As you can see from the prior Draw the Law posts, you as the employer, are responsible for your employees’ health, safety, paying them, and for protecting their information. Today’s Draw the Law (and the next two) will be about protecting employees’ private information.
So a Hawaii employer should think about the following situations when it comes to employee privacy:
- Credit and Background Checks
- Surveillance and Electronic Monitoring
- Searching Personal Property
- HIPAA Privacy
- Job References
- Social Security Numbers
- Other Personal Information
As you can see there are a lot of situations you need to be worried about, so I will be breaking this topic into Part I today, which will cover the first two situations. Part II will handle numbers 3 and 4. Finally, Part III will handle 5 – 7.
Credit and Background Checks
While you may think that the Fair Credit Reporting Act (“FCRA”) applies only to consumer reporting, it actually also applies to employers who obtain and use information from consumer reporting industries for their job applicants or current employees. It applies not only to consumer credit reports, but educational background checks, license checks, employment history and the like when the information is obtained from a entity that regularly puts together these types of reports (even includes private investigators).
As the employer, you must:
- give notice to the person you intend to get a report on;
- obtain their written authorization to that the agree;
- if you take an adverse employment action based on the information received you must also give notice in that situation.
The Reports and Reporting Agency
The Federal Trade Commission is responsible for this law and it only focused on certain types of information to be found in the reports. The following pieces of information are not covered by FCRA:
- criminal or court records, when obtained from the state agency that is responsible for providing the public with this information; and
- drug testing results, when directly provided by the lab to the employee.
The key to this law has to do with from whom you obtain the reports from. This law only cares about if you obtain information from an entity that makes its business from providing the protected information. For example, if you have a job applicant and you directly contact their prior employer for information that does not make their prior employer a consumer reporting agency. Likewise, if the job applicant lists references, their professors, colleagues, and the like are not furnishing you with consumer report.
You, the employer, have to make very specific disclosures to applicants/employees at these time frames:
- before getting the report
- before make an adverse decision (includes denial of employment, transfer, raise, promotion, etc . . . )
- and after taking an adverse action.
A thing to note here, there are two different types of reports: consumer and investigative consumer. They both have different and very specific requirements in terms of disclosure. If you have questions ask an attorney or expert in the matter.
The main thing to take away from this section is you probably want to use these checks sparingly. While, there are all these legal ramifications, sometimes ordering a report can just be more costly compared to a simple call based on the applicant’s reference list. If you do decide to get a report be sure to follow specific procedures of disclosure. Once again, if you are unsure contact an attorney to help you.
Monitoring Your Employees
For those of you have been following my blawg for a while you know that I did a series of posts on Social Media and the Law, well this section is related to that. In general, when you monitor your employees through accessing e-mail, social networks, etc . . . you have a series of laws to watch out for. I am only going to focus on two federal laws, but there are a series of other laws to consider as well.
Electronic and Stored Communications
Electronic Communications Privacy Act (ECPA) governs electronic communications in the workplace that transmit data (this includes the telephone). Specifically, Title I of the act cares about the transmission and interception of the communications. Title II, which is known as the Stored Communications Act (SCA), protects the privacy and is focused on the access of stored electronic information. The main concern for employers is that they should watch themselves when they begin monitoring employees through communication devices.
Employers may have the opportunity to take advantage of three exemptions in the ECPA. They are as follows:
- electronic communications may be monitored if a person gives consent (which an employer should obtain written consent);
- “business extension” situation which applies to an employer that uses telephone extension to monitor employees in the ordinary course of business; and
- the “provider” of the electronic communication service who monitors communications as a “necessary incident” to the providing or service (or to protect its rights or property) may also be exempt.
In general, an intercepted communication may only be used for a stated business purpose. Once you have reasonably determined that the subject of an intercepted communication is not relevant to the business purpose for which monitoring took place the monitoring must cease and the contents of the communication disregarded. Generally, software that merely records e-mail addresses/URLs should be legal under the business extension exception to federal prohibitions against recording without consent.
In general, a lot of the information covered in the Social Media and the Law series talks about more specific concerns employers have when monitoring social media. However, a lot of that is relevant to this matter, as employees use the devices covered by the ECPA and SCA to use their social media accounts.
The main thing to takeaway from all this is to use NOTICE AND CONSENT. The laws only protect a reasonable expectation of privacy held by employees. The employee no longer as a reasonable expectation if you notify them you intend to monitor telephone calls, they have given you the right of access to their e-mail, text messages, and internet transmissions, etc . . . . Basically, consent will cut off any claims of violating ECPA or privacy common law. This is why having a comprehensive policy that deals with electronics, their use, and what rights employees have regarding them is important. As stated in the Social Media and the Law, you should seek out an attorney or expert to help craft your policies or review them periodically to make sure that your procedures are in compliance.
Next time, I will focus on searching employees’ personal property (think of it like what was discussed today, but now in physical space) and HIPAA regulations with regard to employee information. If you liked this post or any of my other series please “Subscribe” to this blawg to receive e-mail updates. In addition, follow me on Twitter and “Like” me on Facebook. If you need to contact me directly, please e-mail me at Ryankhew@hawaiiesquire.com.
*Disclaimer: This post discusses general legal issues, but does not constitute legal advice in any respect. No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction. Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.