Thursday, June 13, 2013

Privacy in the Workplace

Are you monitoring your employees?

Privacy issues are splashed all over the news recently. The IRS, the NSA, Google. These have been hugely controversial stories related to personal information of US citizens balanced against national security (at least in the case of the NSA) and are but one side of an ongoing discussion about privacy issues, whether personal, public, or in the workplace.

As employers, we have to be risk managers. We have to protect our product, our service, our customers and our employees, from unwanted breaches. What goes too far and how do we make sure we don’t cross that line? Some businesses monitor employees’ use of company resources (internet usage, email, phone use, etc.) on an ongoing basis; others only when a potential problem or threat becomes known. We each have to make decisions, based on our company’s needs and how critical it is to our mission and bottom line, whether to monitor any particular activity or communication.

The reasons for monitoring employees’ work, communications, etc. vary and can include:

  • From a security standpoint, we wouldn’t want our employees to send out confidential or proprietary company information to unauthorized people, even if by accident. Finding out quickly if it’s happened can often give your company time to mitigate the damage.
  • Risk of claims of harassment, discrimination and bullying are becoming more and more apparent. Discovering such activity allows you to address it early and effectively.
  • Productivity is key to every company’s bottom line. Your employees shouldn’t be spending inordinate amounts of time browsing on Facebook or any other non-work related website during work hours.
  • Downloads and streaming music and video suck up bandwidth and if you need the network for important business you can find these activities can slow down, or even halt, access for the real business of your company.
  • Unauthorized or inappropriate downloading and web surfing can open individual computers and your network to viruses. Removing them is time consuming and possibly expensive, if you outsource your IT function. Viruses and malware can come from anywhere, so you could consider safeguarding your company’s system by using employee monitoring software.

When implementing a monitoring practice, whether ongoing or situational, you should do the following:

1. Develop written policies
It's critical to develop a policy on Internet and device usage that specifies allowable and prohibited activities. Set rules for acceptable use of email, instant messaging, social networks, blogging and Web surfing, as well as for downloading software and apps. Incorporate your harassment and discrimination policies into internet/email policies. Specifically limit or prohibit use for personal business. Require that all work computer, email, etc. passwords be submitted to an appropriate party (IT manager, supervisor, etc.). An overall technology policy, one that an employee signs upon receipt, is highly recommended.

2. Inform your employees
Explain the limits on employee privacy in the workplace and the fact that monitoring will occur. Letting people know you're watching can have an important deterrent effect; and reducing their expectation of privacy can go a long way toward protecting you if you ever have to take action against an employee for activity of this nature. Explaining why you might be monitoring their computer usage or email is encouraged as well. Transparency is important.

Encourage employees to keep private communications to home computers and personal smartphones.
3. Use technology tools
You may decide you want to filter or block some Web content, such as porn and hate sites. Some businesses have decided to block all, or most, social media sites. You would need to carefully examine both your overall motivation and your company culture before doing this. Prohibiting all personal use of computers and email may not be feasible or reasonable. There are many other technological tools to use (key loggers, etc.) that may be useful to employ, as well, either on an ongoing basis, or an investigatory basis.

There are some legal restrictions on a business’s ability to monitor such employee activity. The primary restrictions would be the Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. § 2511 et seq.), and state and common law protections against invasion of privacy. The ECPA is the only federal law that governs the monitoring of electronic communications in the workplace and is an amendment to the federal Wiretap Act. The Wiretap Act restricts the interception and monitoring of oral and wire communications, the ECPA extended these restrictions to electronic communications such as e-mail.

The ECPA does contain a "business purpose exception," which permits employers to monitor oral and electronic communications as long as the company can show a legitimate business purpose.

Writing for SHRM, Teresa A. Daniel, JD, PhD, founder and principal of InsideOut HR Solutions PLLC, notes that the ECPA contains a loophole that may limit employer liability for certain methods of monitoring. "The act’s definition of "electronic communications" expressly applies to the transmission of such communications and does not include the electronic storage of such communications. Therefore, courts have distinguished between monitoring electronic communications such as e-mail messages while they are being transmitted versus viewing e-mails while they are in storage. Viewing stored e-mail is similar to searching through an employee’s papers and files. Several courts confronting this issue have found that monitoring electronic communications after transmission does not run afoul of the ECPA."

States can and have imposed stricter limitations. In Connecticut, employers must provide advance written notice that specifies the types or methods of monitoring. In addition, several state constitutions, including California, Florida, Louisiana and South Carolina, guarantee their citizens a right to privacy. Employers in these states need to take additional steps to reduce or eliminate employees’ expectations of privacy with respect to electronic information and communication in the workplace.

Monitoring Computer Usage, E-mail Text Communications
The advantages of using electronic communications are many and obvious. However, employee abuse or misuse can place companies at risk for legal liability and breaches of data security. Employers can face claims of sexual harassment, discrimination, defamation, copyright infringement and other illegal or improper conduct. (Yeah, emailing those inappropriate jokes can cause trouble!) Knowing about and being able to stop this type of activity can help you avoid serious legal ramifications.

Be aware that when employees access personal, password protected email such as on Yahoo, Gmail, etc., your ability to track or monitor may be limited, even if done from a company-owned computer or device.

Telephone Communication

The federal Wiretapping Act prohibits the interception of stored voice-mail messages, as well as live telephone calls.

Employers may monitor employee conversations with clients or customers for quality control. Some states require employers to inform the parties to the call -- either by announcement or by signal (such as a beeping noise during the call) -- that someone is listening in. Other states, including Maryland, New Hampshire and Pennsylvania, require the consent of all parties to the recording or monitoring of a phone conversation. However, federal law allows employers to monitor work calls unannounced.

An exception is made for personal calls. Under federal law, once an employer realizes that a call is personal, the employer must immediately stop monitoring the call. However, if an employee has been warned not to make personal calls from particular phones, an employer might have more monitoring leeway. Also, if the employee specifically consents to unlimited monitoring of both business and personal calls, the law allows you leeway.

Again, the best practice here is to ensure employees know monitoring may occur. 

Social Media Sites

At last count, there were 8 states that passed laws prohibiting employers from requiring employees to turn over passwords to social media accounts. In general, I see no valid reason for most employers to want to actively monitor their employees’ use of social media websites on an ongoing basis. Having said that, there will be times when you become aware of inappropriate postings and want to take some action based on those postings, and therefore want to monitor on an investigatory basis. Beware, and be careful. The NLRB is hot into ruling on cases of employers taking action based on what employees post on such sites as Facebook or Twitter. It doesn’t mean you have no rights or options, but must navigate this route carefully. As I’ve said many times before, if someone is posting questionable or inappropriate things on public sites, one of their co-workers will inform you, one way or the other. So, you may not really have to bother monitoring in this case!