When Does Legitimate “Need-to-Know” Cross the Line?
Businesses have valid interests in accessing potentially sensitive employee information as long as that access is reasonably necessary to maintain workplace safety and security. On the other hand, companies must respect worker privacy on matters that are irrelevant to administration and operations.
A clear, comprehensive written policy is essential to mark the line between legitimate company access and inappropriate intrusion into workers’ actions, communications, internet usage, data storage, and property possession and usage. For example, if a policy adequately defines the valid circumstances when management may require an employee to submit to a drug or alcohol detection process, then a worker does not have a reasonable expectation of privacy on such matters. Considerations in creating a proper employee privacy policy include:
1. Such a policy should begin with the company’s commitment to protecting employee identities and other private information except where other valid interests reasonably outweigh nondisclosure or non-inquiry. The policy should confirm the company takes employee privacy matters seriously;
2. Of course, it is essential to ensure the policy is consistent with applicable state and federal laws. For example, there are legal standards for the non-disclosure of employee social security numbers and medical information;
3. The policy should provide complaint procedures and disciplinary standards for alleged and confirmed privacy violations, respectively;
4. Human resources personnel should ensure the secure storage of employees’ personal information, for example medical information;
5. The policy should specify that unauthorized persons cannot access stored personal employee information, including on any computer system;
6. The policy should include a “clean desk” provision requiring personnel to clear out or otherwise secure confidential personal information whenever they leave their work area; and
7. The privacy policy should include regular shredding of all documents and deletion of soft copy files containing personal employee data that are no longer needed and no longer within the legally required storage period. The policy should authorize human resources personnel to conduct this periodic process.
Experienced and capable labor and employment counsel can and should assist in developing an employee privacy policy that fits a particular business and its work force.