Should An Expectation Of Employee Privacy Exist?


David Hill

January 8, 2010

Network Computing

Continuing our previous discussion on the U.S. Supreme Court case on a data privacy issue related to whether or not an employee has a reasonable expectation of privacy for personal messages sent on devices owned by an employer, we have to ask, does it matter that employees know that personal information will be captured and monitored by employers? If a person who is a member of a golf club speaks too loudly in the club restaurant and is overheard by others, that person has no one else to blame if that information is used to cause negative consequences. Just as the loud speaker could have spoken more softly as well as more carefully, so a user of electronic communications tools should recognize that others may see what he or she regarded as private. So logically, a user of an electronic communications channel may very well want to assume that any communications that are made could very well be made public.

That does not mean that personal communications would necessarily be exposed. A business may or may not choose to search the data. For example, data on a desktop that is used at home for at least some business use may be protected by being backed up to remote storage and the employer may pay for the protection. In the process, personal information may also be protected. The employer may be protecting the data only so that it can be restored in the case of an emergency and never plans to look at it. However, by residing within the company's data repository that information could be included in an eDiscovery request.

A more typical case is that an authorized representative scans the information that has been collected so that the organization can meet any requirements for knowing what data is available and where it is located. This scan could be made with software, but the analytical capabilities of software are nowhere close to what visual inspection can reveal. Though this statement drifts into speculation, it would seem that both the capture (i.e., scan) of the data and the visual inspection of the data are reasonable.

But how can personal data revealed in this way be appropriately used? Assume that no illegal or otherwise unsavory behavior is revealed in a communication. Still, the examiner of the personal data, who may be an employee's supervisor, unavoidably brings his or her belief system and value judgments to the table in examining these communications. The employer's examiner may form an opinion that the personal communication is morally reprehensible, reflects inappropriate political opinions, or is in some other way unacceptable. That may result in direct or indirect consequences for the employee. For example, termination for an employee who admitted smoking in a company that does not tolerate smoking would be a direct consequence. Indirect consequences may be more difficult to prove but could have negative connotations, such as denial of a promotion or unpleasant work assignments.

Although the exposure of what an employee would have liked to keep private is undesirable to the employee, the employee could have avoided the consequences in one of two ways. The first is to exercise discretion and caution in communications that the employee knows may be examined by others, such as a supervisor. The second is to choose channels of communication that are not the responsibility of or captured by the employer. Although, as we have seen, some personal communications may be appropriately commingled with business communications, that does not mean that the individual does not have access to alternative communication channels, such as personally buying a cell phone that uses a different carrier than the cell phone used for business. Even though the worker could use such a device for business purposes -- such as calling in sick -- that is not its typical use.

So, does a company have the right or even a responsibility to capture employee data that is generally personal, only incidentally used for business purposes, is not part of a normal business process or has other intended uses? Ostensibly, the business might have a legitimate business concern, such as preventing the leakage of confidential information or capturing data that would be necessary to respond to eDiscovery requests should they occur.

Now this is my personal opinion, but I suspect that businesses would be on very shaky legal ground if they captured such information. Yes, a worker may do things that are inappropriate or illegal related to the company, but if they do so on their own time and through private communication channels, that is and remains their responsibility. The process of eDiscovery for ESI for businesses relates only to normal business processes. If a company suspects that an employee is using company data, such as revealing trade secrets, outside those normal business processes, the company should turn to law enforcement authorities to help address the issue rather than attempting a broad, surreptitious sweep of information where only a small portion of communications could conceivably be of importance and a number of individuals could risk having their private communications exposed.

Does that mean that a business could not sometimes collect that data reasonably and legally? No. For example, the company could ask employees to allow them to collect that data. Union and public sector employees could probably tell them no, but "at will" employees might feel that their jobs are at stake and consent only because of that threat. Whether such coercion is legal, I don't know. However, say that a third party had a confidentiality arrangement with the employee for private matters totally unrelated to the employer, such as health-related matters, and the employer revealed that information. Once again, this is only my opinion, but the third-party employee might have a very good case to receive damages from the employer. The bottom line is that businesses probably should collect private communications only as an unavoidable byproduct of their normal business processes. When they stray from that, they may be taking on unnecessary and unexpected risks which far exceed any benefits they might gain from capturing that information.

As a non-attorney and one more or less unfamiliar with constitutional law, including the precedents, I cannot pretend to understand in depth the complex reasoning that goes on in any Supreme Court decision. People tend to like or dislike particular decisions based upon their political perspectives without fully comprehending the legal issues surrounding the conflict between two principles where only one can prevail. However, as an industry analyst familiar with the technologies of ESI and with a strong business background, I have tried to frame the issues from at least a business perspective. The key points are:

  • Collecting personal communications in a central business storage repository can very well be an unavoidable byproduct of normal business processes where a particular electronic device is used for the creation of both personal and business communications.

  • The difficulty of determining what is truly personal means that the business may inadvertently visually scan and read what were meant to be strictly personal communications.

  • Denying an organization this ability could prove to be technically infeasible and could conceivably expose it to both business and legal risk.

  • Even if the data can be separated (such as through the use of virtualization) and a business wants to take a laissez faire stance respectful of employee privacy, is the business still at risk for not having done enough?

  • Can businesses thus decide to try and collect personal business communications that are not part of a normal business process? One risk is in not doing enough and the other risk is in trying to do too much.

While the Supreme Court may choose to rule very narrowly, and only on some of what is contained in the first point, a broader ruling would help businesses explicitly understand what is and what is not permissible, which would have the laudable effect of reducing future litigation. In any event, the upcoming case and eventual ruling may be under the radar for most businesses but needs to be watched quite closely. Depending on the Court's ruling, some businesses may want to take a more proactive stance to avoid significant negative consequences.
