Will The U.S. Supreme Court Provide Clarity On Employee Privacy?


David Hill

January 7, 2010

Network Computing

The U.S. Supreme Court recently agreed to accept a case on a data privacy issue related to whether or not an employee has a reasonable expectation of privacy for personal messages sent on devices owned by an employer. The legal question revolves around whether or not such personal messages are protected under the Fourth Amendment of the Constitution that prohibits unreasonable searches and seizures. Ostensibly, this is about a narrow situation where a public employee had his pager messages transcribed into text and read by his superior. Practically, it touches a much broader and more important issue of how employee data privacy affects the management of information that organizations, including business, governmental and non-profit entities, need to keep and examine for legitimate purposes, such as compliance with government regulations or discovery related to a court case.

It's easy to understand how a strong stance on behalf of employee data privacy might create significant problems for businesses. As a result, the clarity of the Supreme Court ruling is important so that businesses know what they can and cannot do as related to employee data privacy. Among the issues that will be discussed are the following:

  • How collecting personal communications may be an unavoidable byproduct of a normal business process.

  • The difficulty of separating business from personal communications.

  • How denying an organization the ability to read personal communications captured as part of a normal business process could conceivably expose it to both business and legal risk.

  • What might happen if businesses decide to try and collect personal business communications not part of a normal business process.

The case is not only about the use of an employee pager, but it also touches the shared personal/business use of electronic devices at various locations and under different ownership models. Today, the use of electronic devices for both personal and business/enterprise use is common. That can include untethered mobile devices that use wireless communications, such as pagers, cell phones, and personal digital assistants (PDAs), as well as those that may also use network connections, such as laptop, notebook and netbook computers. It can also include tethered devices, such as telephones and desktop PCs. The location where electronic devices are used can vary considerably. Many employees work only at employer-owned sites, but an increasing number of workers are permanently or semi-permanently out of the office due to job requirements, telecommuting or travel.

The "owner" (i.e., the purchaser) of a device may vary, too, as either the employee or the employer may own the device (joint ownership is conceivable but less likely). Since the collaboration that electronic devices enable requires a network of some kind, communications costs may be borne either by the employee or the employer or in some combination. For example, a person who works at home may have a single Internet connection that they pay for fully even though the connection is sometimes used for business purposes. On the other hand, the employer may pay, either directly or via reimbursement to the employee via an expense account, for all of an Internet connection although some of it is used for personal purposes.

The overlap of personal and business use of various devices at different locations and with different ownership patterns may sound very complicated, but it has become commonplace. That said, from the perspective of employee data privacy proliferation, location and ownership are general principles that are likely to apply to virtually all of the different possible combinations related to the Supreme Court case.

As a starting point, I've used some of the principles, ideas and concepts discussed in my recent book Data Protection: Governance, Risk Management, and Compliance; this analysis builds upon that foundation and extends it to meet the requirements of this particular situation. Even though data protection and data privacy are more or less synonymous in many areas (including the European Union), more generally, data privacy is really a subset of overall data protection. Before considering data privacy, however, we must examine the capture of data. Whenever an electronic device generates data, the question is whether or not it can be captured in non-transient form. For example, landline telephone conversations are typically not captured on recording (i.e., storage) media. That means the conversation could not be reproduced and would be lost forever. No data privacy violation could occur. However, some calls would be recorded with the caller's knowledge and implicit consent. That is the case for phone calls which "may be recorded for quality assurance purposes" and for emergency 911 calls. Other data, such as e-mail, is automatically captured to non-transient media, such as a hard disk. This non-transient media might be called "permanent" as long as one recognizes that media has a finite lifetime and that the data itself may be deleted or damaged for some reason.

Presumably, the data captured in work circumstances or by devices purchased or owned by organizations is generally assumed to be work-related data, and any personal data is simply captured as a byproduct of a normal process. This data may be captured on storage within the physical walls of an enterprise or may be captured by a third party, such as a telecommunications vendor or a cloud service supplier. That said, the capture process should be for valid business purposes. Those business purposes may include, but are not necessarily limited to:

  • Mandatory data capture. For example, an organization may be legally ordered to retain data that it has collected. That is the case in Boston, where a judge requires city employees to keep their emails, and a brouhaha arose when a city employee deleted a large number of emails.

  • Prudent data capture. The Federal Rules of Civil Procedure (FRCP) clearly state that electronically stored information (ESI) captured in information systems is discoverable. As a result, enterprises must be very conscious about what data they need to capture and be able to identify what and where the data is if there is a reasonable chance that it will serve as part of a discovery process.

  • Legitimate business use data capture. Enterprises have any number of reasons for wanting to capture data that might serve a valid business purpose. In fact, businesses might well claim that any and all data created during the course of business by an employee is owned by the employer, for example, intellectual property that may result in a patent.

Before we can address the question of whether or not separating business data from personal data captured in the same data store is possible or desirable, we need to examine the different types of data and how they are typically used. Generally, we are dealing with three types: structured, semi-structured, and unstructured data.

Structured data typically relates to or arises from transaction processing, such as that common in retail outlets, financial services and banking, where the exchange of information is often transparent to the end user. For example, a person placing an order from a catalog or at a Web site probably unknowingly provides personal information, such as a credit card number, that is legitimately retained by the retailer as business data. Obviously, there are major data privacy issues involved, but regulations regarding the information vary widely. European Union countries have very strong rules on how such personal information can be used. In the U.S., a number of data breach laws can be invoked in cases where personal information is not kept confidential. This is a very important data privacy issue, but it is beyond the scope of this discussion.

The data privacy issue can also arise with semi-structured data, which is often lumped in with unstructured data. However, doing so is incorrect, and for this analysis the distinction between the two is very important because the content of semi-structured information can be searched, a critical distinction in eDiscovery. In such cases, analytical tools can help separate the relevant from the irrelevant without manual visual inspection, which may at best simply be expensive and at worst may be impractical because of the volume. That process does not necessarily eliminate the need for "manual" visual inspection.

Unstructured data can only natively be sensed (i.e., you have to watch a video or listen to a voice recording). Technology is evolving to put more structure around unstructured data. For example, a voice recording can be reduced to a text transcript with each portion of the transcript identified by the speaker. Surveillance video is system-generated data rather than individual-generated data. That is, the system generates video of an individual when that individual comes into the range of an active camera. The individual does not generate the video, except perhaps by triggering motion detection, and may be entirely unaware that the video, say in a bank or mall, is actually being created. This situation is in contrast with audio, where a person, say, initiates a cell phone call and is aware of what they are saying, although they may or may not be aware that it is being recorded. Video surveillance has a business use where personal data is involved, such as determining whether a crime or accident occurred or measuring the traffic flow patterns in a store. Data privacy issues also apply to unstructured data but, as with transactions, the personal information is intrinsically interwoven within the business application itself, which could not perform its function without that information. Audio recordings are different. One employee phone call may be completely personal, another may be purely business, and a third might mix personal and business information, but all three might be captured in the same data store. This is one place where the employee's personal data privacy issue can arise.

Is separating the business data wheat from the personal data chaff possible? To consider this question, let's take the case where personal data is captured as a by-product of a normal business process. For example, a company may have a policy that all e-mails sent or received must be captured in a central data store. Those e-mails must be retained in an unaltered form until they may or must be deleted according to the organization's data retention policy.

Some organizations may have rigid rules strictly prohibiting employees from putting computers or phones to personal use, such as for personal telephone calls or personal e-mails. There may be good reasons for this prohibition, such as the need for regulatory compliance or strict confidentiality requirements. Any personal use could be subject to stern sanctions or penalties, such as termination of employment. Although some organizations may long to apply that draconian an approach at all times to all devices, applying such rules universally is both unrealistic and impractical. Take a mobile employee traveling with a business laptop. Shouldn't that person be allowed to send personal e-mails after his or her workday is through? After all, taking two laptops, one for business and one for personal use, is impractical.

So how can business and personal data be effectively isolated from one another? One possible way to do this is to "mark" personal data in some way. For example, the word "personal" could be put in e-mail metadata. Software could then isolate data marked "personal" from other data, but marking a communication, such as an e-mail, "personal" does not mean that the communication is, in fact, personal. Improper communications, such as inappropriate contracting and pricing discussions, unauthorized disclosure of a company's intellectual property or secrets, or transmission of reprehensible pictures, could be masked by marking technologies. As a result, a company could come under scrutiny that could result in a lot of negative consequences, including embarrassment if not sanctions and penalties, for not properly monitoring the use of information that had come under their purview even though employees made inappropriate use of an electronic communications channel intended only for business. An important side note is that encryption, even if it could be used, is not an acceptable alternative. An employer would flag encrypted communications as possible hiding of information that would be relevant to the employer.

Can a physical communications device distinguish between personal communications and business communications at the time of creation and not send the personal data on to the business data store? That would mean that the personal data would not be captured at all in the business data store and could therefore not be examined; hence, no possibility of loss of employee data privacy would exist. The answer is theoretically yes. For example, a device could use virtualization technology to separate two logical "personalities": one for business use and one for personal use. But the technology may not exist yet for most electronic communication devices and, in fact, may never exist for devices using older technologies. So does "logically" separating users from physical devices solve the problem of capturing personal data? The answer, again, is not necessarily so. Some businesses may not want to permit virtualization on a physical device that is used primarily for business reasons if there is a legitimate business reason for not doing so. For example, it may be difficult to ensure that company confidential information has not been transmitted improperly from a virtual machine to an unauthorized target. In such cases, the company may follow a "Caesar's wife" rationale where all implications and temptations of impropriety are eliminated even if the business has confidence that employees would never do anything improper.

Let me note here, however, that some other businesses may take the opposite tack and not want to capture personal communications at all, and they will instead do what they can via rules, codes of conduct, etc. to avoid it. The use of virtualization would go a long way toward assuring the separation of personal and business data. If challenged legally, an argument that the business might make is that it accepted the word of employees on what is and is not personal. If that trust is misused or abused, responsibility and guilt would rest solely on the employee who acted independently and irresponsibly. As a business, the company would appear to have acted responsibly by taking steps both to respect employee privacy and to ensure the confidentiality of key data. The dilemma for businesses is which perspective on virtualization will hold up legally when they risk being sued.

Hopefully, the upcoming Supreme Court decision will clarify, at least to some extent, the validity of the two arguments, i.e., where the company feels active intervention is required to avoid legal risk and where the company assumes a more laissez-faire stance toward employee data privacy, which I will continue to discuss in tomorrow's blog on this subject.
