12 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.