Draw the Law: People Issues VII, Protecting Workplace Privacy Part I

As you can see from the prior Draw the Law posts, you, as the employer, are responsible for your employees’ health and safety, for paying them, and for protecting their information.  Today’s Draw the Law (and the next two) will be about protecting employees’ private information.

So a Hawaii employer should think about the following situations when it comes to employee privacy:

  1. Credit and Background Checks
  2. Surveillance and Electronic Monitoring
  3. Searching Personal Property
  4. HIPAA Privacy
  5. Job References
  6. Social Security Numbers
  7. Other Personal Information

As you can see there are a lot of situations you need to be worried about, so I will be breaking this topic into Part I today, which will cover the first two situations.   Part II will handle numbers 3 and 4.  Finally, Part III will handle 5 – 7.

Unless you are an all powerful all seeing eye that lords over a realm, you are going to have to respect the privacy of your employees and comply with the law in many situations.

Credit and Background Checks

While you may think that the Fair Credit Reporting Act (“FCRA”) applies only to consumer reporting, it actually also applies to employers who obtain and use information from consumer reporting industries for their job applicants or current employees.  It applies not only to consumer credit reports, but also to educational background checks, license checks, employment history and the like when the information is obtained from an entity that regularly puts together these types of reports (this even includes private investigators).

Typically, a job applicant submits an application and the employer wants to check it out through a reporting agency, but before doing that the employer must notify and get approval from the applicant.

As the employer, you must:

  1. give notice to the person you intend to get a report on;
  2. obtain their written authorization stating that they agree;
  3. if you take an adverse employment action based on the information received, you must also give notice in that situation.

The specifics of when to give notice.

The Reports and Reporting Agency

The Federal Trade Commission is responsible for this law, and it focuses only on certain types of information to be found in the reports.  The following pieces of information are not covered by FCRA:

  1. criminal or court records, when obtained from the state agency that is responsible for providing the public with this information; and
  2. drug testing results, when directly provided by the lab to the employee.

The court and drug testing labs are NOT consumer reporting agencies for the purposes of this law.

The key to this law has to do with whom you obtain the reports from.  This law only cares about whether you obtain information from an entity that makes its business from providing the protected information.  For example, if you have a job applicant and you directly contact their prior employer for information, that does not make their prior employer a consumer reporting agency.  Likewise, if the job applicant lists references, their professors, colleagues, and the like are not furnishing you with a consumer report.

You, the employer, have to make very specific disclosures to applicants/employees at these time frames:

  1. before getting the report
  2. before making an adverse decision (includes denial of employment, transfer, raise, promotion, etc . . . )
  3. and after taking an adverse action.

One thing to note here: there are two different types of reports, consumer and investigative consumer.  They both have different and very specific requirements in terms of disclosure.   If you have questions, ask an attorney or expert in the matter.


The main thing to take away from this section is you probably want to use these checks sparingly.  While there are all these legal ramifications, sometimes ordering a report can just be more costly compared to a simple call based on the applicant’s reference list.  If you do decide to get a report, be sure to follow specific procedures of disclosure.  Once again, if you are unsure, contact an attorney to help you.

Monitoring Your Employees

Those of you who have been following my blawg for a while know that I did a series of posts on Social Media and the Law; this section is related to that.  In general, when you monitor your employees through accessing e-mail, social networks, etc . . . you have a series of laws to watch out for.  I am only going to focus on two federal laws, but there are a series of other laws to consider as well.

Electronic and Stored Communications

The ECPA is concerned with the sending and interception of information, and the SCA is focused on the storage of data. As the employer, you should still be concerned about both.

The Electronic Communications Privacy Act (ECPA) governs electronic communications in the workplace that transmit data (this includes the telephone).  Specifically, Title I of the act cares about the transmission and interception of the communications.  Title II, which is known as the Stored Communications Act (SCA), protects the privacy of, and is focused on access to, stored electronic information.  The main concern for employers is that they should watch themselves when they begin monitoring employees through communication devices.

Employers may have the opportunity to take advantage of three exemptions in the ECPA.  They are as follows:

  1. electronic communications may be monitored if a person gives consent (an employer should obtain written consent);
  2. the “business extension” situation, which applies to an employer that uses a telephone extension to monitor employees in the ordinary course of business; and
  3. the “provider” of the electronic communication service who monitors communications as a “necessary incident” to the providing of service (or to protect its rights or property) may also be exempt.

The two main exemptions of ECPA employers should care about are: (i) consent and (ii) the ordinary course of business situations.

In general, an intercepted communication may only be used for a stated business purpose.  Once you have reasonably determined that the subject of an intercepted communication is not relevant to the business purpose for which monitoring took place, the monitoring must cease and the contents of the communication must be disregarded.  Generally, software that merely records e-mail addresses/URLs should be legal under the business extension exception to federal prohibitions against recording without consent.

In general, the Social Media and the Law series covers the more specific concerns employers have when monitoring social media.  However, a lot of that is relevant to this matter, as employees use the devices covered by the ECPA and SCA to use their social media accounts.

Last Word

Notice and consent are the two big concepts, if anything, that you should take away from today's post.

The main thing to take away from all this is to use NOTICE AND CONSENT.  The laws only protect a reasonable expectation of privacy held by employees.  The employee no longer has a reasonable expectation if you notify them you intend to monitor telephone calls and they have given you the right of access to their e-mail, text messages, internet transmissions, etc . . . .  Basically, consent will cut off any claims of violating ECPA or privacy common law.  This is why having a comprehensive policy that deals with electronics, their use, and what rights employees have regarding them is important.  As stated in the Social Media and the Law series, you should seek out an attorney or expert to help craft your policies or review them periodically to make sure that your procedures are in compliance.

Next time, I will focus on searching employees’ personal property (think of it like what was discussed today, but now in physical space) and HIPAA regulations with regard to employee information.  If you liked this post or any of my other series please “Subscribe” to this blawg to receive e-mail updates.  In addition, follow me on Twitter and “Like” me on Facebook.  If you need to contact me directly, please e-mail me at Ryankhew@hawaiiesquire.com.

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.  No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.  Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.

