Post on 22-Jan-2018
WHOSE RIGHT IS IT:
Evolving Issues in Workplace Privacy
Margaret Keane
DLA Piper
Margaret.keane@dlapiper.com
Presented to Lorman Education
October 13, 2016
Agenda
I. Overview of Workplace Privacy Issues, Employee Data
Governance and Background Check Trends
II. Big Brother is Here to Stay: Managing Mobility and
Monitoring
III. It’s a Social World: Constraints on Access and Use of
Social Information
IV. Wellness, Big Data and Other Challenges
Workplace Privacy is a Function of Context
Information Used to Source and Hire Talent
Employee Information From Third Party Sources, including
Background Checks and Social Media
Information That Employees Provide Voluntarily
Employee Information Obtained from GPS, Wearables, RFID
and Other Sensors
Employer and Customer Information Entrusted to Employees
Company Liability for Inappropriate Use of Employee Information
Company Liability for Employee Breaches
Different Playing Field for Global Employers
Is Anyone in Charge?
Numerous laws touch workplace privacy, but there is no umbrella
Federal Trade Commission (FTC) regulates background checks
Department of Labor has significant role, with enforcement responsibility for
National Labor Relations Act, ADA and GINA
Relevant federal laws include Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Gramm-Leach-Bliley (“GLB”), Electronic Communications Protection Act (“ECPA”), Stored Communications Act (“SCA”), Fair Credit Reporting Act (“FCRA”), Genetic Information Non-Discrimination Act (“GINA”), Americans with Disabilities Act (“ADA”)
State laws may provide constitutional protection of privacy
State statutes address “lifestyle information,” medical and genetic information, social media access, background checks, drug tests, social security numbers, biometrics and use of GPS, RFID for surveillance and tracking
Related Laws
Record Retention Requirements, particularly important for government contractors, medical and financial services sectors – state and federal laws
Data Breach Notification Statutes
Employee Data Governance
Governance of Employee Data
Employee data should be managed from start to finish
Key elements of protecting employee data include:
• Employee data inventory and data mapping
o What types of employee data do you have and where is it stored?
o How and where does employee data move internally and externally?
• Limit access to applications and databases with employee data
• Procedures and standards for handling and transferring employee
data
• Targeted training for employees handling employee data
EEOC & FTC Issue Joint Background
Check Guidance, March 10, 2014
“Background Checks: What Employers Need to Know”
Must notify applicant or employee that information may be used to make employment decisions
Need written permission before getting background reports from a company in the business of compiling background information
Illegal to discriminate based on a person’s race, national origin, sex, religion, disability, or age or genetic information when requesting or using background information for employment
Must comply with all FCRA requirements
Must keep all personnel or employment records, whether hired or not, for one year, or until case concluded if applicant/employee files charge of discrimination
Must securely dispose of background reports
“Background Checks: What Job Applicants and Employees Should Know”
Not illegal for potential employers to ask someone about their background as long as employer does not unlawfully discriminate
Right to review background report for accuracy and explain negative information, if report was basis for denial of job or promotion
Source: “Background Checks: What Employers Need to Know,” March 10, 2014. http://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm
Source: “Background Checks: What Job Applicants and Employees Should Know,” March 10, 2014. http://www.eeoc.gov/eeoc/publications/background_checks_employees.cfm
FCRA Remedies
Cases can be based on failure to use FCRA disclosure and authorization
forms, adverse action notices or other practices with disparate impact
Minimum statutory damages of $100 to $1,000 for willful violations
Class action-friendly cases where standard procedures used
Low damages add up when multiplied against large applicant pools
Attorney fees to a successful plaintiff
No statutory cap on defendant’s exposure
2016 Supreme Court ruling helps employers with standing defenses
State and Local Laws
Numerous states restrict an employer’s consideration of
criminal history in making employment decisions
Common provisions:
Workplace posting and notice obligations
Sequencing restrictions (when an employer can
ask questions)
Inquiry restrictions (what employer cannot ask about)
Source restrictions (what employer cannot access)
“Job-relatedness” requirements (may limit employer’s discretion
to screen out applicants)
Recent trend to restrict use of credit checks – NY, CA, IL, MD,
CT
Local restrictions: San Francisco, New York City
Yours, Mine and Ours: Managing
Mobility and Monitoring
BYOD: Bring Your Own Device
A BYOD program includes:
Policies that govern use of personal devices to
access corporate services
Policies attempt to manage risk associated with
storage and transmittal of data using devices that
may be outside of the employer’s control
Policies to address impact of mobile devices on existing
workplace behavior
Balance employer’s needs with employee privacy interests
Setting Up a BYOD Program:
A Master Plan for mobile device use in your organization
Balance employee’s interests vs. employer’s need for security
and protection of IP
Need to address challenges of dual use devices, REGARDLESS
of whether you adopt a BYOD program
BYOD policy should be part of an integrated Information
Governance Plan
Determine goals and objectives
Privacy Considerations
Remote wipes
Containers/sandboxes
Backups
What Happens When Employee
Refuses to Produce Device?
“The Association does not dispute that the Commissioner properly used the destruction of the cell phone to draw an adverse inference.”
NFL v. NFLPA, April 25, 2016 (2nd Circuit)
I know where you are . . . and what
you’re thinking . . .
The new world of People Analytics
The End of Hiring as We Know it?
Big Data and Predictive Analytics tools
Other Artificial Intelligence applications
Moodometers, monitoring chairs and more
Today’s Tracking Tools
Employee tracking sensors
Electronic badge is attached to employee
Sensors identify tags and report wearer’s location to database
System can track employee’s exact location within the office (including restroom) and amount of time spent at each location
May record personnel with whom the employee interacts
Records face, time, body, and behavior rhythm data
Valuable data for defending wage & hour litigation
Internet tracking and Artificial Intelligence
Records employee’s internet and application usage (including websites visited, screen shots taken, social media, chat and instant messaging, document tracking, and keywords and keystrokes used)
Why Monitor Data?
Boost employee productivity
Research on 90 call-center workers
Data: most productive workers belonged to close-knit teams and spoke
frequently with colleagues
Action: scheduled workers for group breaks
Result: productivity rose by >10%
Reveal how workers use office space
Office study
Complaint: office short on meeting space
Data: groups of 3-4 employees gathering in meeting rooms designed
for much larger numbers
Action: created more and smaller conference spaces designed for
small groups
GPS Tracking and the Constitution
Why Do We Care
Can track the location of a person in possession of a cellphone by GPS or
cell tower location
GPS can be accurate to within ten meters
Case law has developed in search & seizure context
US Supreme Court, Grady v. North Carolina, March 2015, recidivist sex offender
ordered to wear ankle bracelet with GPS monitor at all times, for the rest of his life.
N.C. court held that ankle bracelet was not a search, so therefore not unreasonable
search and seizure. Supreme Court held installing the bracelet is a search by
“physically intruding on a subject’s body.”
US Supreme Court, California v. Riley, July 2014, addressed warrantless search of
smartphone seized incidental to arrest. "Modern cell phones, as a category,
implicate privacy concerns far beyond those implicated by the search of a cigarette
pack, wallet or purse." Court held warrant was required, not directly applicable to
private sector but should inform employers’ decisions to search employee phones.
Constitutional Implications of
Employee Surveillance Tracking
United States v. Jones, 565 U.S. __ (2012)
Government GPS tracking device on suspect’s car is “search” under 4th
Amendment
Effect of decision on private sector unclear
Laws vary from state to state
CA: No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person.
NY: GPS in public employee’s personal vehicle lawful to investigate misconduct during working hours
NJ: No privacy breach when private investigator placed GPS on plaintiff’s vehicle because no travel to secluded or private area where privacy would be expected
TX: GPS on vehicle without owner’s consent is unlawful
MO: No privacy invasion if GPS is used on company vehicle
Boundaries around GPS in the private workplace still unclear
What’s a Lifestyle Statute?
Lifestyle statutes address specific off-duty activity that cannot
be considered when an employer makes employment
decisions.
California, Colorado, New York, and North Dakota prohibit
discrimination based on any lawful activity by an employee off
the premises and during non-working hours.
Illinois, Minnesota, Montana, Nevada, North Carolina, and
Wisconsin have slightly narrower lifestyle statutes that prohibit
discrimination based on an employee’s use of “lawful products”
or “lawful consumable products.”
Approximately 30 states prohibit discrimination based on the
use of tobacco, which was the original reason that these
lifestyle statutes were enacted.
Internet of Things
A global, immersive, invisible, ambient networked computing
environment built through the continued proliferation of smart sensors,
cameras, software, databases, and massive data centers in a world-
spanning information fabric known as the Internet of Things
“Augmented reality” enhancements to the real-world input that people
perceive through the use of portable/wearable/implantable technologies
Disruption of business models established in the 20th century (most
notably impacting finance, entertainment, publishers of all sorts, and
education)
Tagging, databasing, and intelligent analytical mapping of the physical
and social realms
Pew Research Center, May 2014, “The Internet of Things Will Thrive by 2025”
Available at: http://www.pewinternet.org/2014/05/14/internet-of-things/
Employer Beware: Password
Protection Laws
At least 25 states have statutes that prohibit employers from requesting an applicant or employee’s username, password, or other information necessary to access his or her social media accounts. http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-prohibiting-access-to-social-media-usernames-and-passwords.aspx
Some have exceptions for workplace investigations. Employers may be banned from “Shoulder Surfing” and requiring applicants/employees to accept friend requests
State definitions of social media may include personal email, blogs, instant and text messages and podcasts
Restrictions on Accessing Employee’s
Personal Social Media
Recruiting and HR. Don’t request, require or otherwise
attempt (no shoulder surfing) to obtain an applicant’s username
or password to a personal social media account. However,
password protection laws don’t limit access to publicly available
information.
Company Social Media. Policies should be clear that
accounts used to conduct the employer’s business are not
“personal accounts” and the associated passwords are company
property. Have a user agreement for Company blogs, Facebook
pages, LinkedIn pages, etc., indicating agreement that account is
not personal and that password belongs to the Company and must
be surrendered on termination.
What is Protected Concerted Activity?
The NLRA prohibits discipline against employees who
engage in “protected concerted activity”
Protected = related to the terms or conditions of
employment, unionization, or an on-going labor dispute
Concerted = “with, or on the authority of, other employees
and not solely by and on behalf of the employee himself.”
Meyers Industries, 268 NLRB 493, 497 (1984)
Note: Employees in a non-unionized workplace can
engage in protected, concerted activity
Is it really Protected Activity?
1. What is the subject matter of the post?
Union organizing or exercise of rights under CBA or labor law
Work hours, wages, tax administration
Job performance or meetings with management
2. Who is participating in the discussion?
Only personal friends/relatives or co-workers included?
3. Is the employee expressing only an individual gripe?
4. Are employees acting collectively?
Preparing for discussion with management or otherwise acting on behalf of group
5. Are the social media posts a direct outgrowth of prior group discussions?
NLRB’s Latest on Social Media
policies
Chipotle Services LLC, 364 NLRB No. 72 (Aug. 18, 2016).
www.nlrb.gov/case/04-CA-147314. Chipotle’s policy was held
unlawful, including provisions that:
Prohibited employees from posting incomplete, confidential, or
inaccurate information and making disparaging, false, or misleading
statements.
Prohibited employee solicitation during nonworking time in working
areas if the solicitation would be within visual or hearing range of
customers.
Limited the use of the Chipotle name in social media posts
Directed employees to avoid exaggeration, guesswork, and
derogatory characterizations of people and their motives.
Prohibited employees from discussing politics and from using
Chipotle name for political purposes.
2016: Protecting Pay Discussions
1/11/2016 OFCCP issued regulations protecting employee rights to
inquire about, discuss or disclose their compensation or that of other
employees or applicants
8/25/2016 EEOC Enforcement Guidance on Retaliation and Related
Issues, detailing federal protections for asking about or discussing
compensation
9/30/2016 Federal Acquisition Regulation (“FAR”), Non-retaliation
for Disclosure of Compensation Information
States: CA, MD, MA and NY enacted/implemented new Equal Pay
Laws with anti-retaliation provisions protecting compensation
discussions
CA and MA limit employer’s ability to request salary history
None of the laws require employers to share salaries of other
workers
“A Little Knowledge is a Dangerous Thing.
So Is a Lot.” Alexander Pope
Knowing when to use social media activity
Hiring decisions
Responding to requests for leave and accommodation
Validating attendance
Negative commentary about employer and job
Be VERY careful and VERIFY the source
Talk to counsel, the obvious answer is not always right
Genetic Information
Nondiscrimination Act of 2008 (GINA)
Illegal to discriminate against employees or applicants because of genetic
information
Employers may not use genetic information in making employment decisions
and may not request, require or purchase genetic information
Any employer that possesses genetic information about an employee must
maintain such information in separate files; and must treat it as a
confidential medical record and may disclose it only under very limited
circumstances
Prohibition on requesting information defines “request” to include “conducting
an internet search on an individual in a way that is likely to result in a
covered entity obtaining genetic information.” 29 C.F.R. §1635
Safe harbor for inadvertent acquisition applies where employer “inadvertently
learns genetic information from a social media platform where he or she was
given permission to access by the creator of the profile at issue (e.g., a
supervisor and employee are connected on a social networking site and the
employee provides family medical history on his page).” 29 C.F.R. §1634
Big Data and Your Health
Tools that anticipate disease.
Castlight Elevate™ – the first solution that identifies at-risk employees,
enables them to make educated behavioral health treatment choices, and
instantly access care – all through Castlight’s personalized health benefits
platform.
New ADA/GINA rules, effective 1/01/2017
Information from wellness programs may be disclosed to employers only in
aggregate terms.
ADA: employers must give participating employees notice of what
information will be collected as part of the wellness program, with whom it
will be shared and for what purpose, the limits on disclosure and the way
information will be kept confidential.
GINA rule includes statutory notice and consent provisions for health and
genetic services provided to employees and their family members.
Confidentiality of Medical Information Act
CMIA, Cal. Civ. Code § 56, et seq.
No health care provider shall disclose or release medical information regarding a patient of the provider without first obtaining authorization
Eisenhower Medical Center v. Superior Court, Case No. E058378 (Cal. Ct. App. May 21, 2014)
Demographic information (name, birth date, last four digits of SSN, and medical record number) is not medical information within meaning of CMIA
Assignment of medical record number does not signify that a person has had medical treatment
Demographic or numeric information or mere fact that a person may have been a patient at one time does not reveal medical history, diagnosis, or care