What Employers Need to Know About Employee Privacy

In an age where anyone can look up almost anyone or anything online, the term “privacy” can be difficult to define. The meaning of the word becomes even more challenging when viewing privacy in the context of the workplace. Many employers struggle not only with identifying what is private, protectable information, but also with how to safeguard that information while protecting the company’s own business interests. A rise in remote or hybrid work situations has added another layer of complexity to this challenge. Given the increased costs of litigation, it is critical that employers understand their obligations under the law and how to strike a legally compliant balance between these competing interests.

Employee Records

Neither federal nor New Jersey law specifically regulates an employer’s maintenance and handling of employee personnel records, although there are certain statutes that contain ancillary record-keeping provisions. For example, New Jersey’s Paid Sick Leave Law requires that employers maintain records of hours accrued, used, and carried over by employees for a five-year period. Also, employee medical records are afforded separate and greater legal protections pursuant to various federal and state laws.

Generally, however, employers should treat employee personnel files as confidential. They should be stored in a separate, secure location and the information contained therein should only be shared with individuals on a need-to-know basis. Interestingly, New Jersey employees do not have a statutory right to their personnel files. When and how an employee may gain access to this information is generally governed by company policy, or court order in the event of litigation.

Employee Electronic Communications

A growing number of employers are tracking their employees’ electronic communications. Employers primarily cite productivity as the reason for employee monitoring, i.e., to ensure that their employees—especially remote workers—are actually working during working hours. In doing so, however, employers need to be mindful of the Electronic Communications Privacy Act of 1986 (ECPA). Initially, the ECPA appears to prohibit the interception of electronic communications, but the act contains several exceptions, two of which are significant to employers. First, the business purpose exception allows employers to monitor electronic communications to fulfill a legitimate business purpose. Second, the consent exception allows employers to monitor electronic communications provided they have their employees’ consent to do so.

Most challenges to electronic monitoring, however, are common law invasion of privacy claims. To prevail on an invasion of privacy claim, the employee must typically show that they had a reasonable expectation of privacy regarding their electronic communications while using the employer’s computer systems.

A properly drafted and uniformly enforced electronic communications policy is an employer’s most effective tool in protecting itself against legal liability. The policy should notify employees that they have no expectation of privacy when using the employer’s electronic devices and computer systems, and that all information sent, received, or stored on the company’s devices belongs to the company, including but not limited to personal emails, messages, and other materials created or stored on these devices as well as password-protected information transmitted on these devices (e.g., personal email accounts). The policy should clearly identify the purpose of the policy (e.g., to ensure productivity, protect confidential business information, etc.) and advise employees that the employer may, and routinely does, monitor its electronic communication devices to ensure employee compliance. Publishing, circulating, and training employees on an electronic communications policy is the best method to manage employee expectations of privacy and protect against potential legal claims.

Employee Location and Remote Monitoring

With an increased trend in remote or hybrid work arrangements, many employers are extending the monitoring of their employees to outside of the workplace.

Location monitoring involves keeping track of employees’ location and movement through company-owned devices using GPS. While the ECPA excludes “any communication from a tracking device,” and therefore, does not likely apply to GPS tracking, in April 2022 the New Jersey Legislature passed a bill requiring employers to provide written notice to employees if the employer “knowingly makes use of a tracking device in a vehicle used by an employee” when that device is “designed or intended to be used for the sole purpose of tracking the movement of a vehicle, person, or device.” This language supports a narrow reading, which arguably excludes devices capable of tracking location, but that are not solely designed for that purpose. For example, a company-issued smartphone, which has the ability to track location, would fall outside of this definition because of the wide array of functions performed by the device.

Even though the law only requires employers to provide notice to employees when using devices solely for tracking purposes, devices with multiple applications may still lead to privacy concerns because of the ability to intrude into the employee’s personal life or home, even if done so inadvertently. Therefore, if the employer engages in any type of employee tracking, a policy governing those devices, outlining the purpose of the tracking as well as the safeguards in place to avoid overstepping, is critical to protect against liability.

In addition to location monitoring, there has been a significant rise in the monitoring of employees who work remotely or on a hybrid basis. While keystroke and other software programs measuring idle time can be an effective tool for employers to ensure productivity, many argue this type of monitoring extends beyond mere workplace efficiencies and captures unique behavioral and physical characteristics that warrant additional protections. Because this area of the law is evolving, it is recommended that employers using these innovative forms of technology not only place their employees on notice, but also obtain their written consent in advance of implementing these systems.

Employee Off-Duty Conduct

In addition to federal, state, and common law protections against invasion of employee privacy, employers must also be mindful of the National Labor Relations Act (NLRA) when capturing employee off-duty conduct. Section 7 of the NLRA, which applies to both unionized and non-unionized employers, prohibits the taking of action against employees engaged in “protected, concerted activities,” i.e., where two or more employees engage in communications involving terms and conditions of the workplace. Thus, if an employee can show that the employer’s online monitoring or any other form of tracking or surveillance revealed “protected, concerted activities” that resulted in the employee’s termination (or other discipline), the employer may find itself defending against an unfair practice charge in which the employee is seeking both reinstatement and backpay pursuant to the NLRA.

Best Practices

A well-crafted policy manages both employer and employee expectations when it comes to privacy concerns, and is the best method for promoting company interests while protecting itself against liability. The following provisions should be considered when drafting a companywide monitoring policy:
  • Identify what is going to be governed, e.g., electronic communications in the workplace, (remote) employees outside of the workplace, employee location, etc.
  • Make clear that monitoring may occur at any time, with or without notice, for any legitimate business purpose.
  • Specify that while the company may provide employees with certain electronic devices, those devices are company property, and that both work-related and personal information sent, stored or received on these devices is subject to monitoring.
  • State that communications that violate any company policy (e.g., anti-harassment and anti-discrimination policies) will not be tolerated.
  • Advise that employees who are issued smartphones, or any other devices with GPS tracking functions, are subject to location monitoring by the company.
  • Prohibit the dissemination of company confidential or trade secret information.
  • Explain that violations of the policy may lead to discipline, up to and including termination.
  • State that nothing in the policy is intended to preclude employees from engaging in communications concerning the terms and conditions of employment that are protected by the NLRA.

Whether standalone or incorporated into a handbook, employers should get a written acknowledgment from all employees that they have read, understand, and agree to be bound by the terms of the company’s monitoring policy.
