Evolving Issues in Workplace Privacy
- 1. WHOSE RIGHT IS IT: Evolving Issues in Workplace Privacy Margaret Keane DLA Piper Margaret.keane@dlapiper.com Presented to Lorman Education October 13, 2016
- 2. Agenda 2 I. Overview of Workplace Privacy Issues, Employee Data Governance and Background Check Trends II. Big Brother is Here to Stay: Managing Mobility and Monitoring III. It’s a Social World: Constraints on Access and Use of Social Information IV.Wellness, Big Data and Other Challenges
- 3. Workplace Privacy is a Function of Context 3 Information Used to Source and Hire Talent Employee Information From Third Party Sources, including Background Checks and Social Media Information That Employees Provide Voluntarily Employee Information Obtained from GPS, Wearables, RFID and Other Sensors Employer and Customer Information Entrusted to Employees Company Liability for Inappropriate Use of Employee Information Company Liability for Employee Breaches Different Playing Field for Global Employers
- 4. Is Anyone in Charge? Numerous laws touch workplace privacy, but there is no umbrella Federal Trade Commission (FTC) regulates background checks Department of Labor has significant role, with enforcement responsibility for National Labor Relations Act, ADA and GINA Relevant federal laws include Health Insurance Portability and Accountability Act of 1996 (“HIPPA”), Gramm-Leach-Bliley (“GLB”), Electronic Communications Protection Act (“ECPA”), Stored Communications Act (“SCA”), Fair Credit Reporting Act (“FCRA”), Genetic Information Non- Discrimination Act (“GINA”), Americans with Disabilities Act (“ADA”) State laws may provide constitutional protection of privacy State statutes address “lifestyle information,” medical and genetic information, social media access, background checks, drug tests, social security numbers, biometrics and use of GPS, RFID for surveillance and tracking Related Laws Record Retention Requirements, particularly important for government contractors, medical and financial services sectors – state and federal laws Data Breach Notification Statutes 4
- 5. Employee Data Governance 248382415.2 5 Governance of Employee Data Employee data should be managed from start to finish Key elements of protecting employee data include: • Employee data inventory and data mapping o What types of employee data do you have and where it is stored? o How and where does employee data move internally and externally? • Limit access to applications and databases with employee data • Procedures and standards for handling and transferring employee data • Targeted training for employees handling employee data
- 6. Background Checks: Federal, state and local activity
- 7. EEOC & FTC Issue Joint Background Check Guidance, March 10, 2014 “Background Checks: What Employers Need to Know” Must notify applicant or employee that information may be used to make employment decisions Need written permission before getting background reports from a company in the business of compiling background information Illegal to discriminate based on a person’s race, national origin, sex, religion, disability, or age or genetic information when requesting or using background information for employment Must comply with all FCRA requirements Must keep all personnel or employment records, whether hired or not, for one year, or until case concluded if applicant/employee files charge of discrimination Must securely dispose of background reports “Background Checks: What Job Applicants and Employees Should Know” Not illegal for potential employers to ask someone about their background as long as employer does not unlawfully discriminate Right to review background report for accuracy and explain negative information, if report was basis for denial of job or promotion Source: “Background Checks: What Employers Need to Know,” March 10, 2014. http://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm Source: “Background Checks: What Job Applicants and Employees Should Know,” March 10, 2014. http://www.eeoc.gov/eeoc/publications/background_checks_employees.cfm 7
- 8. FCRA Remedies Cases can be based on failure to use FCRA disclosure and authorization forms, adverse action notices or other practices with disparate impact Minimum statutory damages of $100 to $1,000 for willful violations Class action-friendly cases where standard procedures used Low damages add up when multiplied against large applicant pools Attorney fees to a successful plaintiff No statutory cap on defendant’s exposure 2016 Supreme Court ruling helps employers with standing defenses 8
- 9. State and Local Laws Numerous states restrict an employer’s consideration of criminal history in making employment decisions Common provisions: Workplace posting and notice obligations Sequencing restrictions (when an employer can ask questions) Inquiry restrictions (what employer cannot ask about) Source restrictions (what employer cannot access) “Job-relatedness” requirements (may limit employer’s discretion to screen out applicants) Recent trend to restrict use of credit checks – NY, CA, IL, MD, CT Local restrictions: San Francisco, New York City 9
- 10. Big Brother is Here to Stay : Mobility and Monitoring
- 11. Yours, Mine and Ours: Managing Mobility and Monitoring BYOD: Bring Your Own Device A BYOD program includes: Policies that govern use of personal devices to access corporate services Policies attempt to manage risk associated with storage and transmittal of data using devices that may be outside of the employers control Policies to address impact of mobile devices on existing workplace behavior Balance employer’s needs with employee privacy interests 11
- 12. Setting Up a BYOD Program: A Master Plan for mobile device use in your organization Balance employee’s interests vs. employer’s need for security and protection of IP Need to address challenges of dual use devices, REGARDLESS of whether you adopt a BYOD program BYOD policy should be part of an integrated Information Governance Plan Determine goals and objectives Privacy Considerations Remote wipes Containers/sandboxes Backups 12
- 13. What Happens When Employee Refuses to Produce Device? 13 “The Association does not dispute that the Commissioner properly used the destruction of the cell phone to draw an adverse inference.” NFL v. NFLPA, April 25, 2016 (2nd Circuit)
- 14. I know where you are . . . and what you’re thinking . . . The new world of People Analytics The End of Hiring as We Know it? Big Data and Predictive Analytics tools Other Artificial Intelligence applications Moodometers, monitoring chairs and more 14
- 15. Today’s Tracking Tools Employee tracking sensors Electronic badge is attached to employee Sensors identify tags and report wearer’s location to database System can track employee’s exact location within the office (including restroom) and amount of time spent at each location May record personnel with whom the employee interacts Records face, time, body, and behavior rhythm data Valuable data for defending wage & hour litigation Internet tracking and Artificial Intelligence Records employee’s internet and application usage (including websites visited, screen shots taken, social media, chat and instant messaging, document tracking, and keywords and keystrokes used) 15
- 16. Why Monitor Data? Boost employee productivity Research on 90 call-center workers Data: most productive workers belonged to close-knit teams and spoke frequently with colleagues Action: scheduled workers for group breaks Result: productivity rose by >10% Reveal how workers use office space Office study Complaint: office short on meeting space Data: groups of 3-4 employees gathering in meeting rooms designed for much larger numbers Action: created more and smaller conference spaces designed for small groups 16
- 17. GPS Tracking and the Constitution Why Do We Care Can track the location of a person in possession of a cellphone by GPS or cell tower location GPS can be accurate to within ten meters Case law has developed in search & seizure context US Supreme Court, Grady v. North Carolina, March 2015, recidivist sex offender ordered to wear ankle bracelet with GPS monitor at all times, for the rest of his life. N.C. court held that ankle bracelet was not a search, so therefore not unreasonable search and seizure. Supreme Court held installing the bracelet is a search by “physically intruding on a subject’s body.” US Supreme Court, California v. Riley, July 2014, addressed warrantless search of smartphone seized incidental to arrest. "Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, wallet or purse." Court held warrant was required, not directly applicable to private sector but should inform employers decisions to search employee phones. 17
- 18. Constitutional Implications of Employee Surveillance Tracking United States v. Jones, 565 U.S. __ (2012) Government GPS tracking device on suspect’s car is “search” under 4th Amendment Effect of decision on private sector unclear Laws vary from state to state CA: No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person. NY: GPS in public employee’s personal vehicle lawful to investigate misconduct during working hours NJ: No privacy breach when private investigator placed GPS on plaintiff’s vehicle because no travel to secluded or private area where privacy would be expected TX: GPS on vehicle without owner’s consent is unlawful MO: No privacy invasion if GPS is used on company vehicle Boundaries around GPS in the private workplace still unclear 18
- 19. What’s a Lifestyle Statute? 248382415.2 19 Lifestyle statutes address specific off-duty activity that cannot be considered when an employer makes employment decisions. California, Colorado, New York, and North Dakota, prohibit discrimination based on any lawful activity by an employee off the premises and during non-working hours. Illinois, Minnesota, Montana, Nevada, North Carolina, and Wisconsin have slightly narrower lifestyle statutes that prohibit discrimination based on an employee’s use of “lawful products” or “lawful consumable products.” Approximately 30 states prohibit discrimination based on the use of tobacco, which was the original reason that these lifestyle statutes were enacted.
- 20. Internet of Things A global, immersive, invisible, ambient networked computing environment built through the continued proliferation of smart sensors, cameras, software, databases, and massive data centers in a world- spanning information fabric known as the Internet of Things “Augmented reality” enhancements to the real-world input that people perceive through the use of portable/wearable/implantable technologies Disruption of business models established in the 20th century (most notably impacting finance, entertainment, publishers of all sorts, and education) Tagging, databasing, and intelligent analytical mapping of the physical and social realms Pew Research Center, May 2014, “The Internet of Things Will Thrive by 2025“ Available at: http://www.pewinternet.org/2014/05/14/internet-of-things/ 20
- 21. It’s a social world . . .
- 22. 22 Employer Beware: Password Protection Laws At least 25 states have statutes that prohibit employers from requesting an applicant or employee’s username, password, or other information necessary to access his or her social media accounts. http://www.ncsl.org/research/telecommunications- and-information-technology/state-laws-prohibiting- access-to-social-media-usernames-and- passwords.aspx Some have exceptions for workplace investigations. Employers may be banned from “Shoulder Surfing” and requiring applicants/employees to accept friend requests State definitions of social media may include personal email, blogs, instant and text messages and podcasts
- 23. Restrictions on Accessing Employee’s Personal Social Media Recruiting and HR. Don’t request, require or otherwise attempt (no shoulder surfing) to obtain an applicant’s username or password to a personal social media account. However, password protection laws don’t limit access to publicly available information. Company Social Media. Policies should be clear that accounts used to conduct the employer’s business are not “personal accounts” and the associated passwords are company property. Have a user agreement for Company blogs, Facebook pages, LinkedIn pages, etc indicating agreement that account is not personal and that password belongs to the Company and must be surrendered on termination. 248382415.2 23
- 24. What is Protected Concerted Activity? 248382415.2 The NLRA prohibits discipline against employees who engage in “protected concerted activity” Protected = related to the terms or conditions of employment, unionization, or an on-going labor dispute Concerted = “with, or on the authority of, other employees and not solely by and on behalf of the employee himself.” Meyers Industries, 268 NLRB 493, 497 (1984) Note: Employees in a non-unionized workplace can engage in protected, concerted activity 24
- 25. Is it really Protected Activity? 248382415.2 1. What is the subject matter of the post? Union organizing or exercise of rights under CBA or labor law Work hours, wages, tax administration Job performance or meetings with management 2. Who is participating in the discussion? Only personal friends/relatives or co-workers included? 3. Is the employee expressing only an individual gripe? 4. Are employees acting collectively? Preparing for discussion with management or otherwise acting on behalf of group 5. Are the social media posts a direct outgrowth of prior group discussions? 25
- 26. NLRB’s Latest on Social Media policies Chipotle Services LLC, 364 NLRB No. 72 (Aug. 18, 2016). www.nlrb.gov/case/04-CA-147314 . Chipotles policy was held unlawful, including provisions that: Prohibited employees from posting incomplete, confidential, or inaccurate information and making disparaging, false, or misleading statements. Prohibited employee solicitation during nonworking time in working areas if the solicitation would be within visual or hearing range of customers. Limited the use of the Chipotle name in social media posts Directed employees to avoid exaggeration, guesswork, and derogatory characterizations of people and their motives. Prohibited employees from discussing politics and from using Chipotle name for political purposes. 248382415.2 26
- 27. 2016: Protecting Pay Discussions 1/11/2016 OFCCP issued regulations protecting employee rights to inquire about, discuss or disclose their compensation or that of other employees or applicants 8/25/2016 EEOC Enforcement Guidance on Retaliation and Related Issues, detailing federal protections for asking about or discussing compensation 9/30/2016. Federal Acquisition Regulation (“FAR”), Non-retaliation for Disclosure of Compensation Information States: CA, MD, MA and NY enacted/implemented new Equal Pay Laws with anti-retaliation provisions protecting compensation discussions CA and MA limit employer’s ability to request salary history None of the laws require employers to share salaries of other workers 248382415.2 27
- 28. “A Little Knowledge is a Dangerous Thing. So Is a Lot.” Alexander Pope Knowing when to use social media activity Hiring decisions Responding to requests for leave and accommodation Validating attendance Negative commentary about employer and job Be VERY careful and VERIFY the source Talk to counsel, the obvious answer is not always right 28
- 29. Health, Wellness and a World of Information: Employer Obligations 29
- 30. Genetic Information Nondiscrimination Act of 2008 ⦅GINA⦆ Illegal to discriminate against employees or applicants because of genetic information Employers may not use genetic information in making employment decisions and may not request, require or purchase genetic information Any employer that possesses genetic information about an employee must maintain such information in separate files; and must treat it as a confidential medical record and may disclose it only under very limited circumstances Prohibition on requesting information defines “request” to include “conducting an internet search on an individual in a way that is likely to result in a covered entity obtaining genetic information.” 29 C.F.R. §1635 Safe harbor for inadvertent acquisition applies where employer “inadvertently learns genetic information from a social media platform where he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).” 29 C.F.R. §1634 30
- 31. Big Data and Your Health Tools that anticipate disease. Castlight Elevate™ – the first solution that identifies at-risk employees, enables them to make educated behavioral health treatment choices, and instantly access care – all through Castlight’s personalized health benefits platform. New ADA/GINA rules, effective 1/01/2017 Information from wellness programs may be disclosed to employers only in aggregate terms. ADA: employers must give participating employees notice of what information will be collected as part of the wellness program, with whom it will be shared and for what purpose, the limits on disclosure and the way information will be kept confidential. GINA rule includes statutory notice and consent provisions for health and genetic services provided to employees and their family members. 248382415.2 31
- 32. Confidentiality of Medical Information Act CMIA, Cal. Civ. Code § 56, et seq. No health care provider shall disclose or release medical information regarding a patient of the provider without first obtaining authorization Eisenhower Medical Center v. Superior Court, Case No. E058378 (Cal. Ct. App. May 21, 2014) Demographic information (name, birth date, last four digits of SSN, and medical record number) is not medical information within meaning of CMIA Assignment of medical record number does not signify that a person has had medical treatment Demographic or numeric information or mere fact that a person may have been a patient at one time does not reveal medical history, diagnosis, or care 32