US Private Sector Privacy in the Workplace PDF
Summary
This document discusses drug testing policies in the US private sector, examining pre-employment, reasonable suspicion, routine, post-accident, and random drug testing. It also analyzes the legal landscape surrounding employee monitoring in various situations. The text covers issues such as employee privacy and safety, and the complexity of balancing those in the workplace.
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 12 – as of 03/18/2024 © IAPP

related to drug use; (3) to reduce theft or other illegal activity in the workplace associated with drug trafficking; (4) to bolster corporate image; and (5) to comply with external legal rules that impose or support a drug testing policy. 78

There is no federal privacy statute that directly governs employer testing of employees for substances such as illegal drugs, alcohol or tobacco. For public-sector employees, there is considerable case law under the Fourth Amendment about when such testing is reasonable. As previously mentioned, the ADA prohibits discrimination based on disability, although the application of the ADA varies for illegal drugs and alcohol, and for current and past use. The ADA specifically excludes current illegal drug use from its protections, and a test for drug use is not considered a medical examination. 79 By contrast, the responsible federal agencies have stated that “an alcoholic is a person with a disability and is protected by the ADA if they are qualified to perform the essential functions of the job.” 80 Concerning a history of illegal drug use, the U.S. Department of Justice states that “policies that screen out applicants because of a history of addiction or treatment for addiction must be carefully scrutinized to ensure that the policies are job-related and consistent with business necessity.” 81

Federal law mandates drug testing for certain positions within the federal sector, including employees of the U.S. Customs and Border Protection. Federal law also regulates drug testing for employees in the aviation, railroading and trucking industries. 82 The rules preempt state laws that would otherwise limit drug testing.
Drug testing can be used in a variety of settings:

- Preemployment—generally allowed if not designed to identify legal use of drugs or addiction to illegal drugs
- Reasonable suspicion—generally allowed as a condition of continued employment if there is “reasonable suspicion” of drug or alcohol use based on specific facts as well as rational inferences from those facts (e.g., appearance, behavior, speech, odors)
- Routine testing—generally allowed if the employees are notified at the time of hire, unless state or local law prohibits it
- Post-accident testing—generally allowed to test as a condition of continued employment if there is “reasonable suspicion” that the employee involved in the accident was under the influence of drugs or alcohol
- Random testing—sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in specific, narrowly defined jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security

A majority of states have passed one or more statutes governing the testing of employees for drugs and/or alcohol. 83 States such as Connecticut, Iowa and Minnesota have laws that generally prohibit employee drug tests unless there is reasonable suspicion to test a particular employee, although state law varies on whether employer violation of the statute prevents discharge of an employee who tests positive. 84 There has also been extensive litigation over time under the common law of the various states, on theories including defamation (if the test was inaccurate), negligent testing, invasion of privacy, and violation of contract and collective bargaining agreements.

13 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.

Generalizing in the face of this state-by-state variation is risky. Cases upholding random drug testing usually involve occupational roles in highly regulated industries or positions that are critical to the protection of life, property or national security. More invasive tests, such as collection of a blood sample, are more prone to scrutiny than less invasive tests, such as a breathalyzer.

With approximately two-thirds of the states in the United States recently enacting laws legalizing the use of marijuana for medical or recreational purposes, the issue of drug testing employees has become more complicated. 85 Fewer than half of the states that allow individuals to legally use marijuana afford any protections for employees who test positive for the drug. A minority of the state laws that permit legal marijuana use include explicit employee protections. 86 The treatment of employees in sectors regulated by federal law, such as the trucking, aviation, and railroading industries, is complicated. Because marijuana is federally prohibited, employees in these industries must adhere to federal requirements. 87 Privacy practitioners should be prepared to advise management concerning the complexity of crafting drug testing policies that comply with both federal and state laws. 88

12.2.2.3 Lifestyle Discrimination

An employee’s lifestyle outside of work has generally been regarded as private, unless these actions negatively affect other people or are criminal. 89 In recent years, concerns have been raised about issues such as employees’ weight and smoking habits. Employers must use caution when taking negative actions against employees for lifestyle choices. 90

Weight.
The classic example of weight discrimination was in the field of flight attendants, who were told they must remain under a certain weight to be employed. After numerous discrimination lawsuits in the airline industry, the mandate was changed to one requiring a person’s weight to be proportional to their height and age. 91 This illustration shows how restrictions focused on weight can make a company susceptible to being sued for discrimination. To address the concerns related to increasing obesity in the United States, the ADA was amended in 2009 to protect a person who is 100 pounds overweight from discrimination based on a disability. 92 In the employment context, the EEOC has obtained settlements on behalf of employees who alleged this type of discrimination, yet courts have split in their approach to the topic. This means the details of how the disability will be understood legally are still less than certain at this time. 93

A current trend concerning weight in the workplace arises in wellness programs that are sponsored by the employer. In 2013, CVS Pharmacy gained national attention when employees were required to provide information on weight as part of a wellness program or face a $600 surcharge. 94 Employers should take care to ensure that these attempts to assist their employees do not become avenues for discrimination.

Smoking.

Many employers ban smoking tobacco or vaping during work hours or on work property. No federal law protects smokers from discrimination. When designing a policy regarding smoking, employers should be aware that more than half of states have laws that limit smoking bans to the workplace. Under these laws, individuals are protected from discrimination by their employer if they choose to smoke while not at work. 95
Businesses that have restrictions related to lifestyle issues should clearly explain the business reason for such policies. While concerned about the health insurance costs of employees who engage in certain habits, companies should be careful in implementing such policies. 96 For the privacy professional, it is important to understand that this is a developing area of the law. Numerous state laws have been passed to address various lifestyle issues, and more are being considered. 97 Employer policies should be reviewed and updated in light of new developments.

12.2.2.4 Monitoring in the Workplace

Technological trends have increased the range of ways employers can monitor employees. For example, employees often use company-issued computers, laptops, and smart phones. In the U.S., private-sector employees in general have limited expectations of privacy at the workplace. The physical facilities belong to the employer, and employers in the private sector thus generally have broad legal authority to do monitoring and searches at work. 98 Computers and other electronic equipment are similarly understood to be the property of the employer, with consequent broad employer rights about how the equipment is used.

Organizations should consider establishing formal policies about workplace monitoring and accompanying documents, such as acceptable use policies for IT equipment. These policies may also be required by state law in order for such monitoring to be lawful. 99 Such policies often include when monitoring can or will occur, purposes of data use, to whom data may be disclosed, and the consequences to employees for violations. In special circumstances where additional monitoring is conducted, the employer may be required to describe the approval process and document when it is implemented.
Providing employees with notices of these policies helps establish their knowledge and reasonable expectations about workplace activities. Such policies have proven broadly effective in addressing employee claims for improper monitoring. 100 When developing these policies, companies should be aware that these employer rights are frequently more limited in Europe and other countries, where employees often have a broader set of protections against monitoring under data protection, collective bargaining, and other employment laws. Companies with employees both in the U.S. and abroad thus may need to develop different policies and IT systems that conform to the varying laws.

12.2.2.4.1 Legal Obligations or Incentives to Monitor Employees

In the U.S., companies often engage in monitoring of employees for a variety of reasons. Certain legal obligations for companies can be fulfilled, at least in part, by monitoring employees. Companies also have a variety of incentives to monitor employees. This means that strong policies both favor and limit monitoring of employees in the workplace. Because there are numerous reasons to monitor employees as well as a variety of ways to monitor employees (as discussed below), companies should be careful to develop and implement policies related to how data involving employee monitoring is collected, used, transmitted, and stored. Employers should also consider what policies and training should exist to avoid taking actions that could be considered inappropriate, discriminatory, or invasive. 101

The following are examples related to legal obligations and incentives to monitor:

- Follow workplace safety and other laws that require or encourage monitoring. OSHA, for example, requires employers to provide a safe workplace that complies with occupational health and safety standards. These standards require employees to perform tasks in a safe manner in order to avoid injury. Thus, ensuring compliance with OSHA is one legal reason to monitor employees. 102 For example, monitoring with biometric sensors can help to ensure that workers are performing tasks in a safe manner, such as eye monitors for truck drivers. 103

- Improve work quality (e.g., by monitoring service calls with customers). Call centers and firms that do financial transactions over the phone often record telephone conversations for reasons including agent training, quality assurance, and security/liability. If a dispute arises with a customer after the fact, the recording can often resolve what was said or agreed upon. Such recordings, however, must comply with the rules about phone call recording discussed below. As noted in Chapter 11, certain activities that may result in charges placed using preacquired account numbers, such as telemarketing, must be recorded. 104 Note, though, that for security reasons call centers often pause the recording functionality when a customer relays full payment card information.

- Limit liability for employees’ actions. Employers monitor the workplace as a way to defend against a possible tort claim for negligent supervision, especially where the employer is on notice of a specific risk from one employee to other employees or third parties. The claim of negligent supervision is similar to the claim, discussed above, of negligent hiring. In both instances, there is uncertainty about what a jury will find to have been negligent, so employers have an incentive to err on the side of caution to reduce the risk of a successful claim.
Also, some business lawyers have counseled companies to monitor email and other employee computer usage to reduce the risk that the employer will be held liable for creating a hostile work environment, for example, if sexually explicit or racially derogatory material is viewed at work. 105 Note that other experts disagree with this approach. 106

- Protect physical security (e.g., by placing video cameras near entrances). Many U.S. employers use closed-circuit television (CCTV) or other video surveillance in the workplace. Security cameras are often used at the perimeter of a business to deter and detect burglary or other unauthorized intrusion. They are used within a business establishment to deter crimes such as shoplifting and armed robbery and outside to detect “driveaways” from gas stations or other businesses. They are used within warehouses and other parts of a business to reduce the incidence of stealing by employees. Insurance companies may give companies a discount for installing CCTV systems. 107 Employers also may have an interest in monitoring the location of company vehicles equipped with GPS to prevent theft. To access certain restricted locations at a company, employees may have to verify their identity using biometrics, such as face scans or hand scans.

- Protect cybersecurity (e.g., by monitoring activity on computer systems). Companies today often have in place a variety of systems to monitor electronic communications. Companies routinely run antispam and antivirus software on emails. The computer security activities of the IT department include a range of intrusion detection and other measures. Depending on the company and job description, there may also be limits on acceptable use of work computers, including bans on accessing websites that are inappropriate for the workplace.
Also, to enhance cybersecurity, companies may require face scans or fingerprints for identity verification before accessing computers or other electronic equipment.

- Protect trade secrets and limit liability for unlicensed transmission of copyrighted material and other confidential company information. Companies endeavor to protect trade secrets and limit liability concerning leakage of copyrighted and other material. In an effort to thwart efforts by employees to obtain such information for nefarious purposes, companies analyze employees’ emails, review employees’ computer usage, and monitor phone calls. Companies may also track employees’ locations to determine if they are meeting with competitors. 108

- Improve the company’s reputation. Employers can use social media to their advantage—for example, a strong social media presence helps increase visibility in the marketplace. Social media can be used by employers to stay in touch with customer needs, and its effective use conveys a level of technological sophistication to its followers. It is also a helpful platform for receiving immediate feedback from consumers, clients and employees at a very low cost. Social media monitoring is used to keep track of current employees to mitigate brand or reputation damage. 109

- Try to keep employees on task rather than spending time on personal business. Although monitoring can be justified to increase productivity by keeping employees on task, there can be serious privacy concerns from excessive video monitoring (such as in changing rooms), monitoring of workplace conversations (such as bugs secretly placed by a supervisor to listen to employees), and email and other computer monitoring (such as when emails that an employee believes are personal are reviewed by the employer, or screen recording for productivity management). 110

In this discussion of reasons to monitor employees, it is important to remember that employers often choose not to monitor even where they may have the legal ability to do so, for reasons including ethics, cost and morale. Monitoring costs include the legal obligations to detect and act on misconduct revealed by the monitoring program. 111

12.2.2.4.2 Laws Applying to Types of Monitoring

Federal laws governing wiretaps and access to stored communications are notoriously complex, and electronic monitoring of employees thus should often be done in consultation with a lawyer knowledgeable about the area. Chapter 13 discusses key aspects of these laws. The discussion here focuses on monitoring in the workplace. Federal and state laws regulate and restrict workplace surveillance activities, including electronic surveillance (such as accessing emails and monitoring internet activities), accessing social media accounts, video surveillance, and monitoring of telephone calls. 112

Intercepting communications.

As discussed in Chapter 13, the Wiretap Act and the Electronic Communications Privacy Act (ECPA) are generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails. The exact rules for wire, oral and electronic communications vary, and unless an exception applies, interception of these communications is a criminal offense and provides a private right of action. 113 Two exceptions to the prohibition on interception often apply in the workplace. 114 Under federal law, interception is permitted:

1. If a person is a party to a call or where one of the parties has given consent 115
2. The interception is done in the ordinary course of business 116

An employer who provides communication services, such as a company telephone or email service, has the ability to intercept provided the interception occurs in the normal course of the user’s business. 117 An important distinction exists when an employer listens to an employee’s purely personal call. In this instance, the employer risks violation of the wiretap laws. As courts have split on how broadly to define the “ordinary course of business,” many employers rely on the consent exception for interception of telephone calls. 118 Privacy professionals should be alert to the requirements of relevant state laws on recording phone calls, because some of these laws require one-party consent, while others mandate that all parties to the call consent. 119

Stored communications.

As previously discussed, the SCA creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided. 120 Violations can lead to criminal penalties or a civil lawsuit. The law provides for exceptions. Two exceptions that may apply to the employer are for conduct authorized:

1. “By the person or entity providing a wire or electronic communications service” (often the employer) 121
2. “By a user of that service with respect to a communication of or intended for that user” 122

Generally, employers are permitted to look at workers’ electronic communications if the employer’s reason for doing so is reasonable and work-related. In the case of City of Ontario v. Quon, the U.S. Supreme Court allowed an employer to review an employee’s text messages when the employer was looking at the messages to determine whether the employer’s electronic usage policy had been violated.
In the case, the employer—the City of Ontario—provided the pager used to send the messages at issue. Note that the distinction between private-sector employers and public-sector employers can be particularly important in cases involving ECPA. 123 In addition, privacy practitioners should be alert to the fact that ECPA generally does not preempt stricter state privacy protections. Notably, certain state laws protect email communications. 124

Social media accounts.

As with applicants, employers should proceed with caution when accessing and collecting information from the social media accounts of employees. Employers have not traditionally had access to an employee’s personal email accounts, and similar reasoning should be applied to gaining access to the private parts of a person’s social network activities. 125 As discussed in Section 12.2.1.6 above, at the time of the writing of this book, approximately half the states in the U.S. have laws prohibiting employers from asking employees (or applicants) for access to their social media accounts. 126 In addition, employers must not violate existing antidiscrimination and privacy laws. 127

Unions and union-organizing activities.

Collective bargaining agreements can be an additional limiting factor on an employer’s ability to monitor in the workplace. Many such agreements contain provisions designed to limit workplace monitoring or require that a union representative be informed of an employer’s monitoring activities. Also, according to the National Labor Relations Board, employees’ speech may be protected when social media or other means of electronic communication is used to complain about managers, coworkers or the companies that employ them. 128

Biometric data.

Numerous state laws regulate the collection, use, transmission, storage, and destruction of biometric data. As of the writing of this book, three of these state laws regulate employee data held by employers. 129 The Illinois Biometric Information Privacy Act (BIPA) requires employers to notify employees of their biometric practices and to obtain informed consent from employees for such practices. Employers should be aware that BIPA includes a private right of action, and that numerous employment class action lawsuits have been filed by employees. 130 Texas and Washington also have biometric laws that apply to employers, but these do not include a private right of action. 131

Photo and video surveillance.

Federal law generally does not limit the use of either photography or video cameras. For example, cameras and video recordings that do not have sound recordings are outside the scope of the federal wiretap and stored-record statutes. State statutes and common law, however, create limits in some settings. California is like other states in forbidding video recording in areas such as restrooms, locker rooms, and places where employees change clothes. 132 Even in the absence of a statute, employees may be able to bring a common-law tort claim for invasion of privacy, especially where a jury would find the use of the camera to be offensive. In addition, as with other areas of workplace monitoring, collective bargaining agreements may apply.

Postal mail monitoring.

U.S. federal law generally prohibits interference with mail delivery. Importantly, mail is considered “delivered” when it reaches a business. As a result, the opening of business letters and packages by a representative of the business does not violate that statute, even if that representative is not the intended recipient. There is, however, some risk involved with monitoring postal mail under state common law.
Employers can mitigate this risk by advising employees not to receive personal mail at work, declining to read mail once it is clear that it is personal in nature, and maintaining confidentiality for any personal information obtained in the course of monitoring.

12.2.2.4.3 Policies for Companies Related to Types of Monitoring

Companies should be careful to develop and implement policies related to monitoring in numerous areas, such as: (1) how companies use location-based services, (2) how companies implement data loss prevention (DLP) programs, (3) how the IT department copes with what is called “the consumerization of information technology” or BYOD, and (4) how companies address teleworking. These policies can be particularly complex because each of these areas can blur the line between personal and professional environments, either by bringing the personal environment into the workplace environment or by bringing the workplace environment into the personal environment.

Location-based services (LBS).

Mobile phones, GPS devices, and some tablet computers provide geolocation data, which enables tracking of the user’s physical location and movements. This creates a category of personal information that typically did not exist before the prevalence of these mobile devices. 133 Employers interested in monitoring the location of company vehicles equipped with GPS may generally do so without legal hindrance, provided that the monitoring occurs for business purposes during work hours, and employees have been informed beforehand. 134 A company wishing to monitor the location of its employees themselves, however, may face greater legal barriers. Some state laws limit monitoring of employee geolocation data to an extent.
Connecticut, for example, prohibits any type of electronic employee monitoring without written notice and provides a civil penalty of $500 for a first offense. 135 California has increased protection for its employees by outlawing the use of “an electronic tracking device to determine the location or movement of a person” as a misdemeanor criminal offense. 136 In addition, the utilization of location-based services to monitor employees runs the risk of incurring invasion of privacy claims in situations where the employee has a reasonable expectation of privacy.

Data loss prevention (DLP).

DLP is a strategy used by businesses to ensure that sensitive data is not accessed, misused or lost. DLP software and tools monitor and control endpoint activities, such as employee use of smartphones or laptops. 137 DLP also may include encryption by default or other protections for data in transit. Another way of understanding DLP is that it combines (1) using information security tools, (2) training employees about acceptable behavior on work devices, and (3) implementing effective standards, policies and procedures to achieve the desired protection of data.

Privacy concerns have been raised about deployment of DLP. The technology can potentially include surveillance over many or all of the activities on an endpoint device, such as a phone or laptop that an employee uses. Some endpoint protection programs have included powerful features, such as recording every key stroke, activating the webcam of laptops or smartphones, or tracking the geolocation of the smartphone user without their knowledge. 138 Conducting a privacy impact assessment is good practice, and organizations considering a DLP program should thus consider the likely privacy risks as well as the likely benefits of the program. 139

Consumerization of information technology (COIT) and bring your own device (BYOD).

Individuals today have more IT options than ever before.
Computing devices range from traditional desktop computers and laptops to powerful smartphones, tablet computers, and smart watches. Social networks, webmail and applications can be accessed across devices. Marked improvement in device capability and widespread internet access allow employees to connect to their online networks from almost any location. Increasingly, individuals are also using their personal devices for work purposes, blurring the line between personal and professional environments. The COIT trend refers not only to the use of personal computing devices in the workplace but also to online services, such as webmail, cloud storage, and social networking. Traditionally, adoption of high-level IT started with major public- and private-sector organizations, with consumer adoption coming later, after the price became affordable. In recent years, the trend has reversed. Today, IT often emerges in the consumer market and is driven by employees who use their personal devices, accounts and applications both in and outside of the office for work tasks. 140

Bring your own device (BYOD) is part of the COIT trend, in which employees use their personal computing devices for work purposes. BYOD offers significant advantages. It allows employees to use the same technology at work that they use at home, which means more flexibility, efficiency and productivity in employee work schedules. Employers benefit from increased accessibility to their employees as well as reduced overhead and workplace device expenses. BYOD, however, presents significant security challenges that stem from the lack of employer control over employee devices.
BYOD may expose organizations to security vulnerabilities and threats that they could otherwise protect against with work-issued devices. 141 Organizations face security risks with BYOD. For example, if an organization’s current policy requires specific security controls for company-owned devices but not personal devices, the latter used for work purposes can create risks for the company’s data. Data loss prevention or other security controls required for company-owned devices, however, may not be suitable or necessary for personal devices, depending on how they are used. Less security may be adequate, for instance, for personal devices that are not permitted to store sensitive employer data. One consideration is what information triggers breach notification laws—stricter policies may be called for when loss of the device would require breach notices. BYOD also presents new workplace privacy implications. Private-sector employers often monitor employees’ activities on a work network and work-issued devices, but the same monitoring may not be appropriate for personal devices. Employees may feel their privacy is invaded, for instance, if the company monitors their private email and web surfing. Employers should address both the security and privacy implications in designing BYOD policies. If the employer is engaged in device monitoring or surveillance, it should disclose that information and consider obtaining employee consent. When monitoring and searching the device, exposure of private employee data should be minimized. 142. When such policies are either not in place or not enforced, employees may be required to provide access to their devices or accounts in response to electronic discovery demands in legal proceedings against the company. For example, an employee who leaves a company for a competitor could be subject to claims such as trade secret theft if the company’s data was not completely deleted. 143 Teleworking. 
Teleworking exploded during the COVID-19 pandemic, and many employees will desire that option post-pandemic. Teleworking allows employees to work from home or other locations out of the office, and the devices used may be provided by the employer or may be owned by the employee. Teleworking employees often discuss company issues via virtual meeting platforms or over the phone. To protect privacy and cybersecurity, companies may create and enforce policies such as: authorization and authentication of the employee, safety of the employee’s home network, patches to address known security vulnerabilities, and employee training concerning phishing and malware. 144 Endpoint security, discussed above as data loss prevention (DLP), can be a source of protection for companies but can be viewed by employees as spyware. Companies may also need to remind employees that data needs to be protected from family members or others in the home. For instance, work-issued computers should not be used by others in the home, screens should be locked when employees are away from their computers, papers with confidential or customer information should be secured after use, and discarded papers with confidential or customer information should be shredded. 145

Companies should be aware that employee privacy can be more complicated when the employee is located in their home. Virtual meetings, for example, can have family members visible in the video – including children. As with BYOD policies, employers should clearly address teleworking issues in company policies and convey to employees the privacy limits and risks when teleworking.
If the employer is engaged in monitoring or surveillance, it should disclose that information and determine if employee consent is required. In conducting employee monitoring, exposure of private employee data should be minimized when possible.

12.2.2.5 Investigation of Employee Misconduct

When alleged employee misconduct occurs, the employer should be aware of issues such as the following:
• Be careful to avoid liability or loss due to failure to take the allegations seriously. Ignoring a problem may allow it to grow or otherwise become more difficult to resolve later.
• Treat the employee with fairness during the investigation to reduce possible employee resentment as well as the risk that later litigation will result in harsher penalties if the employer is seen to have been unfair.
• Follow laws and other corporate policies during the investigation. Particular attention should be given to collective bargaining agreements, which often contain provisions concerning investigations of employee misconduct.
• Document the alleged misconduct and investigation to minimize risks from subsequent claims by the employee.
• Consider the rights of people other than those being investigated, such as fellow employees who could be subject to retaliation or other problems.

Investigations are often conducted in cooperation with an organization’s HR office. HR policies often apply to investigations. Progressive and documented discipline for initial or minor infractions can provide a reasoned basis for more serious discipline or termination if necessary. The privacy professional should work with the compliance department to determine the appropriate level of documentation.

Frequently, employers use third parties to investigate employee misconduct. Formerly, this exposed corporations to liability under the FCRA. The FCRA generally requires notice and employee consent when the employer obtains a consumer report.
According to an opinion letter issued by the FTC known as the “Vail Letter,” if an employer hired an outside organization such as a private investigator or background research firm to conduct these investigations, the outside organization constituted a CRA under the FCRA, and any report furnished to the employer by the outside organization was an “investigative consumer report.” 146 Under this opinion, an employer that received these reports was required to comply with the FCRA by providing notice to the suspected employee and obtaining consent. This destroyed the undercover aspect of investigations. 147

FACTA amended the FCRA to address the problems created by the Vail Letter. 148 Along with other FCRA and FACTA provisions discussed in Chapter 9 on financial privacy, FACTA provided that, if certain conditions were met, an employer is no longer required to notify an employee that it is obtaining an investigative consumer report on the employee from an outside organization in the context of an internal investigation. Specifically, FACTA changed the definition of “consumer report” under FCRA to exclude communications relating to employee investigations from the definition if three requirements are met:
1. The communication is made to an employer in connection with the investigation of: (1) suspected misconduct related to employment, or (2) compliance with federal, state, or local laws and/or regulations, the rules of a self-regulatory organization, or any preexisting written employment policies.
2. The communication is not made for the purpose of investigating a consumer’s creditworthiness, credit standing or credit capacity and does not include information pertaining to those factors.
3. The communication is not provided to any person except: (1) the employer or agent of the employer; (2) a federal or state officer, agency, or department, or an officer, agency, or department of a unit of general local government; (3) a self-regulating organization with authority over the activities of the employer or employee; (4) as otherwise required by law; or (5) pursuant to 15 U.S.C. § 1681f, which addresses disclosures to government agencies. 149

If the employer takes adverse action on the basis of these reports, FACTA requires that the employer disclose a summary of the nature and substance of the communication or report to the employee. This report can be issued after the investigation has been conducted and allows employers to maintain the secrecy of the investigation. 150

12.2.3 Privacy Issues After Employment

At the end of the employment relationship, an employer should restrict or terminate the former employee’s access to physical and informational assets, follow the correct termination procedures, minimize risks of post-termination claims, help management to transition after the termination, and address any privacy claims that arise.

12.2.3.1 Access to Physical and Informational Assets

When a person leaves a company or is no longer supposed to have access to specific facilities or information, there should be clear procedures for terminating such access.
Basic steps include:
• Secure the return of badges, keys, smartcards and other methods of physical access
• Disable access for computer accounts
• Ensure the return of laptops, smartphones, storage drives, and other devices that may store company information
• Seek, where possible, to have the employee return or delete any company data that is held by the employee outside of the company’s systems
• Remind employees of their obligations not to use company data for other purposes
• Forward clearly marked personal mail, if any, to the former employee but review work-related mail to ensure that proprietary company information is not leaked

Because the departure of employees is a predictable event, IT systems should be designed to minimize the disruption to the company and other employees when a person no longer has authorized access. Access may end not only for a firm employee but also for contractors, interns and others who have temporary access to company facilities. To take a simple example, the same password should not be used by multiple people because of the need to change the password when one employee leaves.

Privacy professionals may also need to consider appropriate practices for maintaining the HR records of former employees. There can be many reasons for retaining such information, such as to provide references, respond to inquiries about benefits and pensions, address health and safety issues that arise, respond to legal proceedings, and meet legal or regulatory retention requirements for particular types of records.
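The access-termination steps earlier in this subsection, walked through as an added example (not the IAPP text's code and not any product's API): against a constructed in-memory directory, offboarding a departing employee disables the account, revokes sessions and tokens, lists badges and devices to collect, and flags a contractor who shares the departing user's password hash, the chapter's "same password used by multiple people" case, whose credential now has to be rotated. The Principal record, the hash strings and every sample value are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """One person with access; kind is 'employee', 'contractor' or 'intern'."""
    user_id: str
    kind: str
    password_hash: str            # constructed placeholder, not a real credential
    enabled: bool = True
    sessions: set = field(default_factory=set)
    api_tokens: set = field(default_factory=set)
    badges: set = field(default_factory=set)    # badges, keys, smartcards
    devices: set = field(default_factory=set)   # laptops, phones, storage drives

def shared_credential_holders(directory, user_id):
    """Other accounts that share the departing user's password hash: the chapter's
    'same password used by several people' case, which forces a rotation for them."""
    h = directory[user_id].password_hash
    return sorted(u for u, p in directory.items()
                  if u != user_id and p.password_hash == h)

def offboard(directory, user_id):
    """Terminate logical access and return the checklist of remaining steps."""
    p = directory[user_id]
    p.enabled = False                                   # disable computer accounts
    revoked = {"sessions": len(p.sessions), "api_tokens": len(p.api_tokens)}
    p.sessions.clear()                                  # live sessions die with the account
    p.api_tokens.clear()                                # so do long-lived tokens
    return {
        "user_id": user_id,
        "kind": p.kind,                                 # contractors and interns: same treatment
        "revoked": revoked,
        "collect_physical_access": sorted(p.badges),
        "collect_devices": sorted(p.devices),
        "rotate_shared_credentials_for": shared_credential_holders(directory, user_id),
    }

def sample_directory():
    """Constructed directory: bob shares alice's password hash (the anti-pattern)."""
    return {
        "alice": Principal("alice", "employee", "hash-A", sessions={"s1", "s2"},
                           api_tokens={"tok-ci"}, badges={"B-0417"}, devices={"LT-22", "PH-9"}),
        "bob": Principal("bob", "contractor", "hash-A"),
        "carol": Principal("carol", "intern", "hash-C", badges={"B-0900"}),
    }

if __name__ == "__main__":
    print(offboard(sample_directory(), "alice"))
```

Other principals stay enabled after the call, which is the design goal the text states: one departure should not disrupt everyone else's access.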
There are also countervailing concerns about the privacy and security of sensitive employment records, and in some jurisdictions (such as in the EU), there may need to be a demonstrable business or legal reason to justify retaining certain personal information.

12.2.3.2 Human Resources Issues

The HR office is often significantly involved in the period before an employee leaves, especially when employees are not leaving entirely of their own initiative. The HR office often will have detailed and sensitive information about an employee’s performance in the period before termination. This sort of information is gathered, for instance, to document the basis for the company’s decisions in case the former employee brings a wrongful termination or other claim against the employer. The HR office should have in place consistent policies to deal with the retention of employee records after an employee leaves the company, addressing records such as background checks, employee contracts, performance appraisals, and medical information. 151

A similar level of care is appropriate for post-termination contacts with the employee. External communications to the former employee should be crafted with care, especially if the termination resulted from misconduct. Communications with remaining employees, customers and others should meet company goals while refraining from disparaging the former employee. When an employer is asked to provide references for the former employee, HR, working with legal counsel, should have basic guidelines but collaborate on an appropriate response in more complex circumstances. Companies balance reasons to provide references with the risk of a suit for defamation. The law can vary significantly state by state. 152 The common law imposes no duty on a former employer to supply a reference for a former employee, but some modern state statutes do require references for specific occupations, such as airplane pilot and public school teacher.
The common law provides what is known as a “qualified privilege” for employers to report their experience with and impressions of the employee, to help in defense against defamation suits. In recent years, publicity about winning defamation suits has made some employers reluctant to provide references. On the other hand, state legislatures have responded by passing laws that are designed to encourage accurate reports about former employees. A company also often has good reasons to provide references, including to retain goodwill with former employees, whose statements will affect the company’s reputation and with whom the company may do business in the future.