Skip to Content

Privacy & Data

With Workplace Privacy, Have a Policy and Follow the Policy

Wendi Lowrey, a speech-language pathologist at an elementary school in Florida, was reassigned to a less prestigious position in August of 2014 after her employers read a post on her personal Facebook page concerning statewide education policy issues. Even though she had not specifically mentioned her employer, Orange County Public Schools, she was penalized for her comments. The Orange County Classroom Teachers Association filed a grievance on her behalf and an arbitrator recently agreed that the punishment violated Ms. Lowery’s First Amendment rights, and that she should be reinstated in her previous role.

But what about her right to privacy? Was that violated as well? Emerging trends and new technologies blur boundaries between work and personal activities and raise complicated questions about privacy rights of employees.

What’s the issue?

Technology has allowed for more novel and expansive employee surveillance and workplace monitoring. It enables institutions to track office interactions among employees, leverage the personal accounts of an employee for the company’s gain, monitor social media for comments about work, and predict health concerns in an effort to reduce insurance plan costs. The growth of technological capability coupled with limited legal protections for employee privacy creates a permissive environment where employee surveillance could grow unchecked. State legislators (and institutions creating model legislation) are looking to formalize and unify the legal landscape of employee privacy. And CDT is working to intervene and create strong privacy-protections for individuals at both the public and corporate level in the increasingly technologically advanced workplace.

CDT Convenes Experts to Develop Answers

We recently convened a working group of experts to discuss models for workplace privacy legislation.  The core questions discussed were:

  • What happens when employees use their personal phones and computers for work?
  • What rules govern personal accounts when they are conscripted for professional use?
  • Should employers be prohibited from viewing publicly available, but potentially pseudonymous, accounts of their employees or applicant?

Following this meeting, we wrote a letter to the authors summarizing our perspective on the complicated role technology plays in the workplace, and the best role for legislation to play in addressing privacy concerns. You can read the entire letter here. In in our letter, CDT proposes that the drafters apply a framework based on likely real-life situations by addressing situational and ongoing access questions differently.

Situational Access to Address Employer Liability

Situational needs for access are most likely to arise when an employer has a liability concern. In these situations, the contents of an employee’s personal online account may be germane to an employer’s’ investigation. Workplace privacy legislation should provide a minimal exception for investigations under specific conditions that the employer’s access be limited to defined pieces of content, rather than an account in its entirety. This requires that the employer have a particular purpose for their investigation (including an expectation that the intent is not to uncover whistleblowing activities) and that they can articulate the location, nature, date, time, or other identifying details of the content in question.

Additionally, the language should prohibit a fishing expedition designed to unearth negative comments that were perhaps made pseudonymously. For example, if the employer finds a reddit thread where a pseudonymous user wrote negative comments about the employer, this is not sufficient evidence to command all employees to turn over their reddit usernames and legislation should not make an exception for this type of situation.

Ongoing Access to Streamline or Augment Workflow

Lean business models have led some businesses to conscript the personal devices or accounts of their employees into professional use. While it used to be common to have a separate phone for work, many individuals now have one device that serves mixed purposes. Shared devices are simpler for employees as well as more economical for employers. The same logic could apply to accounts as well. For example, if the employer pays for an upgrade to a LinkedIn Premium account for the purpose of supporting a recruiter’s efforts to reach talent for the company. In these cases, the employer has a formal stake in the employee’s account or device and might subsequently expect access on an ongoing basis.

These situations are vastly more varied and complicated than a short-term scenario and are not well addressed by legislation. However, at a minimum legislation should require employers who are planning to leverage personal property or accounts to have a policy stating boundaries and expectations for both parties. This policy should be known to applicants and employees and would be binding for both parties. Many online accounts and devices are mixed-use and are used for both professional and personal reasons. Policies should be bounded by the length of time the company pays for the service or technology and  limited to reasonable work hours so that the employee can use their personal account, devices, or other technology for personal purposes during non-work hours.

Advocate for Strong Boundaries Between Work and Home

CDT believes a workplace privacy policy should address several key issues, including: setting formal boundaries between work and personal use, installing a technological ‘off’ switch controlled by employees, and having a process for severing the connection once the employee leaves without damaging the underlying possession. (it’s worth noting that some companies that provide relevant services recognize the sensitivity of how employees use their products and provide technical mechanisms to help them protect privacy. For example, LinkedIn has a list of advice for job seekers looking to keep their process secret from employers.)

The process of creating a workplace policy will be especially helpful for the employer, because the employer is forced to decide what kind of information is essential for efficient work and guarding against employer-liability for employee actions. As more technologies are utilized in the workplace, the policy should be updated and employees notified prior to the installation of the technology. The presence of a clear policy will not only help employees distinguish between activities that are suitable for work or personal devices and accounts, but also empower individuals to leverage data privacy as part of a negotiation in both the course of employment and application for employment.

Employers will continue to utilize digital advancements to make their workplaces more efficient. As technology continues to streamline our life into one identity, the distinction between a work device or online account and a personal device or account will be harder to establish. Legislation can certainly address some of these issues. Where legislation cannot reasonably establish specific boundaries, policies agreed to by both employer and employee should formalize privacy expectations with an organization.