For employees and job candidates, the calculus of privacy has changed, especially with the rise of the internet and social media use. “Employee privacy rights are the rules that limit how extensively an employer can search an employee’s possessions or person; monitor their actions, speech, or correspondence; and know about their personal lives, especially but not exclusively in the workplace,” according to UpCouncil, an online legal platform
It’s common for HR departments to search social media regarding job candidates as part of the hiring process. In that process, many personal details about individuals that are seemingly unrelated to work can be revealed, although the counterargument is that if you're so concerned about your privacy, you shouldn’t post these details to social media.
Then, there is the dilemma of new driving regulations for the transportation industry that were introduced by the federal government in 2015 . Prior to these regulations, drivers could self-determine how many hours they drove in a given day. They had control over where they stopped. Now, truck monitoring technology logs the hours driven so that drivers conform to new safety standards that state that they can drive a maximum of 11 consecutive hours per day. Sensors are placed on engines and brakes where they are monitored by a corporate analytics system. The system grades each driver on driving habits.
Collectively, these technologies have improved driver safety and efficiency, but drivers also experience a loss of privacy. No one knows if this is contributing to the 80,000 driver shortfall of in the US, which is expected to grow to 160,000 by 2030 -- but it could be.
Just how far can companies go in monitoring their employees, and how does technology help them do it?
Employee Privacy at Work
First, any employee activity conducted while an employee is at work can be monitored and/or restricted by employers. This includes phone calls, emails, computer use, internet and website access, system access, observations throughout facilities and grounds with cameras, etc. Access to certain websites can be blocked by employers, and access to specific corporate work areas can be monitored and/or blocked through the use of card keys, biometric identification, user IDs/passwords, and cameras. An abundance of security and monitoring software, as well as IoT sensors, cameras, etc., enables this collection of data.
Given the widespread deployment of these security technologies, it is reasonable for employees to expect that they don’t have much personal privacy when they are at work.
However, that doesn’t mean that companies don't have a responsibility when it comes to employee privacy.
Company Responsibilities in the Area of Privacy
Nationally and internationally, privacy is viewed as a fundamental human right. Article 8 of the US Human Rights Act states that “personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not shared without your permission, except in certain circumstances.”
Taking the lead from Europe’s General Data Protection Requirements (GDPR), individual US states are developing data protection legislation for their citizens that helps maintain privacy. This effort has been led by California, which implemented the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020. Since then, other states have referenced the California model and are working on their own privacy statutes for citizens.
These efforts are laudable, but they don't give employers or their IT departments much direction when it comes to how far to go with security and monitoring technology. Instead, it is left for companies and their IT departments to decide how to best implement the security technologies they need while also respecting employees’ right to privacy.
Striking that balance isn't easy.
Two employees at a residential children's facility sued for invasion of privacy after a surveillance camera was placed in their office without their knowledge. The court ruled in their behalf, stating that “harm occurs when privacy is invaded in an offensive manner without consent.”
This was back in 2006. Since the law always lags technology, there are still too few legal precedents to follow, so challenges remain as new security technologies get deployed.
With privacy regulations now being determined state by state, and with no universal privacy standard in place for the country, enterprises and their IT departments can take a tip from the 2006 case.
Here, one of the primary issues was that employees weren’t informed that security technology would be placed in the office that they occupied. They also didn’t know that the installation of surveillance equipment had nothing to do with them. Instead, it had been deployed to detect other illicit activities that were under investigation.
In this case, if the IT and HR departments had collaborated to write a formal policy on company security practices and employee privacy expectations at work that these two employees had read and (if needed) agreed to and signed, the implementation of the surveillance would likely have been a moot point. Policy development is what companies and their IT departments should be doing today to reduce the risks of misunderstandings and lawsuits. Just as importantly, communication with employees regarding privacy should be open and transparent.