picture: employee privacy: when it's personal

I get a lot of questions about employee privacy—what’s protected, what’s not and where. They are always really great questions because this area of law is unclear and developing quickly related to employee social media use.  Yesterday I talked about monitoring employees’ computer, phone and Internet use.  Today I’m looking at the more general privacy rights and how employers should handle them.

All Employees Have Some Privacy Rights

Privacy rights come from different kinds of laws. They can be based on specific statutes like HIPAA (privacy for medical information) GINA (privacy for genetic information) or computer hacking laws.

Privacy rights can also come from a constitutional provision or concept.  For example, the California Constitution has an express “right to privacy.”  The US Supreme Court has also recognized privacy rights based on federal constitutional rights to be free from governmental search, and First Amendment rights of expression, religion and association.

Courts also recognize common law privacy rights based on general tort law that protects against other people interfering with our person and property.

Common Law Privacy.

Common law means that courts have recognized a legal principle, but there may or may not be a statute about it.  All states generally recognize there are certain things that everyone has an expectation of privacy about.

  • Physical and Sexual privacy—other people should not be able to see you naked unless you want them to.  And even then, their privacy rights may protect them from having to.
  • Privacy in our homes –to do the things we want to do without surveillance or interference (unless it’s illegal).
  • Medical Privacy—personal health information is, well, personal. So employees aren’t usually required to disclose that information; and employers generally can’t release it to other people.
  • Financial Privacy—taxes and personal finances are private and do not have to be disclosed, except when there is a legitimate “need to know.”

When dealing with common law privacy issues, you look at three issues:

  1. Whether there is a reasonable expectation of privacy;
  2. Whether the interference was a significant intrusion; and
  3. Whether there is a strong and legitimate reason or public policy for disclosing something, even if it is private.

Expectation of Privacy: This is an objective standard based on how a reasonable person would view the circumstances.  Most people would agree that having sex is private, but having sex in a glass elevator is not.  Seeing people at work is not private, but seeing people in the bathroom or shower is private.  So surveillance cameras in restrooms or locker rooms at work is generally considered a violation of common law privacy rights—even if it is there for a supposedly legitimate reason—like to deter theft from lockers

Significant Intrusion: The invasion part is usually pretty easy to figure out.  You ask whether it’s something people generally consider personal or private, whether it has been voluntarily or involuntarily disclosed and how big a deal it is.

Overhearing a snippet of someone’s personal call when the office door was open is not a significant intrusion.  Coming in when the door is closed and plopping down in a chair while someone discusses her tax audit with the IRS or is on the phone with her doctor about test results would be a significant intrusion.

Legitimate Reason for Disclosure:  If the employer has a legitimate reason for requiring the information, it will often be allowed to find out.  For example, employers can run credit checks and background checks on applicants for jobs where the employee will be responsible for handling money.  Employers can drug test applicants who will be driving  buses or operating dangerous machinery because it involves the physical safety of the employee and the people around him.

The law in its infinite, but really confusing, wisdom is often an evaluation about whether something is reasonable under the circumstances and whose rights outweigh the other’s.

What to do:

First, check to see if there is a law in your state that covers the situation.  There are laws regarding when employers can do background checks, obtain credit reports, and how and whether they can use medical information about employees.

In addition, some states including California, Connecticut, North Dakota and Colorado protect employees from discipline or discharge for off-duty conduct

If there is no specific law that covers the situation, but the employer believes it has a legitimate interest in knowing something about an employee, then ask these questions:

  1. How personal is the information?  Does it have to do with someone’s body, sex life or preferences, health, finances or family?
  2. Has the employee voluntarily disclosed the information or are you finding out from another source?  Posting something on twitter, facebook or drunken emails are voluntary disclosures by the employee.
  3. Does the employer have a legitimate interest in the information that directly relates to the performance of the job by the employee?
  4. How big a deal is it to both the employer and the employee?

Here is a true example, and how I would think about these questions.

An employee gets extremely drunk after work and passes out on the street.  His friends take pictures and tag the employee on Facebook.  A manager is “friends” with the employee and realizes that a company employee was passed out in public –where any of the company’s clients could have seen it. The employer is mortified and wants to fire him.

  1. How personal is it?  Off-duty conduct would normally not be any of the employer’s business.  However, the employee was in public where people could see him.  If it was at a professional conference, it may not be considered off-duty.  But if it was in Las Vegas where everyone else was drunk too, better find out what the boss did that night before disciplining the employee.
  2. Did the employee-voluntarily disclose the information?  Not directly. But by getting really drunk in public, having managers as Facebook friends, and “friends” who post pictures of you doing stupid things, makes the whole “expectation of privacy” argument pretty weak.
  3. Does the employer have a legitimate interest?  Generally the employer has an interest in its reputation in the community, but not at the expense of its employees’ personal privacy and freedom to live their lives outside of work.   It’s generally a bad idea to discipline people for off-duty conduct unless it is a really big deal that directly affects the employer.
  4. How big a deal is it?  Who actually saw the employee passed out on the street corner?  How long was he there?  Were there any other comments about it from a client or anyone outside the company?  What is the employee’s job?  Would people even know who he was, or where he worked?  Are there any other signs of substance abuse problems affecting the employee’s work?  Did he puke?

Before digging into employees’ personal lives, even if the employer wants or “needs” to know, it is important to consider the whole picture and the interests involved.  If the questions above, don’t get you to the answer, and you need a clear rule, then here’s one from this legal department:  When in doubt, stay out.

Next:  Employee Privacy and Social Media