Though not as flashy as the 1997 hit movie I’m punning, HR professionals handle protected personally identifiable information and private health information daily. They also wield an odd power to investigate employee conduct and “snoop” on employees’ workplace activity through access to company email and security systems. However, with this odd power comes a lot of confidentiality questions, and many employers have reached out to me lately about various employee privacy concerns. So, let’s tackle a couple of these issues:
Scenario: You find out a newly terminated employee has been sending personally identifiable employee information (Social Security numbers, dates of birth, etc.) to his personal email address from his work computer. You are immediately concerned about this data breach. What should your organization do?
Resolve: In NC, the Identity Theft Protection Act provides protections and requires certain actions from employers in the event of breaches (see specifically § 75-65). If necessary, employers should report the breach to local law enforcement and through the NC Department of Justice’s website, but must at least provide notice to the affected employees. The Federal Trade Commission also offers guidance on how to respond to a data breach or how to best protect employee privacy and your business from data leaks.
Scenario: Your employee, Frankie Fightstarter, has been having major performance issues. Coworkers complain that he is operating a personal business during company time using company assets. Frankie’s coworker even submits a recording she made on her cell phone of a conversation she had with Frankie about his on the clock personal business work. You speak to Frankie, and he admits nothing. So, per your company policies, you review security video footage of Frankie’s open seating work area, the coworker’s mobile recording, and Frankie’s company email for evidence of these activities. When confronted with your investigation's findings, Frankie says the company has violated his privacy by utilizing these various methods. Did the company do anything illegal?
Resolve: In NC, Frankie’s coworker, as a party to the conversation, was within her right to record their conversation, as NC is a one-party consent state. As such, the company could utilize this conversation in its investigation with the coworker’s consent. NC also allows recording of public common areas (without sound), and NC courts have not extended as “reasonable” an employee’s expectation of privacy in an open office environment (or hallways, break rooms, or other common areas). Additionally, as Frankie was utilizing the company’s computer and email network for his personal purposes, the company has a right to review those assets. As always, it is best to provide employees notice of your company’s intent to monitor communications and assets within your employee handbook policies and to receive an acknowledgement of such.
For more information about confidential information or workplace privacy, please contact your Advice and Resolution team, CAI's Pre-Paid Legal Services Plan, or peruse myCAI for excellent articles, documentation, and training materials.