Employers are challenged to balance their need for information with employees’ privacy rights. This conflict may arise when an employer wants to perform a background check on a job applicant, or when the employer wishes to monitor employee communications, or when an employee’s off-duty activities create a potential conflict of interest. The challenge for employers is to protect their right to obtain information, while establishing realistic employee privacy expectations and honoring any legally protected privacy rights.
Many employers choose to monitor employee communications and other personal activities. According to a survey by the Society for Human Resources Management and the Wall Street Journal, employers monitor employee activities for a variety of reasons, including:
- protection against computer viruses, hackers and other intruders,
- quality assurance,
- evaluations of employee performance or productivity,
- protection of proprietary information,
- prevention of workplace violence, and
- prevention of litigation (e.g., misconduct, workplace harassment, etc.).
When asked how their organization monitors employees, HR professionals reported some activities by employers, including: reading employee postal mail; using cameras to monitor activities; searching employees’ desks and offices; monitoring employees’ telephone use and computer use; and performing reference or background checks on applicants for employment.
Before using these strategies, employers should know the privacy protection employees enjoy under the law.
Fair Credit Reporting Act
Under the Fair Credit Reporting Act, employees have certain rights regarding credit checks and general investigative background checks obtained from third parties. The FCRA governs the disclosure of consumer reports, which includes information provided by consumer-reporting agencies that address credit, character, general reputation, personal characteristics or mode of living. Although employers often fail to recognize that the FCRA applies in the employment context, criminal background investigation reports and credit histories generally fall within the FCRA’s scope.
The FCRA requires employers to provide employees with certain notices and disclosures before requesting a report, before taking any adverse action based on the report and after taking adverse action based on the report. There are exceptions from these notices and disclosure requirements in which the report concerns suspected employee misconduct; compliance with federal, state or local laws; regulations; or pre-existing written employer policies.
If the report falls within one of these exceptions, the statute requires only limited employee notice, but still restricts access to the report to individuals or organizations prescribed by statute.
Common-law right to privacy
Employees may have a common-law right to privacy, which gives the employee the right to be free from an “unreasonable intrusion” upon their privacy. The availability of this right varies from state to state. For example, a common-law invasion of privacy cause of action has been recognized by the courts in Connecticut, but not in New York state.
When considering whether an employee has proven a violation of a common-law right to privacy, generally, a court will ask three questions:
- Did the employee have a reasonable expectation of privacy?
- If so, did the employer have a legitimate business reason for monitoring, accessing or disclosing?
- Were the employer’s actions reasonable under the circumstances?
However, employee consent to employer monitoring is a complete defense to common-law right to privacy claims, as an employee who gives consent no longer has a reasonable expectation of privacy.
Electronic Communications Privacy Act
Another source for employee privacy rights is the Federal Electronic Communications Privacy Act. The ECPA prohibits intentional, unauthorized interception and access of wire, oral or electronic communications (including email). This prohibition applies only to content of communication, not to the sender’s or recipient’s identities or the length of the communication. Generally, the ECPA applies to employers and provides employees a private cause of action, and punitive damages and attorneys’ fees. Violators may be subject to criminal sanctions.
Several ECPA exemptions may apply to employers, including an exemption for prior consent of one of the parties and an exception for interception by an employer in the ordinary course of business.
State law may provide employees additional rights regarding privacy of electronic communications. For example, under New York’s Wiretapping Law, Penal Law Section 250, monitoring, intercepting or accessing electronic communications without consent of one of the parties is a Class E felony. Unlike the federal ECPA, the New York law provides no system provider or ordinary course exceptions. However, if an employer obtains consent of one of the parties, the employer is permitted to monitor, intercept or access electronic communications.
For example, monitoring telephone calls for training or other purposes may fall within the ECPA’s ordinary course of business exception and would be permissible under federal law, but would violate New York state law, unless the employer had the prior consent of the employee. On the other hand, monitoring employees’ personal calls without the employee’s prior consent violates both the ECPA and New York’s Wiretapping Law.
Consent is a defense to a common-law right to privacy claim or to claims under the ECPA or some state statutes. Therefore, employers should obtain employee consent to intercept, monitor, access and disclose voice mail, telephone, email, internet or computer files. Such consent can be express or implied.
Express consent exists when an employee consents to employer monitoring and access in writing. Employers may obtain express consent at the time of hire or at any time during employment. Employers that want to obtain expressed consent from employees may circulate to current employees a consent form, which should be signed and returned to the employer. As new employees are hired, the employer should then obtain the same written consent by asking new employees to sign and return the consent form prior to beginning work.
Implied consent may be found when the employee did not provide written consent, but facts and circumstances demonstrate employee consent. Several factors are considered in determining whether an employee has given implied consent, including whether: the employer has an established policy; employees had notice of the policy; or employees were informed the computer/email system is private and confidential.
To establish implied consent, employers should have a formal policy stating that use of the system constitutes consent and should provide a pop-up reminder to employees at logon regarding waiver and the employer’s rights to monitor, intercept and access messages and files on its system.
Employers also should be sure to comply with other state laws impacting electronic monitoring. For example, effective May 7, 2022, New York employers are required to provide newly hired employees written notice of any electronic monitoring and obtain written or electronic acknowledgement of receipt of the notice. Employers also must post the notice in a conspicuous place, so that employees who are subject to electronic monitoring can review the notice readily.
Lawful political/recreational activities
Some states prohibit discrimination against employees because of lawful outside political or recreational activities. In New York, an employee is protected from discrimination for engaging in a variety of outside activities:
- political activities, such as running for public office, campaigning on behalf of a candidate or participating in political fundraisers;
- recreational activities, such as sports, hobbies, television viewing, etc.; and
- use of legal products, such as tobacco, alcohol and cannabis, when such use occurs during nonwork hours and off-premises/not on the employer’s equipment.
New York’s statute provides certain exceptions that permit the employer to act against an employee when, for example, the employee’s outside activities create a material conflict of interest or violate an established substance-abuse policy. Otherwise, the employee is protected from discrimination for his or her lawful off-duty activities.
Practices for employers
Employers should take steps to ensure they are respecting employees’ privacy rights while preserving their own rights to monitor employee activities. To ensure they are addressing privacy needs properly, employers should consider taking the following steps:
- identify risks that may need to be reduced through monitoring or appropriate employer policies;
- create, distribute and implement relevant policies and detail reasons for the policy before it’s implemented;
- obtain employee consent for monitoring, accessing and disclosing records;
- only disclose private information when necessary and only on a need-to-know basis; and
- consult with employment counsel regarding applicable state laws.