Employee Privacy to See Advances in 2023

Written By Haley Metteauer

Employee privacy will likely be at the forefront of discussion in 2023.

As this Information Week article points out, it is “common” for human resources (HR) departments in an organization to “search social media regarding job candidates as part of the hiring process.” This process often results in personal details of an employee’s life—unrelated to their role of employment in the organization—being revealed, reported to others within the organization, and, sometimes, documented. 

Another practice presenting privacy concerns is the tracking of employee activities that are conducted while they are at work. As Information Week points out, “any employee activity conducted while an employee is at work can be monitored and/or restricted by employers.” This can include “phone calls, emails, computer use, internet and website access, system access, observations throughout facilities and grounds with cameras[.]” Organizations can monitor employee’s online presence by tracking and blocking access to certain websites through the use of system controls. Likewise, organizations can physically monitor people’s presence on company grounds by permitting access to certain areas or technologies through the use of “card keys, biometric identification, user IDs/passwords, and cameras.” 

Despite the commonality of these workplace practices, Information Week points out that these practices may violate an employee’s “fundamental human right” to privacy as they could be considered a violation of Article 8 of the US Human Rights Act. Under Article 8, “personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not shared without your permission, except in certain circumstances.” This begs the question — is acceptance of an employment position considered an extension of permission to be monitored, tracked, and surveilled? 

If you are an employee in the state of California, the amendments to the California Consumer Privacy Act (CCPA), contained in the California Privacy Rights Act (CPRA)—which became effective on January 1, 2023—provide a clear answer: if you are a California employer, you must notify your employees of any data collection that relates to their personal information. 

Additionally, this JD Supra article proposes that in 2023, the answer to that question may be clear to employees outside of the state of California. 

According to JD Supra, “[s]tates are trending towards increasing transparency and privacy in the workplace by passing laws that require employers to notify employees if they are monitoring them.” In fact, in 2022, New York, Connecticut, and Delaware each enacted regulations that require private employers to provide employees with written notice of any monitoring practices of the employee’s email, internet access or usage, or telephone conversations. Similarly, Texas law prohibits the monitoring of an employee’s electronic communications beyond their own communication systems, as the state considers it to be “an invasion of privacy.” JD Supra predicts that “it is likely that other states will follow the trend and pass legislation that seeks to limit and/or require notice to employees of monitoring activities taking place in the workplace.” 

In light of these legislative shifts across the country, JD Supra notes that it is now more important than ever that a business establish and maintain a “comprehensive and robust privacy policy detailing how an employee’s personal data will be collected, processed, stored and shared.” 

Of the many details that should be addressed in your privacy policy, we recommend consideration of the following matters: 

  • Any monitoring that may be conducted relating to an employee, including, but nor limited to, phone calls on work phones and personal phones; internet browser usage; file storage on work computers or personal computers that have access to organizations’ systems; and video monitoring on company devices or in company-owned spaces 

  • Privacy policies for the use of personal devices for work-related matters and personal matters, on company networks or internet connections 

  • Acceptable use policies 

  • The collection of employees’ biometric information 

  • Storage and retention policies for any personal information or data collected from an employee 

Haley Metteauer
Previous

Practical Guidance: TikTok Bans
Next

State of the Union Discusses Privacy