Privacy in the Workplace


Stephanie Busch Professor Ashlee Brand ENG 2151 Fall 2011

Employee and Employer Rights and Responsibilities in an Electronic World



Introduction

With the progression of an electronic world, we have to ask ourselves these questions: Does an employee have a reasonable expectation of privacy when he or she uses the company’s e-mail system for personal use or something as extreme as to harass another employee? Is it reasonable for an employee to assume that messages on the company voicemail system are private? Is it reasonable to assume that the history of internet use on a company computer is private? It is the intention of this report to provide final findings in the following areas:

• phone monitoring
• expectation of privacy - employee
• expectation of privacy - employer
• employee offline (out of office) monitoring
• employer access to workstations
• email and computer internet usage

Methodology

We developed an initial sample of 100 employees that was designed to be broadly representative in terms of race, religion, economic standing, work ethic and longevity within the company. The total research time spent was over a period of 90 days. Each participant was sent a letter of introduction outlining the purpose of the study along with a list of questions (illus 1-1) prior to participating in the study. They were then exposed to a series of video scenarios, in 2-week increments, and asked to summarize their reactions to each. At the end of the study, they were provided the same initial written ‘assignment’. Though some stayed true to their initial stance, we found that the majority had changed their particular views on the employer’s right to ‘invade their space.’ Our research is complete and the results are hereby summarized and submitted for approval.



Acknowledgements and References

Dean, John. “Justia :: Employment Law Workplace Privacy and Employee Monitoring.” Justia :: Law & Legal Information for Lawyers, Students, Business and the Public. Web. 14 Oct. 2011. <http://www.justia.com/employment/docs/workplace-privacy.html>.

“Electronic Privacy Rights: The Workplace.” The ‘Lectric Law Library’s Entrance & Welcome. Web. 15 Oct. 2011. <http://www.lectlaw.com/files/emp41.htm>.

Gross, Barrie. “Should Your Employees Expect Privacy in the Workplace? | Labor & Employment Labor Regulation & Policy from AllBusiness.com.” Small Business Advice | Business News & Articles | AllBusiness.com, 7/14/2011. Web. 18 Oct. 2011. <http://www.allbusiness.com/labor-employment/labor-regulation-policy-employeeprivacy/8518785-1.html>.

Liu, Lori. “Expectations of Workplace Privacy.” Buchalter Nemer - A Professional Law Corporation. Web. 15 Oct. 2011. <http://www.buchalter.com/bt/index.php?option=com_content&task=view&id=166&Itemid=1>.

“CPSR - Electronic Communications Privacy Act of 1986.” CPSR - Computer Professionals for Social Responsibility. Web. 22 Oct. 2011. <http://cpsr.org/issues/privacy/ecpa86/>.

Privacy & American Business. Privacy and the Workplace. Rep. no. Study No. 16224. Harris Interactive/ChoicePoint Inc., 14 May 2002. Web. 20 Oct. 2011. <http://www.diogenesllc.com/privacyandtheworkplacesurvey.pdf>.


Electronic Communications Privacy Act

“Only the Electronic Communications Privacy Act of 1986 (ECPA) directly prohibits the interception of e-mail transmissions. The ECPA prohibits the interception by (1) unauthorized individuals or (2) individuals working for a government entity, acting without a proper warrant. The ECPA is mostly concerned with the unauthorized access by employees or corporate competitors trying to find out valuable information. However, while there is nothing specific in the ECPA that prohibits an employer to monitor the e-mail of employees, the ECPA does not specifically exempt employers.”

Exceptions

The three most relevant to the workplace are (1) where one party consents, (2) where the provider of the communication service can monitor communications, and (3) where the monitoring is done in the ordinary course of business.

Exception one, consent, can be implied or actual. Several courts have placed a fairly high standard for establishing implied consent. For example, one court held that "knowledge of the capability of monitoring alone cannot be considered implied consent." For an employer to ensure the presence of actual consent, it should prepare, with advice of counsel, a carefully worded e-mail Policy Statement which explains the scope of employer monitoring. This Policy Statement should be signed by the employees. One example of how this Policy Statement needs to be carefully written is that if it states that personal communications will be monitored only to determine whether there is business content in the communications, then this would probably not amount to consent to review the personal communications.

Exception two, provider: the ECPA exempts from liability the person or entity providing the communication service. Where this service is provided by the employer, the ECPA has been interpreted as permitting the employers broad discretion to read and disclose the contents of e-mail communications, without the employee's consent. However, employers should not rely on this exception, because it might not apply in all cases, such as to incoming (as opposed to internal e-mail) if the e-mail service is provided by a common carrier (e.g., America Online or MCI mail, which are not provided by the employer).

Exception three, use: courts will analyze whether the content of the interception was business or personal and allow the interception of only business-content communications.



Employment Law Workplace Privacy and Employee Monitoring

Do employees have any right of privacy in their workplace? May employers read the e-mails, monitor the web browsing histories, or search the desk drawers of their employees? Does the Fourth Amendment protect employees from unreasonable searches and seizures by their employers? While the Fourth Amendment does prohibit unreasonable searches and seizures, it only regulates those conducted by the government. In other words, the Fourth Amendment does not prohibit searches or seizures by private companies or persons.

Reasonable Expectation of Privacy

Because employers compensate employees to perform their jobs, courts traditionally have granted employers the right to monitor their employees’ work performance and productivity, provided that such monitoring does not violate an employee’s reasonable expectation of privacy. Courts usually side with employers when they have engaged in electronic surveillance, such as by monitoring phone lines, e-mail accounts and Internet access, provided that the employer has disclosed its monitoring policy to its employees; such disclosure would eliminate any reasonable expectation of privacy in those areas.

For example, in Ohio, a business fired an employee for stealing company property after an investigator produced an eBay printout showing that the employee had recently sold items that were identical to those missing from the business. The employee then sued his employer for invasion of privacy and alleged that the employer had obtained the printout by either accessing his password-protected eBay account without permission or searching through his briefcase. The judge dismissed the employer’s motion for summary judgment because there were disputed facts regarding how the employer had obtained the printout. However, the judge did state that if the employer had a computer usage policy that “advised its employees that their computer activities on the office system were monitored,” the employee would have no “reasonable expectation of privacy” in accounts he accessed from the company’s computers. The case is Dwayne Campbell v. Woodard Photographic, Inc., et al., 2006 U.S. Dist. LEXIS 36680.

When an employee policy specifically states that an employer will not intercept an employee’s electronic communications, such protections do not apply when an employee sends an e-mail to a supervisor. A federal court in Pennsylvania found that the employee had waived any right of privacy when he voluntarily sent an email to his supervisor over the company network.



“[W]e do not find a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management,” the court said in Michael A. Smyth v. The Pillsbury Company, 914 F. Supp. 97 (E.D. Pa., 1996).

Office Searches

While employees may have an increased expectation of privacy to their office, cabinets and personal belongings, an employer may search through those areas and items provided that they possess a work-related reason. In US v Simons, 206 F. 3d 392 (4th Cir., 2000), the Foreign Bureau of Information Services, a government agency, discovered that an employee had downloaded over 1,000 pornographic images, many of which were of children. An agency contractor entered Simons’ office to remove his hard drive. Later a warrant was obtained to do further searches. Since FBIS had a computer use policy, Simons had no reasonable expectation of privacy in his computer, the Fourth Circuit ruled. The court acknowledged that the employee did have an expectation of privacy in his office; however, the agency overcame this expectation because it had “reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct.”

These cases are limited to employer searches, as opposed to law enforcement searches. They show that while your expectation of privacy in the workplace is not nonexistent, it is extremely limited. If a computer use policy is in place, the employer needs no reasonable grounds to examine your hard drive or Internet usage. Your office and desk have more protection but are susceptible to search if the employer has reasonable grounds to suspect misconduct or criminal activity.

Even when asked about more specific privacy practices and policies, employees continue to view their employers in a positive light and do not seem overly concerned about the way their personal information is collected or used by employers. While the majority of employees are not aware of an occasion where they felt their employer acted improperly, there are some employees who say that they are aware of at least one such occasion.

Employer Use of Information

Nearly a third (30%) of all employees say they are aware of at least one situation where they felt their employer released or monitored their information improperly. However, the majority (70%) say they are not aware of any such occasion. One out of five (19%) employees say their employer monitored their work performance in a way they felt was improper. Additionally, just over one out of ten (13%) feel that the company has improperly monitored their use of email or the telephone, and about the same proportion (12%) says they were asked for personal information that they felt was not needed for employment. Fewer feel that their employer collected information about off-the-job activities or lifestyle (7%) or released personal information improperly (6%).

When looking at general concern about the way the company collects and uses employees’ personal information, the overwhelming majority (70%) of employees say they are not very or not at all concerned, with thirty percent (30%) who say they are very concerned, concerned or somewhat concerned.

What is it that concerns you the most about the way your employer collects or uses medical or health information about employees?

“The storage of this information is inadequate and personal info, when disposed of, is not shredded. It is merely thrown into the trash.”

“That information will be released to third parties or will be used against me in promotion/pay raise decisions.”

“I worry that poor health might affect future promotions, regardless of the work capabilities.”

Please describe the practices at your workplace that you think are improper invasions of employee privacy. (Asked of non-managers)

“Phone lines are recorded and monitored – not only the business lines but also the private lines.”

“They want to know where you will be after hours on the basis that they want to call you in to work.”

“The ability to monitor e-mails, Internet usage, etc.”


Further, employees do not seem overly concerned about the way the company collects or uses medical or health information. Even when asked about information that could be perceived as more sensitive in nature, only a quarter of employees (24%) say they are concerned.

Environment

Physical work arrangements are seen as private enough to allow most employees to work effectively. Four out of five (81%) employees feel they get enough privacy at their workstation in order to perform their work effectively. Over half (54%) even feel that their physical work arrangements allow a great deal or a lot of needed privacy.

work station setup

Email and Phone Monitoring

When it comes to formal policies about offline and online communication, a sizable number of employees are not sure what these policies state or if we even have such policies in place. While half (50%) of employees understand the current policy about the Internet to allow occasional personal use as long as it does not interfere with work, over one out of five (23%) believes that any personal use is forbidden by policy. However, over a quarter (27%) of employees are not sure what the policy states.

Employees do feel that there are certain situations where monitoring policies do not infringe on privacy. When asked if the practice of supervisors monitoring telephone customer calls for quality control purposes should be allowed or banned, the majority of employees (78%) feel such listening-in should be allowed. Only one out of five (22%) feels this practice should be banned. When a similar question was asked at the beginning of the study, sixty percent (60%) then felt that listening-in should be allowed and nearly two out of five (38%) said this practice should be banned.

“My employer opens all employee mail . . . and if deemed necessary keeps it and does not give it to employee.” “Files are not locked and might be looked at by unauthorized people.”

When security is involved, concerns about breaches of privacy also appear to be a non-issue for most employees. When asked whether they would be willing to have an ID card issued by their employer for the purposes of enhancing security that would contain their photo, a biometric identifier such as fingerprints, and other personnel data, the majority of working adults (81%) indicate their willingness to have such a card. Over two out of five (44%) actually say they would be very willing. Only one out of five (19%) employees are unwilling to have such a photo ID card.

“Not enough personal space provided at work…” “Our offices do not have private cubicles per person. If someone makes or gets a call, everyone in the room can hear it, including supervisory personnel.”



illustration 1-1

HomeSolutions

Employee Questionnaire, page 1 of 2

Employee Name:

Employee ID:

Do you know any occasion when your current employer did the following?

• Asked you for personal information that you thought was inappropriate, because it was not really needed for employment: Yes / No
• Released any personal information about you in a way that you feel or felt was not proper: Yes / No
• Collected information about your activities or lifestyle off the job that you feel or felt should not be collected: Yes / No
• Monitored your work performance in a way you felt or feel is improper: Yes / No
• Monitored your use of the company email or telephone system in a way you felt or feel is improper: Yes / No

Have you ever been given that Privacy Policy to read? Yes / No

How important is it to you that your employer has and communicates an Employee Privacy Policy to each employee?
___ Not important at all
___ Not very important
___ Somewhat important
___ Very important
___ Absolutely essential


HomeSolutions

Employee Questionnaire, page 2 of 2

How acceptable is it for employers to use a commercial information service that draws on public records to do the following background checks of job applicants?

| Background check | Not Acceptable At All | Not Very Acceptable | Somewhat Acceptable | Very Acceptable |
|---|---|---|---|---|
| Criminal conviction record | ____ | ____ | ____ | ____ |
| Whether a job applicant has ever filed for bankruptcy | ____ | ____ | ____ | ____ |
| Whether a job applicant’s resume contains false information about educational achievements, employment history, and similar matters | ____ | ____ | ____ | ____ |
| Records of arrests without conviction | ____ | ____ | ____ | ____ |
| Whether the applicant is a party to a civil lawsuit | ____ | ____ | ____ | ____ |
| Sexual offender convictions | ____ | ____ | ____ | ____ |
| Credit history report | ____ | ____ | ____ | ____ |

Which statement best describes what you understand your current employer’s policy is about employees’ use of the Internet for non-work related purposes?
___ Non-work related uses of the Internet on organizational time and using the organization’s computers are absolutely forbidden.
___ Non-work uses can be done if these are occasional and do not interfere with work assignments.
___ I do not know what the policy states.

How concerned are you about the way your employer collects and uses personal information about its employees?
___ Not at all concerned
___ Not very concerned
___ Somewhat concerned
___ Concerned
___ Very concerned


HomeSolutions

Employee Questionnaire Results, page 1 of 2

VIEWS OF EMPLOYER INFORMATION PRACTICES

Do you know any occasion when your current employer did the following?

| Practice | Yes | No |
|---|---|---|
| Asked you for personal information that you thought was inappropriate, because it was not really needed for employment | 12 | 88 |
| Released any personal information about you in a way that you feel or felt was not proper | 6 | 94 |
| Collected information about your activities or lifestyle off the job that you feel or felt should not be collected | 7 | 93 |
| Monitored your work performance in a way you felt or feel is improper | 19 | 81 |
| Monitored your use of the company email or telephone system in a way you felt or feel is improper | 13 | 87 |

Have you ever been given that Privacy Policy to read?
82 Yes
11 No
7 Don’t know

How important is it to you that your employer has and communicates an Employee Privacy Policy to each employee?
6 Not important at all
10 Not very important
30 Somewhat important
40 Very important
15 Absolutely essential


HomeSolutions

Employee Questionnaire Results, page 2 of 2

How acceptable is it for employers to use a commercial information service that draws on public records to do the following background checks of job applicants?

| Background check | Not Acceptable At All | Not Very Acceptable | Somewhat Acceptable | Very Acceptable |
|---|---|---|---|---|
| Criminal conviction record | 9 | 12 | 34 | 46 |
| Whether a job applicant has ever filed for bankruptcy | 50 | 25 | 14 | 10 |
| Whether a job applicant’s resume contains false information about educational achievements, employment history, and similar matters | 8 | 15 | 35 | 43 |
| Records of arrests without conviction | 26 | 19 | 24 | 32 |
| Whether the applicant is a party to a civil lawsuit | 40 | 27 | 18 | 15 |
| Sexual offender convictions | 5 | 4 | 14 | 77 |
| Credit history report | 50 | 22 | 16 | 11 |

Which statement best describes what you understand your current employer’s policy is about employees’ use of the Internet for non-work related purposes?
23 Non-work related uses of the Internet on organizational time and using the organization’s computers are absolutely forbidden.
50 Non-work uses can be done if these are occasional and do not interfere with work assignments.
27 I do not know what the policy states.

How concerned are you about the way your employer collects and uses personal information about its employees?
28 Not at all concerned
41 Not very concerned
18 Somewhat concerned
6 Concerned
6 Very concerned


illustration 1-2

HomeSolutions

Employee Acknowledgement Form, page 1 of 2

This form will be printed, filled out, signed, and sent to your Human Resources Coordinator.

Employee Name:

Employee ID:

Instruction: You, as the employee, are to thoroughly read the below information as part of the Policy and Procedures guide for Home Solutions, Inc. (hereinafter referred to as ‘the company’). It is your responsibility to adhere to these guidelines. Any violation of any of the policies and/or procedures will result in disciplinary action, up to and including termination of employment.

General Policies

Information contained in the company’s administrative systems (‘Information’) is the property of the company and represents official company records. Employees who have access to this information, in all formats (printed materials, on-line systems, data files) accept responsibility for adhering to certain principles in the use and protection of that information.

1. Employees who have access to information are responsible for maintaining its confidentiality. Information remains under the control of the company, and its data custodians. Any use of this information for purposes other than originally authorized is prohibited.
2. Employees are responsible for understanding the meaning and purpose of the information to which they have access, and may only use this information to support the normal functions of their administrative and academic duties. All information to which they have access, in printed or electronic format, must be maintained and disposed of in a secure manner.
3. Employees may not use information in any manner which duplicates a function reserved by a company data custodian without the permission of that custodian. Examples of reserved functions are reports for government agencies, transcripts, employment verification, financial and budget reports.
4. All company information is governed by data security policies published in the employee manual.
5. Printed information (e.g., reports, labels, data files) may not be distributed outside the company without approval of the data custodian.

Computerized Information Guidelines

Access to any of the company’s computerized information systems requires the approval of the data custodian responsible for that data. Specific guidelines govern computerized access, and all employees who become authorized users of these online information systems must comply with the following security procedures:

1. Never disclose your password.
2. Never use another person’s sign-on ID.
3. Always sign off the system when finished; do not leave a terminal unattended while you are logged onto a system.
4. Never allow another employee who does not have an authorized sign-on ID to access any of the company’s online systems.
5. Report all security violations to the Information Coordinator in your department, a data custodian or Information Systems.

HomeSolutions

Employee Acknowledgement Form, page 2 of 2

Enforcement Acts

Any act which may achieve or attempt to achieve the unauthorized use of computer resources or the unauthorized use or copying of data or software owned by or in the care of the company is prohibited. Examples of unauthorized use or copying include attempts to alter systems, attempts to circumvent systems protection features, attempts to alter or destroy data, attempts of unauthorized access or copying of data or software, attempts to release data or software for which the attempter is not the University authorized processor or custodian, and the condoning, approving or directing of unauthorized use or copying.

The company regards an unauthorized attempt to use or unauthorized use of computer resources or the unauthorized copying of data or software owned by or in the care of the company as an extremely serious violation of company policy. Violation of policy will result in appropriate suspension or termination from company status as an employee. Violation may also result in civil proceedings, and/or in criminal prosecution.

I have read, understood, and retained a copy of the Acknowledgement, and agree to comply with and be bound by the policies and procedures in force by the Home Solutions company as described above.

Signature of Employee                    Date of Signature

Signature of Hiring Manager              Date of Signature

Signature of Human Resource Manager      Date of Signature

Signature of Executive Director          Date of Signature


illustration 1-3

HomeSolutions

Memorandum

To: John Q. Employee
From: S. Busch, Executive Director
CC: M. Doe, Human Resource Director
Date: October 23, 2011
Subject: Policy and Procedure

As our company grows, our current policy and procedures must grow as well.

In the next few weeks, you will be provided with an updated manual that will cover several areas of interest. The following is a list of topics that are to be included, but not limited to, in the newly adopted manual:

• phone monitoring
• expectation of privacy - employee
• expectation of privacy - employer
• employee offline (out of office) monitoring
• employer access to workstations
• email and computer internet usage

Once the manual is complete, the executive team will be meeting with each of you, individually, to discuss and answer any questions you may have.

Just as you are crucial to the success of the company, so is your input. We would like to hear from you! Attached is a questionnaire that will provide feedback as to any concerns you may have about the current state of affairs at stephBdesigns.


Recommendations

1. Assemble committee to prepare standard operating procedures to include written policies on email, computer and internet usage, acceptable behaviors both in the workplace and expectations outside the office environment
2. Review revisions, edit and submit for final approval
3. Advise employees that a manual is forthcoming (illus 1-3)
4. Distribute manual
5. Conduct one on one interviews with current employees to discuss and answer questions pertaining to the manual
6. Obtain employee written acknowledgment (illus 1-2)
