Want to Read More? To continue reading this article, please Log in or Register Now

Employee Privacy: Federal

Employee Privacy requirements by state

Author: Jason Habinsky, Haynes & Boone


  • Employers may generally monitor employee workplace activities or activities engaged in while using employer-owned equipment and devices. Employers need to decide what goals are to be achieved by monitoring employees and then determine the most effective and efficient way to achieve those goals. See Monitoring and Protecting Employee Privacy.
  • Some federal and state laws limit an employer's ability to monitor employee activities and electronic communications. See Limitations on the Right to Monitor Employees.
  • Employers should manage employee privacy expectations through employment policies that notify employees that workplace activities and electronic communications may and will be monitored. See Managing Employee Privacy Expectations.
  • Employers may monitor employees in many ways, including using a variety of technology available to monitor computer and internet use. See Types of Monitoring.
  • Employers should make sure to implement and enforce policies and procedures regarding employee use of social media and the employer's right to monitor social media use when using the employer's computer equipment and networks. See Monitoring Use of Social Media Networks.
  • Employers should be aware of the federal and state laws covering background checks and preemployment testing, and be sure not to compromise applicant privacy rights. See Application/Interview Inquiries and the Right to Privacy.
  • Employers may generally perform drug and alcohol testing on applicants and employees. It is permissible to administer a drug and alcohol test to an applicant if:
    • The applicant has been given notice that testing is a condition of employment (preferably, in writing on the job application);
    • The applicant has been extended a job offer; and
    • All applicants are similarly tested. See Testing of Employees.
  • If employers want to test employees after hiring, employers should develop a standardized drug and alcohol policy that is well publicized to all employees, in order to eliminate surprises. See Testing of Employees.
  • Employers should be aware of the federal and state laws requiring them to safeguard employees' records and confidential information, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Nondiscrimination Act (GINA). See Recordkeeping and Safeguarding Employee Records and Confidential Information.

Monitoring and Protecting Employee Privacy

In today's modern world there are many ways that employers can and do monitor employee activities such as computer use phone calls, text and instant messaging, etc. The primary question that employers must answer is not whether they may monitor employees, but whether they should. Employers should consider whether and to what extent they have a legitimate business interest in keeping tabs on employees that outweighs the employee right to privacy and any negative impact on employee morale that may result from the monitoring.

There are many compelling reasons to monitor employee activities both on and off employer property. For example:

  • Maintaining a productive workplace. By monitoring the amount of time employees spend on various tasks, an employer can ensure that the workplace is operating efficiently.
  • Quality control of employee work. Regular monitoring can aid in ensuring that employees produce consistent, high quality products.
  • Preventing discrimination and harassment lawsuits. Employees who know they are being monitored may be less likely to engage in harassing or discriminatory behhaavior and such monitoring can provide a defense for an employer facing a meritless lawsuit.
  • Protecting relationships with clients and customers. Employers can protect valuable relationships by ensuring that employees treat clients and customers with courtesy and respect.
  • Maintaining the security of trade secrets and confidential information. Monitoring employee communications and access to confidential information and trade secrets can help ensure that these valuable assets do not end up in a competitor's hands.
  • Protecting employer computers, property and equipment. Monitoring can allow an employer to ensure that its costly equipment is not being used or abused by employees.
  • Protecting employer reputation. By monitoring employee communications, an employer can protect itself from projecting a poor image to potential customers.
  • Preventing employee theft and misconduct. Monitoring can both deter employee misconduct and uncover such misconduct after it has occurred.
  • Cooperating with law enforcement during investigations of suspected illegal activity. By monitoring employee activity under the direction of law enforcement officials, an employer can protect itself from civil or criminal liability based on employees' illegal actions.
  • Saving employers money, time and resources. By uncovering and reducing excessive internet usage or employee theft, among other things, employers may save unnecessary costs.
  • Managing, maintaining and repairing business systems. Employers can detect potential problems early so that repair costs and productivity losses may be minimized.

While there are many reasons to monitor employee behavior, employers must also consider the following potential negative ramifications of monitoring and surveillance:

  • Employee expectations of privacy. While the increased use of technology and surveillance in all aspects of public life has diminished employees' expectations of privacy, employees still expect employers to respect personal privacy. An employer that oversteps these expectations risks creating unhappiness in the workforce.
  • Employee right to engage in protected concerted activity. The right of employees to advocate for improved workplace conditions either along with or on behalf of other employees is protected under federal law. Employers risk violating these rights by disciplining employees for engaging in protected activities discovered through workplace monitoring. See Labor Relations > Unfair Labor Practices; Labor Relations > Employer Liability.
  • Employee right to safeguard personal information. With identity theft on the rise, employees may be rightfully fearful of personal information falling into the wrong hands.
  • Employee right to be free from false publicity or defamatory statements. Employees do not leave the right to be free from defamation or false publicity at the workplace door.
  • Employee morale. An employer that records and reviews its employees' every move or communication does not create a high level of trust and appreciation.
  • High costs. The cost of monitoring may outweigh any benefit received from it. Monitoring can be expensive, especially for small businesses. It may not be worth installing expensive computer software and hardware or surveillance equipment, as well as hiring qualified workers to maintain these systems, if these changes will only result in slight improvements in workplace efficiency.

Limitations on the Right to Monitor Employees

Generally speaking, employees do not have a reasonable expectation of privacy in the workplace when the employer informs them that their activities may and will be monitored. As a condition of employment, employers may require employees to subject themselves to monitoring of daily activities in the workplace and away from the workplace when using employer equipment.

However, if an employer decides to monitor at least some portion of employee activities, the employer must comply with various federal laws that place some limitations on workplace monitoring.

Privacy Act of 1974

The Privacy Act requires public sector employers to protect certain information about employees. +5 U.S.C. 552a

For example:

  • Public sector employers must have security systems in place to prevent the unauthorized release of personal records;
  • Public sector employers must only maintain information about employees that is relevant and necessary to their agency's specific purpose; and
  • Subject to some exceptions, employers may not disclose any employee records without the employee's written consent.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) amended the Wiretap Act to extend restrictions on wiretaps beyond phone calls and to include all electronic communications, including emails and electronic data. +18 U.S.C. 2510, et seq. The ECPA prohibits individuals from intercepting communications while in transit or while stored by a service provider. See Stored Communications Act.

The ECPA, however, contains the following exceptions allowing an employer to monitor employee emails and telephone calls without violating the law:

  • Provider Exception. This exception allows for the provider of a communication service to monitor communications on its service. For example, if an employer provides its employees with an email account, it may monitor the messages employees send and receive using that account.
  • Consent Exception. This exception allows for an individual to intercept an electronic communication if the sender has either expressly or implicitly consented to interception. This means that an employer may review employee communications upon receiving employee consent. Best practices include having a clearly worded policy, which states that employee communications over the employer's systems will be monitored, and having employees acknowledge in writing that they are aware of and agree to this policy. A policy that communications may be monitored, without a written acknowledgement by the employee, may be insufficient to show implied consent.
  • Business Use Exception. Communications may be intercepted for business related reasons. Employers should be wary, however, as this is a narrow exception, especially when it comes to phone calls. Once an employer realizes that an employee is making a personal phone call, the employer must immediately stop monitoring the call.

While the ECPA does not require employers to notify employees that their business related calls will be monitored, many states do. See State Requirements. Best practices include informing employees of monitoring regardless of the employer's state's requirements on this issue. Employers should provide employees with explicit notice in an employee handbook or other policy document that employers retain the right to monitor employee electronic communications. Employers should also notify employees that business related calls may be monitored and that phones should not be used for personal calls. Employers may want to consider providing separate phones for employees to use to make personal phone calls when needed or encouraging employees to use personal cell phones for such calls.

Practical Example

Justin, a disgruntled employee of Acme Insurance, sells insurance policies. Acme discovers that Justin has drafted (but not sent) a letter to Acme's customers, noting that many policyholders are unhappy with Acme and urging them to switch policies. After learning of the letter, Acme investigates Justin's email account on Acme's centralized server to search for other evidence of disloyal conduct. Acme finds further evidence of disloyalty and terminates Justin. Justin's subsequent suit against Acme under the ECPA is unsuccessful because Acme provided the email services to Justin, so it has the right to access communications in its storage systems.

Stored Communications Act

The Stored Communications Act (SCA) is part of the ECPA and generally prohibits an individual from accessing stored electronic communications without proper authorization. +18 U.S.C. 2701, et seq. The same exceptions to the ECPA also apply to the SCA, allowing an employer to enforce a policy that it retains the right to review any communications or information stored on its communication systems and require employees to consent to such policies.

Employers should be aware that the SCA prohibits employers from accessing an employee's personal email account even if the personal email account is maintained by a third party provider, e.g., Gmail, Yahoo. This activity may violate state law as well. Employers that are concerned about employee communications over third party networks while at work should implement a policy prohibiting employees from accessing personal email accounts while at work or on employer issued devices or install an electronic firewall that blocks access to such websites.

Practical Example

Acme Accounting's longtime executive, Melanie, abruptly resigns from her position. A month later, Melanie files a lawsuit against Acme alleging sexual harassment. As part of Acme's investigation into her claims, Acme examines Melanie's company computer and discovers that Melanie frequently checked her personal Yahoo email account. Melanie's account name and password are saved in a cookie on the computer's hard drive, so Acme can access and read her personal emails. Acme's investigators discover emails that the company later attempts to use against her. In addition to her harassment claim, Melanie may now have a claim under the SCA.

Patriot Act

The Patriot Act is important for employers not only because of the limits it places on the ability to monitor employees, but also because it has expanded the government's ability to do so. Employers may be asked to provide law enforcement agencies with access to electronic systems or personnel records to assist in ongoing law enforcement investigations. Employers should notify employees that, if asked, employers may be required by law to turn over to the government a wide range of electronic communications concerning employees, without employee knowledge and consent.

Employers can download Highlights of the USA PATRIOT Act from the Department of Justice.

Employee Polygraph Protection Act of 1988

The Employee Polygraph Protection Act (EPPA) generally prohibits private sector employers from using lie detector tests for preemployment screening or during the course of employment, with the following limited exceptions:

  • Employers may ask an employee to take a lie detector test if the employer has suffered an identifiable, ongoing economic loss. The employee must be given a written statement before the test is administered describing the loss and notifying the employee of the possibility that an adverse action may be taken against him or her based on the test results.
  • Certain job applicants at security services firms or pharmaceutical manufacturers, distributors and dispensers may be required to take a polygraph test.

Unless one of the exceptions applies, private employers cannot require an employee to take a lie detector test, and cannot discharge, impose any discipline, or discriminate in any way against an employee or applicant who refuses to take a polygraph test. +29 U.S.C. 2001, et seq.

National Labor Relations Act

Under Section 7 of the National Labor Relations Act (NLRA), both union and non-union employees have a right to engage in protected concerted activity or collective action to protest or attempt to improve their wages, hours and working conditions. The National Labor Relations Board (NLRB) reviews whether certain rules would be reasonably construed to prohibit or restrict employees from engaging in concerted activities protected under Section 7 of the NLRA, such as discussions of terms and conditions of employment and union organizing. Rules and policies frequently at issue include: confidentiality rules; employee conduct/professionalism rules; third party/media communications rules; logos, copyrights and trademark rules; photography and recording rules; rules restricting employees from leaving work; and conflict of interest rules.

The NLRB reminds employers that a work rule may violate the NLRA if it has a "chilling" effect on an employee's protected activity. Employees are permitted to engage in communications and conduct in connection with protected concerted activity and work rules that have a chilling effect on Section 7 activity may be found unlawful. As such, in drafting and/or amending any workplace policies or provisions with respect to employee privacy to be included in an employee handbook, an employer should be particularly careful not to infringe upon the employee right to engage in protected concerted activity.

Similarly, an employer may not engage in monitoring or surveillance for any unlawful purpose including monitoring, or giving the impression of monitoring, employee union activity and protected concerted activity under Section 7 of the NLRA. The National Labor Relations Act (NLRA) prohibits an employer from conducting surveillance of union activities. Even if an employer is conducting general monitoring of employee activities in accordance with other laws, an employer may violate the NLRA if it captures employees engaging in union activities. Further, the National Labor Relations Board (NLRB) has held that certain types of employee monitoring cannot be implemented without the express consent of the union. See Colgate-Palmolive Co., +323 N.L.R.B. 515 (1997). Monitoring is subject to the terms of any collective bargaining agreement an employer executes with employee unions.


Camera and Video Surveillance;

Labor Relations > Collective Bargaining Process;

Labor Relations > Unfair Labor Practices;

Labor Relations > Employer Liability.

Defend Trade Secrets Act

While it is critical for employees to protect an employer's confidential and proprietary information and trade secrets, under the Defend Trade Secrets Act of 2016, an employee will be immune for the disclosure of a trade secret when reporting a suspected violation of law and/or in an anti-retaliation lawsuit. A trade secret is defined as all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if the owner thereof has taken reasonable measures to keep such information secret; the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public. Specifically, an employee cannot be held criminally or civilly liable under federal or state trade secret law for the disclosure of a trade secret that is made: (i) in confidence to a federal, state, or local government official either directly or indirectly, or to an attorney solely for the purpose of reporting or investigating a suspected violation of law; or (ii) in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. In addition, if an employee files a retaliation lawsuit against an employer for reporting a suspected violation of law, the employee may disclose the trade secret to his or her attorney and use the trade secret information in the court proceeding, if (i) employee files any document containing the trade secret under seal; and (ii) does not disclose the trade secret, except pursuant to court order. See Terms of Employment: Federal.

Managing Employee Privacy Expectations

No matter how much or how little an employer decides it wants to monitor employees, the employer must make sure that it effectively manages employee expectations of privacy. When assessing the legality of monitoring, courts examine whether the employee had a reasonable expectation of privacy. As discussed above, some federal laws require employers to notify employees of certain types of monitoring. Numerous states have similar or more stringent notice requirements. See State Requirements.

What is considered reasonable varies from state to state, but generally, employees do not have a reasonable expectation of privacy when an employer has clearly informed them that their activities can and will be monitored. See State Requirements.

Employee Handbooks

The primary tool that employers can use to manage employee expectations of privacy is an employee handbook. The handbook should contain policies that describe in specific terms the types of activities the employer can and will monitor. Here are some examples of general policies pertaining to the use and monitoring of electronic communications that employers may use to ensure employees do not have a reasonable expectation of privacy:

  • All electronic and telephonic communications and information systems (including mobile devices) provided by the employer are the employer's property and subject to monitoring by the employer.
  • The employer discourages the use of email for reasons other than for legitimate business purposes.
  • Employees have no right to or expectation of privacy with respect to personal email messages sent over the employer's email system, or text messages sent or received on the employer's cell phones.
  • Employees cannot and should not use the employer's communication and information systems, including email or voice mail systems, to send, receive, or store any messages that employees wish to keep private.
  • The employer reserves the right to monitor, access, review, copy, or delete any communications or documents on its systems, including matters stored on individual employee computers and related media.
  • All communications should be courteous, professional and businesslike. Individuals may not include vulgarities, obscenities, jokes, sarcasm, threats, sexually, racially or otherwise offensive matter, or exaggeration in email messages.
  • Email messages should be transmitted only to those individuals who have a business need to receive them.
  • Do not forward messages from the employer's legal counsel to co-workers without the attorney's authorization.
  • Use of the email system to copy and/or transmit any documents, software or other matter protected by copyright laws is strictly prohibited.
  • It is extremely important that employees take responsibility for periodically purging their saved email messages, and do so in a manner consistent with the employer's document retention policies.
  • Email attachments received from outside of the employer - including ordinary word processing and spreadsheet files - can be infected by viruses. Do not open attachments unless you are sure of the source.
  • Unauthorized access of any other user's messages or files is strictly prohibited.
  • No messages or documents may be sent or stored on the employer's systems in encrypted form unless the method of encryption has been approved by the employer and the employer has all the keys necessary for decryption.

All employees should be required to acknowledge in writing that they have received a copy of the handbook and that they agree to follow the policies contained in it.

Other Notices

Employers should not limit the management of employee privacy expectations to handbooks. Wherever possible, employers should let employees know that activities may be monitored and that by using the employer's equipment, the employee is consenting to such monitoring. For example:

  • Employee Website. Many employers maintain internal websites containing employment policies that are only accessible by employees from the employer's network. This allows employers to update policies as frequently as needed. Employers that use internal websites to disseminate policy information should regularly require employees to acknowledge that they are aware of the policies on the website and agree to comply with them.
  • Computer Log-On Screen. Every time an employee logs in to his or her employer provided computer, a message could appear requesting that the employee acknowledge and consent to the employer's monitoring policy by clicking the OK button.
  • Receipt of Electronic Devices. Whenever an employee receives an electronic device from the employer, the employee should be required to sign a written acknowledgement that the use of the equipment will be monitored and that all information sent and stored on the equipment are employer property.

Types of Monitoring

Searches and Surveillance of Employees and Employee Property

Camera and Video Surveillance

Employers may use video surveillance to monitor the workplace and often do so for a variety of reasons, including as a security measure to prevent theft or to monitor productivity. Federal law does not generally prohibit silent video monitoring, nor does it require employers to notify employees that they will be recorded. Silent video surveillance of employees on an open floor is generally considered reasonable and not a violation of privacy. See Vega-Rodriguez v. Puerto Rico Telephone Co., +110 F.3d 174 (1st Cir. 1997).

If both audio and video are recorded, however, then the laws that pertain to the recording of audio conversations apply. As discussed above, various laws limit the employer ability to record employee conversations. See Limitations on the Right to Monitor Employees.

Video surveillance is also limited in certain areas of the workplace. Some states, for example, forbid an employer from monitoring areas designed for employee health or personal comfort, such as rest rooms, dressing rooms, or locker rooms. See State Requirements. Even in states without such a law, employers must proceed carefully before installing surveillance equipment in any areas in which employees may have a reasonable expectation of privacy.

Further, the NLRA prohibits the use of video surveillance for any unlawful purpose including monitoring, or giving the impression of monitoring, employee union activity and protected concerted activity under Section 7 of the NLRA. Both union and non-union employees have rights under Section 7.

If the employer has unionized employees, the employer must also review the terms in applicable union agreements regarding video surveillance. The NLRB has held that the installation and use of video surveillance equipment is a mandatory subject of collective bargaining agreements. See Colgate-Palmolive Co., +323 N.L.R.B. 515 (1997). Therefore, an employer may not conduct video surveillance of unionized workers without the agreement of the union.


Labor Relations > Collective Bargaining Process;

Labor Relations > Unfair Labor Practices;

Labor Relations > Employer Liability.

Physical Searches

Employers may want to search an employee's body if the employer believes that the employee is harboring contraband or stolen employer property. Federal law does not limit these types of searches, but many states do. See State Requirements. In these types of situations, it is best to contact local law enforcement to search an employee.

Personal Spaces and Belongings

Federal law does not prohibit searches of employee workspaces. Numerous states, however, have placed some limitations on what and where an employer may search. See State Requirements.

  • Locker Searches. Employers should have policies in place that permit the search of employee lockers at any time. It is best to have the employee present during the search, along with at least one other management employee, so there are no questions about what was found during the search. If an employer provides employees with lockers, the employer should provide the locks and prohibit employees from using personal locks. Some courts have determined that employees had a reasonable expectation of privacy in the use of a locker when the employer permitted them to use their own locks. See K-Mart Corp. Store No. 7441 v. Trotti, +677 S.W.2d 632 (Tex. App. 1984).

Similar concerns apply to searches of locked desks and file cabinets or personal belongings like bags and purses.

To best protect itself, an employer should:

  • Establish a written policy to limit employees' expectation of privacy in their personal belongings;
  • Notify employees that personal belongings are subject to search and at the employer's discretion; and
  • Require employees to acknowledge this policy in writing; and inform employees that refusal to allow personal belongings to be searched may result in discipline up to, and including, termination.

Practical Example

Jenna works at Acme Department Store on the first floor in the perfume department. The jewelry department, on the fourth floor, has experienced an unexplained loss in inventory, and management believes that employees are walking out the door with the merchandise. Acme sends an employer-wide email and places signs in all employee common areas stating that all items brought into the store by employees are now subject to search. As she leaves work on the first day of the new policy, Jenna is told that she must allow security to search her handbag. Jenna refuses, since she never goes past the jewelry department during her workday and because she has some personal items (illegal drugs) that she does not want Acme to find. Acme has the right to search Jenna's handbag, and because she has refused, Acme may discipline her consistent with its policy.

  • Vehicle Searches. Vehicles provided by an employer to its employees are the employer property and may be searched at the employer's discretion. Employers may search employee personal vehicles that are parked on employer property if the employer provides notice that, by entering employer property, employees agree that their vehicles are subject to search. Many employers accomplish this by placing signs at all entrances to the parking lot stating that all vehicles that enter are subject to search at the employer's discretion. However, an employer may not break into or otherwise damage an employee's vehicle in order to search it. Also, an employer may not search employee personal vehicles if the vehicles are parked on a public street.

Electronic Monitoring and Surveillance

An employer may monitor employee telephone calls, voice mails, text messages, and emails, and may use a GPS system to track employee movements. Employers should be aware of the limits and restrictions on electronic surveillance and should also keep abreast of applicable state laws. See State Requirements.

Telephone/Voice Mail

Various exceptions to the ECPA allow employers to monitor employee business calls, but monitoring personal conversations is strictly prohibited. Similarly, an employer may not monitor or intercept calls made on an employee's personal cell phone while at work. Employers may, however, prohibit the use of personal cell phones in the workplace.

Employers should also check state laws for any other relevant restrictions. For example, many states require that every party to a phone conversation must receive notice that the conversation will be monitored. See State Requirements.

Text Messaging

The same rules that apply to monitoring employee phone calls apply to text messages sent over an employer-provided phone. The Supreme Court recently upheld a public employer's right to review private text messages sent by an employee using an employer-provided phone because the employer had a legitimate work related purpose for the review. See City of Ontario, Cal. v. Quon, 560 U.S., +130 S. Ct. 2619 (2010).

Email and Instant Messages

All email and instant messages sent and received over an employer's communications network and using an account provided by the employer are and remain the property of the employer and may be reviewed or monitored at any time. See Smyth v. Pillsbury, +914 F. Supp. 97 (E.D. Pa. 1996). Options in an email system that allow an employee to mark certain messages as private do not change the employer's ability to review such emails.

An employer may read or copy employee emails, even after an employee has deleted them. Employers should make it clear in policies, similar to those described above, that the employer retains the right to monitor any such communications. Also, as discussed above, the SCA prohibits employers from accessing an employee's personal, third party email account, e.g., Gmail, Yahoo, even if the employee accesses the account on an employer-issued device.

An employer may not prohibit employees from using their work email system for non-business purposes, including union organizing and NLRA protected communications, during nonworking time. See Purple Communications, Inc. and Communications Workers of America, AFL-CIO, +2014 NLRB LEXIS 952 (N.L.R.B. Dec. 11, 2014). As the NLRB held in Purple Communications, Inc., there is a "presumption that employees who have been given access to the employer's email system in the course of their work are entitled to use the system to engage in statutorily protected discussions about their terms and conditions of employment while on nonworking time." The decision does not require employers to provide email access to employees.

An employer, however, may implement a total ban on nonwork use of email, including NLRA protected communications, during nonworking time by demonstrating that "special circumstances" make the ban necessary to maintain production or discipline. The NLRB cautions that whether special circumstances justify such a ban will depend on the "nature of the employer's business." In the event that an employer cannot justify a total ban of nonwork email during nonworking time, the employer may apply uniform and consistently enforced control over its email system to the extent that such controls are necessary to maintain production and discipline. For instance, an employer may prohibit "large email attachments or audio/video segments" if the attachments interfere with the email system. In addition, an employer may monitor computers and email systems for legitimate management reasons, such as ensuring productivity and preventing email use for purposes of harassment or other activities that could give rise to employer liability.

The NLRB's current position suggests that employers may implement content-neutral restrictions on nonwork email use during nonworking hours only if the employer engages in equal treatment nonwork email, i.e., the employer treats union-related emails identical to the way it treats emails relating to a local Boy Scout troop or fantasy baseball leagues.

GPS Tracking

Employers may have many reasons for wanting to use a GPS unit to track their vehicles used by employees, including:

  • Ensure employees are not using employer vehicles for unauthorized reasons;
  • Track employee locations and the amount of time spent at each location to ensure that employees are not wasting time;
  • Track vehicle usage to schedule regular maintenance; and
  • Track vehicle speed to make sure employees are not violating the law.

An employer is generally permitted to use a GPS device to track employee use of employer-provided vehicles while on or off duty or to investigate misconduct. However, an employer should use caution about using GPS devices to track employees' personal vehicles as this may be viewed as an invasion of privacy. Employers should also be mindful of state laws on monitoring and surveillance. Some states also have laws specifically addressing GPS use. If employers seek to track the movements of employees, equipment and vehicles through the use of GPS devices, employers should establish clear policies informing employees that such activities and travels will be monitored during business hours or while conducting business on behalf of the employer.

Practical Example

Jim is a salesman for Acme Widgets. Acme provides Jim with a company car to use as he travels around the country selling widgets. Acme's policy, which Jim was required to sign, states that the car should be used for employer business and that only incidental personal use is allowed. The policy also states that the car is equipped with a GPS device that the employer may use to track the car's location, speed and mileage.

As the registered owner of the vehicle, Acme receives notification from the Atlantic City police department with a photo that apparently shows Jim's vehicle running a red light. Jim denies that it is his car in the picture (which is a little blurry) and says that he was selling widgets that day in Philadelphia. Suspicious of Jim's story, Acme activates the GPS device in his vehicle and discovers that, instead of being in Philadelphia, where Jim is supposed to be meeting with numerous potential customers; Jim's car has been in Atlantic City for two days. Acme decides to fire Jim for his policy violations.

Computer and Internet Monitoring

There are many ways an employer may monitor employee computer use:

  • Tracking websites visited;
  • Tracking files accessed and data stored;
  • Keystroke monitoring;
  • Monitoring time spent on certain websites; and
  • Monitoring time spent idle on the computer.

In considering the types of activities to monitor, an employer should think about the goals of conducting such monitoring and other means the employer could use to achieve those goals. For example, if an employer is concerned about maintaining the security of confidential information, instead of or in conjunction with monitoring, the employer should consider limiting access to certain documents or limiting the ability of employees to save information on anything other than a centralized server. If the time employees spend on the internet is a concern, employers may block access to certain websites (YouTube, Facebook, etc.) or only allow access to websites needed for employees to perform their jobs. Some courts have held that "the computer is the type of workplace property that remains within the control of the employer even if the employee has placed personal items in it." See United States v. Ziegler, +474 F.3d 1184, 1191 (9th Cir. 2007).

Computer Fraud and Abuse Act (CFAA)

Computer Fraud and Abuse Act (CFAA), 18 USC §§ 1030 et seq., prohibits individuals from knowingly or intentionally accessing a computer without authorization or exceeding authorization provided. It is intended to punish hackers of computer systems and others who damage computer systems and misappropriate confidential and sensitive information about clients and customers without the required approval.

Employers can use the CFAA to bring a claim against an employee for stealing the employer's confidential and sensitive information as well as interfering with or misusing the employer's computer systems. The CFAA permits employers to seek civil damages and also imposes criminal penalties on individuals who access an employer's computer files and systems without authorization in violation of the law.

Bring Your Own Device (BYOD)

A recent, potentially problematic trend in the workplace is referred to as Bring Your Own Device (BYOD). BYOD is the practice of allowing workers to bring in their own devices (laptops, tablets, blackberries, etc.) to use at work and to access employer intranets and information instead of providing the employee with the employer's technology.

Allowing BYOD has potential benefits as it is more cost efficient, it increases company morale (because employees are able to pick and choose their own technology) and there is a chance that employees will take better care of their own technology (especially since they would be in charge of paying for repairs and replacements) than their employers' technology.

However, there are some potential drawbacks to BYOD as permitting employees to bring their own devices greatly increases the risk of a security breach and that the employer's confidential and proprietary information and intellectual property will be compromised. As a result, many employers find that it is more safe and secure not to let confidential and proprietary information sit on the device and prefer to have the employee connect remotely to the employer's network or through a cloud.

Further, employers need to be aware that employees will have a greater expectation of privacy if they own a device that contains personal and confidential information. Employees will also want assurance that their personal information is protected and will remain confidential. In order to avoid invasion of privacy claims, it is advisable for employers to put their employees on notice of any employer monitoring and that that data and information on a personal mobile device may be monitored and discoverable in the context of a lawsuit.

To help avoid problems through the use of BYOD, there are many things employers should consider doing:

  • Implement a BYOD policy that addresses what is expected of employees who are using their own devices to access confidential materials. The policy should also address a variety of issues such as data security, employee safety, monitoring, use of the device for business purposes during nonworking hours and employer reimbursement;
  • Widely distribute the policy to all employees by placing it in the employee handbook and providing training on it to assure safe, responsible and acceptable use by all employees and supervisors;
  • Create detailed requirements for the devices (such as requiring them to have passwords, certain firewalls or a specific technologically advanced software);
  • Create detailed requirements for the employees regarding what websites and applications can be accessed from the device so as not to compromise its safety and security;
  • Perform periodic audits to ensure compliance; and
  • Have means to ensure removal of information and remotely wipe the device of the employer's information at the end of employment.

Wearable Technology Devices

Wearable technology or wearable devices are already having a profound effect on the workplace and the way people work, communicate and interact. Wearable devices are clothing and accessories (e.g., a watch, glasses, etc.) that incorporate computers, cameras and other forms of electronic technologies. While wearables have many of the same capabilities as laptop computers and hand-held devices, they are generally more sophisticated and can even outperform these devices because they have other capabilities such as tracking physiological functions and individual movements and recording the surrounding environment. Whether it is an Apple Watch an employee uses to review work-related emails or a FitBit an employee is wearing as part of an employer-sponsored wellness plan to monitor health and fitness, wearable devices bring many issues to light because while there are significant benefits to it, there are also substantial drawbacks.

Some benefits of wearable devices include enhanced worker communications, increased workplace safety and aid in monitoring employee conduct, productivity and employee training. However, employers must realize that there are risks to this technology including employee access of inappropriate information, loss of employee productivity and concentration, harassment and privacy issues, as well as safety hazards and the potential disclosure of the employer's confidential information.

In order to best protect an employer's interests, it is advisable to implement a wearable technology policy and outline the proper and improper use of such technology in the workplace. The policy should state whether, when and how the employer will monitor the wearable technology and how employees should report violations. It should clearly outline the disciplinary procedure and penalties for violation. All employees should be required to sign a consent form acknowledging that they have reviewed the policy and agree to abide by its terms. The employer should then conduct training on the policy and review potential issues with all supervisors and employees. The policy should be frequently revisited and updated based on the employee's changing needs and this rapidly developing technology. Additionally, an employer should be sure to implement safeguards to protect its legitimate business interests.

Compliance with the National Labor Relations Act

In monitoring employee use of email, computers, the internet, BYOD etc. an employer should be aware that under Section 7 of the National Labor Relations Act (NLRA), employees have a right to engage in protected concerted activity, union organizing and collective action to improve their wages, hours, and working conditions. Employees may be entitled to use the employer's property such as computer, email, internet and social media in the course of protected concerted activity. A work rule prohibiting employees from engaging in protected concerted activity or one that can be reasonably construed as attempting to prohibit protected concerted activity may be found unlawful.

As a result, it is critical for an employer to determine its position on employees' personal use of computers, email, the internet and social media on the employer's equipment and network. Employers should keep in mind the NLRB's decision in Purple Communications, Inc. and Communications Workers of America, AFL-CIO, +2014 NLRB LEXIS 952 (N.L.R.B. Dec. 11, 2014), that an employer may not prohibit employees from using their work email system for non-business purposes, including union organizing and NLRA protected communications, during nonworking time.

In addition, the employer should ensure that any internal policies or procedures that restrict recording in compliance with state law do not have the effect of chilling employees in the exercise of their Section 7 rights under the NLRA (i.e., protected, concerted activity or acting in concert for their mutual aid and protection).

Monitoring Use of Social Media Networks

The rise of social media, such as Facebook and Twitter, has created another arena in which employees may claim workplace privacy rights. Although employees have a right to use social media in their personal lives, employers are permitted to enact policies, monitor social media use and, if necessary, discipline employees with regard to employee use of social media. However, in implementing

Protecting Against Unlawful Conduct

Employers have a valid interest in monitoring social media in order to protect against the following unlawful conduct:

  • Disclosure of confidential and proprietary employer information and trade secrets - employers have a valid interest in holding employees to their non-disclosure and confidentiality obligations even when using social media and online platforms;
  • Harassment and cyberbullying;
  • Pornographic, vulgar and offensive postings;
  • Defamation;
  • Computer crimes and introduction of harmful viruses;
  • Intellectual property rights;
  • Potential lawsuits from third parties.

Encouraging Respectful Conduct

Employers should advise employees that they should respect the privacy and dignity of all individuals when using social media. However, in urging respect, employers should be careful not to impose upon the employee right to complain about and discuss wages, hours and working conditions which is protected under Section 7.

Maintaining a Productive Workplace

Employers have an interest in maintaining a productive workplace. While many employees may log onto social networks during their work day, it is important to keep employees focused on work-related tasks and the employer's business. Further, employers may want to restrict or limit employee use of social media on the employer's computer system as this may have a tendency to slow down the employer's computer network and potentially damage its systems.

Protecting the Employer's Reputation

Even though employees may mark a Facebook page private or for friends only, employers must remind employees that nothing on the internet or social media is really private and employees may be viewed as representatives of the employer. This could potentially impact the employer's relationship with customers, clients and the business community. Employers should therefore hold employees accountable for content placed or sent over social media when it references, discusses or concerns the employer as all comments and other postings by employees have the potential to reflect back on to the employer or may be attributed to the employer. This is true even if the employer did not designate the employee as its representative and even if the employee intended to express only personal views. While an employer may seek to limit damaging employee posts and harmful information that could cause the employer harm, an employer must be mindful of employee rights under the National Labor Relations Act to engage in protected concerted activity. See Social Media and Protected Concerted Activity Under the National Labor Relations Act.

Respecting and Protecting Employee Free Speech

Employers must strike a balance between protecting against the type of information sent over social media and not unduly restricting employee personal free speech. Therefore, in seeking to monitor employee use of social media, employers must be mindful of the First Amendment rights of employees to engage in free speech on issues not related to or connected to employment. Also, some states have laws that prohibit employers from terminating an employee for off-duty activities - which would include activities on social networking sites - absent a showing that the activity has harmed the employer. See State Requirements.

Social Media and Protected Concerted Activity Under the National Labor Relations Act

In monitoring social media, employers must not infringe upon the rights of employees, both union and non-union, to engage in concerted protected activity under the NLRA.

For example, the NLRB has stated that an employee's criticisms of her boss on Facebook or Twitter are protected under Section 7 of the NLRA which provides both union and non-union employees with the right to engage in protected concerted activity to improve working conditions, and as a result, employees cannot be disciplined for such activity. See Hispanics United of Buffalo, Inc. v. Carlos Ortiz, No. 3-CA-27872 (2011). An employee may be less likely to be protected by the NLRA if the comments are concern individual gripes, or are offensive or inappropriate and not related to employment issues. See Lee Enters. Inc. d/b/a Arizona Daily Star, NLRB Div. of Advice, No. 28-CA-23267 (2011).

Knowledge of the NLRA can help employers determine when disciplinary action is appropriate. Under the NLRA, employees, whether unionized or not, cannot be disciplined for engaging in protected concerted activity, i.e., group activities for the purposes of collective bargaining or mutual aid or protection. Employers may violate the NLRA if they discipline employees who criticize the employer along with or on behalf of co-workers regarding pay, benefits or another term or condition of employment on a social networking site. See Labor Relations > Employer Liability.

For example, employees were found to have engaged in protected concerted activity on social networking sites under the following circumstances:

  • In anticipation of a meeting between one employee and management, five employees posted comments on Facebook discussing criticisms against co-workers levied by another employee;
  • A car salesman posted photographs and critical comments on Facebook of a sales event held by his employer where the salesman had previously discussed these same criticisms with co-workers; and
  • Employees of a sports bar complained on Facebook about their employer's failure to correctly deduct taxes from their paychecks.

However, employees have been found to have not engaged in protected concerted activity in these situations:

  • A newspaper reporter posted criticisms of the headlines in his newspaper's sports section and of a local television station from his employment-related Twitter account;
  • A bartender complained about his employer's tipping policy on Facebook, where he did not discuss his posting with co-workers; and
  • An employee who worked for a nonprofit facility for the homeless made disparaging comments about the employer's clients in a Facebook conversation with two non-employees.

Such decisions caution against an employer taking any rash actions against an employee for postings on a social networking site. An employer risks violating the NLRA if the posts can be construed as relating to working conditions and if the employee had discussed the topic of the posts with co-workers. The NLRB has issued additional substantive guidance regarding employee social media use and social media policies as set forth below.

First Report on Social Media

On August 18, 2011, the Acting General Counsel of the NLRB released a report summarizing 14 cases involving social media. The Division of Advice found that the employees were engaged in protected concerted activity in cases in which the employees discussed the terms and conditions of employment with co-workers on Facebook. Contrastingly, the Division found employee activity was not protected in cases in which employees expressed personal gripes or did not elicit co-worker involvement. Additionally, several cases concluded that the employers' social media policies were overly broad.

The report indicates that the NLRB's assessment of social media cases depends upon the following:

  • The content of the statements that were posted;
  • Whether the posts were made available to co-workers; and
  • The nature of the responses, if any, from co-workers.

The NLRB suggested that if the posting concerns an individual gripe or discusses working conditions, but does not attempt to enlist other employees into action, it is generally not protected.

In contrast, employee comments on social media sites will likely be considered protected concerted activity if the posts discuss the terms or conditions of employment and involve or are directed at co-workers to elicit action. Employee postings that are a direct product of previous discussions or complaints are more likely to be deemed protected concerted activity.

Second Report on Social Media

On January 24, 2012, the General Counsel of the National Labor Relations Board released a Second Report concerning employee use of social media. Following up on the earlier report from August 2011, the report provides employers (including non-unionized employers) with guidance and describes recent social media cases reviewed by the General Counsel. The report reiterates two main points:

  • Employer policies should not be so broad that the policies prohibit concerted protected activity under Section 7 of the NLRA such as the discussion of wages, hours or working conditions among employees; and
  • An employee's comments on social media will generally not be protected if the comments are merely individual gripes and complaints of dissatisfaction with the employer not made in relation to group activity or shared concerns among employees.

The report instructs employers that policies should include specific examples of prohibited conduct and language specifically protecting employee rights under the NLRA. It further instructs that policies should not use vague terms like appropriate and professional and sensitive information without providing clear and concise definitions for those terms.

Third Report on Social Media

Following on the heels of the August 2011 report and January 2012 report, on May 30, 2012 the NLRB issued a third report on social media. Unlike the first two reports, which discuss whether an employer violated rights under the National Labor Relations Act (NLRA) when disciplining an employee for social media activity, this third NLRB report focused exclusively on workplace policies addressing employee use of social media.

The report reiterated earlier guidance that an employer violates section 8(a)(1) of the NLRA by interfering with, restraining, or coercing union or non-union employees in the exercise of rights under Section 7 of the NLRA to engage in union activity or protected concerted activity for mutual aid or protection. The NLRB analyzed the legality of numerous social media policy provisions and whether such provisions were overbroad and infringed or could be reasonably interpreted to infringe upon the Section 7 rights of employees to engage in protected activity and discuss wages, hours and working conditions. The provisions reviewed dealt with confidential and proprietary information, disparaging and defamatory remarks and media communications, among others.

The NLRB clarified that it uses a two-step process to determine whether a workplace rule would have the effect of reasonably chilling employees in the exercise of Section 7 rights.

  • First, a rule is clearly unlawful if it explicitly restricts protected activity.
  • Second, if the rule does not explicitly restrict protected activities, it will be deemed unlawful if:
    • Employees could reasonably construe the policy as prohibiting protected activities;
    • The policy was promulgated in response to union activity; or
    • The policy has been applied to restrict protected activity.

The NLRB found many provisions it reviewed to be unlawful as the provisions could be construed to interfere with the right of employees to engage in protected concerted activity and discuss wages, hours and working conditions in a public forum or on the internet. Unlawful provisions included, but were not limited to:

  • Provisions requiring employees to resolve disputes internally rather than airing grievances on online;
  • Provisions requiring employees to avoid harming the image and integrity of the employer;
  • Provisions advising employees not to pick fights or avoid controversial topics;
  • Provisions that used broad, vague and ambiguous language or failed to adequately define terms;
  • Provisions prohibiting employees from making offensive and disparaging remarks without defining those terms;
  • Provisions requiring employees to obtain employer permission prior to posting online;
  • Provisions attempting to police or moderate the tone of online or social media communications; and
  • Provisions prohibiting employees from expressing personal opinions to the public or to the media.

Further, employers were cautioned against using a boilerplate clause stating that the social media policy would be administered in compliance with Section 7 and would not infringe upon the rights of employees to engage in protected concerted activity. The NLRB also encouraged employees to use a disclaimer that an employee's views, positions and opinions expressed on social media are those of the employee and not the employer.

At the conclusion of the report, the NLRB presented a policy which it found lawful in its entirety. In doing so, the NLRB provided substantive guidance as to what types of provisions would be permissible and could not be interpreted as infringing upon Section 7 rights. The NLRB advised that an appropriate social media policy may include:

  • Examples of clearly illegal or unprotected activity that could not be interpreted to extend to protected activity;
  • A prohibition regarding inappropriate postings that were discriminatory or harassing or threatening;
  • A prohibition against using social media on work time or on employer-provided equipment unless it is work-related or authorized by the employer or a supervisor;
  • A requirement that employees be fair, courteous and respectful when posting to the internet and social media websites; and
  • A restriction on disclosing confidential and proprietary information and trade secrets where these terms were adequately defined and examples provided.

Drafting and Enforcing a Social Media Policy

To best protect themselves, employers should develop social media and internet policies. At a minimum, these policies should:

  • Advise employees that there is no reasonable expectation of privacy and that the employer has the right to monitor all social media use during working hours and using employer-provided equipment;
  • Be clear that protected concerted activities covered by the NLRA are not prohibited by the policy;
  • Advise employees that all postings are public, and despite privacy settings, employees cannot always be sure who will view or share such information;
  • Prohibit the transmission of confidential and proprietary information or trade secrets and remind employees of their confidentiality and non-disclosure obligations; However, keep in mind that employers should not prohibit employees from sharing employee information related to wages, hours and working conditions;
  • Advise employees that they should not seek to represent or speak on behalf of the employer unless provided specific authorization;
  • Prohibit discriminatory or illegal conduct, such as defamation, harassment, discrimination, cyberbullying, pornography, etc. but do not infringe upon the right of employees to engage in heated discussions and criticisms of management as part of protected concerted activity;
  • Encourage respectful conduct; and
  • Clearly define acceptable and unacceptable conduct and provide helpful examples.

Once a social media policy is in place, employers should distribute and communicate the policy to all employees. All employees, including supervisors and managers, should be properly trained on the policy. Further employers should obtain the acknowledgement and consent of all employees and supervisors that they have read the policy, understand its parameters and agree to abide by its terms. The policy should be enforced consistently and discipline imposed uniformly. However, employers must use extreme caution when disciplining employees for social media use so as not to violate the right of both union and non-union employees to engage in protected concerted activity. See Social Media and Protected Concerted Activity Under the National Labor Relations Act.

As technology is constantly changing and laws are evolving, employers will need to regularly update and revise social media polices to comply with new laws and court decisions. Employers should be aware of any changes in state or federal law which would require employers to update the policy and impact its validity. For example, the U.S. Congress is considering legislation prohibiting employers from requesting or requiring that employees and applicants provide social media account user names and passwords. A handful of states are considering similar legislative measures. See State Requirements.

Further, employers should be very careful in drafting and enforcing social media policies and to avoid any language or discipline which could be reasonably construed as infringing upon the right of employees to engage in protected activity and discuss workplace conditions. The guidance provided by the NLRB is helpful as it provides employers in both union and non-union workplaces with an example of what provisions should and should not be included when drafting a social media policy. Further, it illustrates that policies including specific examples of prohibited conduct or disclosures are more likely to be found lawful and not interfere with Section 7 rights. Moreover, employers must remember that their social media policy and its implementation must be specifically tailored to the employer's own specific business needs to adequately address issues in each particular workplace.

Be Careful About Asking Employees for Information Related to Personal Social Media Accounts

Employers should be extremely cautious when it comes to requesting or requiring that employees or job applicants provide user names, passwords and account information for personal social media accounts. There is a growing trend at the state and federal level to introduce legislation specifically prohibiting employers from demanding this information and prohibiting employers from disciplining or retaliating against those individuals who refuse to provide it. The purpose of the proposed laws is to prevent employers from accessing private and personal information through social media activity of employees and applicants and using this as the basis for an adverse employment decision. It also prevents employers from monitoring the off-duty, private social media activity of already-hired employees.

Maintain Ownership of Social Media Accounts for Work-Related Purposes

Employers should make sure that their social media policy clearly states that all social media accounts created for business, networking or marketing purposes on websites such as Twitter and Linked shall remain the property of the employer at all times and all information in connection therewith shall be returned to the employer at the termination of employment. Employers should make sure that all employees consent to these terms before creating or accessing business-related social media accounts and are reminded of these obligations at the time of termination. Additionally, an employer may want to consider changing the password at the time of termination in order to avoid confusion.

Application/Interview Inquiries and the Right to Privacy

Background Checks

Today, more than ever, there are many reasons why both private and public employers have a reasonable interest in conducting a background check on potential employees.

  • An employer may want to protect itself from liability because of employee conduct while on the job.
  • New fears about terrorism and heightened security measures provide another reason to screen applicants.
  • Depending on the employer's industry, an employer may also need to comply with new federal corporate finance laws regarding executives, officers, and directors, or federal regulations mandating background checks for individuals working with children. Dodd-Frank Act, P.L. 111-203; Securities Exchange Act, +15 U.S.C. 78a, et seq.; National Child Protection Act of 1993, +42 U.S.C. 5119a.

Background checks can vary greatly. Some checks are as simple as verifying an individual's social security number. Others involve examining a detailed account of an applicant's credit history. When conducted properly, background checks do not violate an individual's right to informational privacy.

Employers do not, however, have unlimited access to investigate an applicant's background and personal life. Employers must ensure that any information requested from job applicants is relevant to the job for which they are applying. Job applicants have a right to privacy in certain areas, and if that right is violated, an applicant may take legal action. See Recruiting and Hiring > Preemployment Screening and Testing.

Examples of areas in which a job applicant has a right to privacy include the following:

Further, employers must ensure that the information is reliable before using it. State laws also may impose more stringent requirements on employers with respect to background checks and permissible and impermissible areas of inquiry for employers. See State Requirements.

Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA) sets forth the national standards for employment screening performed by outside companies - consumer reporting agencies - and does not apply when an employer conducts a background check itself. +15 USCS § 1681b.

Before taking any adverse action against an applicant or employee under FCRA, based on a consumer credit report obtained from a consumer reporting agency, an employer must first provide the individual with a Summary of Consumer Rights Under the Fair Credit Reporting Act Form. An employer must also provide the summary of rights within three days of requesting an investigative consumer report from a consumer reporting agency. +15 USCS § 1681b.

Effective September 21, 2018, the Consumer Financial Protection Bureau (CFPB) has an interim final rule updating the Summary of Consumer Rights Under FCRA form and its Summary of Consumer Identity Theft Rights Form form.

The updated disclosure forms stem from the Economic Growth, Regulatory Relief and Consumer Protection Act, which requires consumer reporting agencies to provide national security freezes to consumers at no cost. As a result, a new security freeze form must be provided to consumers informing them of their rights to obtain a security freeze on their credit report, which will prohibit a consumer reporting agency from releasing information in the credit report without the consumer's express authorization. +15 USCS § 1681c-1.

Therefore, effective September 21, 2018, whenever an individual is required to receive a Summary of Your Rights Under the Fair Credit Reporting Act, an employer must also provide a notice of an individual's rights regarding the right to obtain a security freeze on his or her credit report. The security freeze prohibits consumer reporting agencies from releasing information in the credit report subject to various exceptions. +15 USCS § 1681c-1

Under the interim final rule issued by the Consumer Financial Protection Bureau, an employer may use its new model notice, which incorporates the new required security freeze notice of rights, or a combination of the 2012 forms along with a separate page that contains a summary of the security freeze rights that is provided in the same transmittal. The comment period for the final rule regarding the model notice closes on November 19, 2018.

See Preemployment Screening and Testing: Federal.

Medical Testing and Physical Examinations

Under the Americans with Disabilities Act (ADA), an employer cannot require that a job applicant submit to a medical or physical examination prior to offering the applicant a job. Once a job offer has been extended, but prior to the employee beginning work, an employer can require that the applicant take a medical or physical examination, but only if the employer requires such examinations of all applicants for the position, not just those who have or are perceived to have a disability. An employer does not need to show a business need for such an examination, but if the employer denies the applicant a position based on the results of the medical examination, the employer will need to show that the denial was job-related and based on business necessity. +42 U.S.C. 1201, et seq.

Practical Example

Acme Factory requires that all applicants take a preemployment strength test after a conditional offer of employment is extended. The idea behind the test is to make sure that an employee can withstand difficult tasks and will not be susceptible to injury. If most women who take this test fail, so that the test has a disparate impact on female applicants, Acme Factory must show why the test is necessary to perform the job. If Acme cannot show a correlation between test results and ability to do the job, it cannot require applicants to take the test.

Once an employee begins work, the employer's right to conduct a medical test or physical examination is usually limited to situations in which an employee exhibits objective indications that he or she cannot perform essential job functions. See Testing of Employees. State laws also apply various restrictions on an employer's ability to require medical testing or physical examinations. See State Requirements; Recruiting and Hiring > Preemployment Screening and Testing; Employee Management > EEO - Discrimination.

Drug and Alcohol Testing of Applicants

Employers that require preemployment drug and alcohol testing must be aware of the federal and state law limitations on when, how, and whether drug and alcohol testing can be performed. See State Requirements.

A preemployment drug test is not considered a medical examination under the ADA, and the ADA does not cover a job applicant who currently uses illegal drugs. Employers may generally test applicants for illegal drugs if:

  • The applicant has been given notice that drug testing is a condition of employment (preferably, in writing on the job application);
  • The applicant has been extended an offer; and
  • All applicants offered the same positions are also tested.

A test to determine an applicant's blood alcohol level is considered a medical examination under the ADA, and so this can only be required after a job offer has been extended. See When Drug and Alcohol Testing Is Permissible.

If it is an employer's policy to conduct drug or alcohol testing, and a job applicant who has received an offer refuses to submit to a test, the employer has the right not to hire that individual. See Recruiting and Hiring > Preemployment Screening and Testing.

Employers should also be wary of asking applicants about the use of illegal drugs. In general, employers may inquire about an applicant's current use of illegal drugs, which is not protected by the ADA, but employers may not inquire about an applicant's past use, as the ADA protects an applicant who is recovering from a drug addiction.

Examples of questions an employer may ask about drug use include:

  • Do you currently use any illegal drugs?
  • How often, if at all, do you smoke marijuana or use any other illegal substance?
  • What, if any, illegal substances do you currently use?
  • Do you use illegal substances on a weekly basis or only on occasion?

Examples of questions an employer may not ask an applicant about drug use include:

  • Have you ever been addicted to illegal drugs in the past?
  • Are you recovering from an illegal drug addiction?
  • Have you ever been in a drug rehabilitation program?
  • Have you ever been treated in any way for drug abuse or addiction?
  • How often did you use illegal drugs in the past?

*An employer may ask these questions after an offer has been extended to a job applicant and if consistent with business necessity.

Practical Example

Dan applies for a position as a bank teller. The bank conditions its job offers on passing a drug test. Dan says he will accept the offer, but refuses to take the test. The bank has a right to rescind the job offer because he refuses to take the test.

Arrest and Conviction Records

State law varies with regards to whether, and to what extent, a private employer can consider an applicant's criminal history in making employment decisions. In some states, employers can only consider criminal history if the crimes are relevant to the duties of the specific job for which the applicant is applying. Other states only allow employers to consider criminal histories for specific positions. For example:

  • Law enforcement personnel;
  • Security guards;
  • Childcare workers; or
  • Nurses.

Employers generally have more freedom to consider an applicant's conviction records versus an applicant's arrest records. See State Requirements; Recruiting and Hiring > Preemployment Screening and Testing.

Testing of Employees

Drug and Alcohol Testing

There are many reasons an employer may want to require employees to submit to drug and alcohol testing:

  • Avoid financial losses caused by decreased productivity;
  • Avoid absenteeism and general tardiness;
  • Prevent high exposure to potential liability for employee misconduct;
  • Prevent higher workers' compensation insurance premiums;
  • Avoid extensive medical bills of employees;
  • Avoid problems related to employee off duty conduct;
  • Encourage employees to live a healthy lifestyle;
  • Provide a safer workplace for employees;
  • Instill consumer confidence in the employer;
  • Deter job applicants with a propensity for using drugs or alcohol from applying to the employer; or
  • Identify early employees who have drug problems and refer them to treatment.

While there are many reasons why an employer may want to test employees for drug or alcohol use, employers must be cautious when doing so. Imposing a mandatory drug or alcohol testing policy can have negative implications for the employer that include:

  • High costs for drug and alcohol testing;
  • Risk of violating employee privacy rights;
  • Risk of violating disability discrimination laws;
  • Lost time for which employees must be compensated; and
  • Lower employee morale because employees may feel that their employer does not trust them.

When Drug and Alcohol Testing Is Permissible

An employer may test current employees for drug use in some circumstances. Generally, an employer must demonstrate a legitimate need for requiring the test.

The most common situations in which drug testing of current employees is permitted are when:

  • The job is high risk and safety sensitive. For example, private employers in transportation and other safety sensitive industries that are regulated by federal agencies, like the Federal Aviation Administration, the US Coast Guard, or the Federal Highway Administration, test their employees regularly for drug and alcohol use as required by the Omnibus Transportation Employee Testing Act of 1991, +31 U.S.C. 1353; +49 U.S.C. 301; +49 U.S.C. 306; +49 C.F.R. 382.101, et seq. The Department of Transportation implements and enforces these regulations. The employer reasonably believes, based on objective evidence such as physical evidence or employee behavior that the employee's job performance is suffering because of drug use.
  • The employee has recently completed a drug rehabilitation program. The employer can require the employee to take random drug tests to ensure that the employee is no longer using illegal drugs. While recovering drug addicts are protected by the ADA and an employer cannot discriminate against an employee who is in recovery, current users of illegal drugs are not protected by the ADA.
  • The employee is injured on the job or involved in work related accident where drug use is suspected. In such situations, the employer may need to determine whether the injury was caused by working conditions or substance abuse.

Employers cannot generally subject employees to alcohol testing after employees have begun working, unless the test is job related or the employer has a legitimate business interest requiring the test. Employers must have objective evidence that leads them to believe that:

  • The employee's ability to perform essential functions is impaired by alcohol; and
  • The employee poses a direct safety threat because of alcohol use.

Much of this is job specific and depends upon the safety risks associated with the particular position of the employee, and the reasons why the employer believes that the employee poses a direct threat. If the employer has evidence that the employee has been drinking during work hours, or is under the influence of alcohol while at work, the employer may conduct alcohol testing.

States have different laws governing workplace drug and alcohol testing, so employers should be familiar with them. See State Requirements.

Types and Timing of Drug and Alcohol Testing

Before implementing any drug testing program, employers should write a policy explaining:

  • Why drug testing is being implemented;
  • The prohibited substances;
  • The tests to which employees may be subjected;
  • The employer's right to conduct such testing;
  • The events that could trigger a drug test;
  • The manner in which the test will be conducted;
  • The rights of employees to challenge a positive drug test; and
  • The consequences of not complying with the policy and of failing a drug test.

Employers may also want to consider including some form of education for employees about the dangers of substance abuse, and assistance or support for employees who have problems with alcohol or drugs.

There are several different types of drug and alcohol tests that employers may use.

  • Reasonable Suspicion Testing. Employers may test employees when they have a reasonable suspicion of illegal drug use. Supervisors should be trained to recognize the behaviors such as blood shot eyes, extreme grogginess, lateness, irritability that may trigger the need for a drug test under the policy. Employers should establish clear and consistent definitions of what behavior will justify drug and alcohol testing, and should corroborate any employee suspicions with the opinions of other supervisors or managers. Since this type of testing is at the employer's discretion, it is recommended that the employer require comprehensive supervisor training on how to handle drug and alcohol testing.
  • Scheduled Testing. Employers may test employees on a predetermined schedule, such as on an annual or biannual basis, particularly if a job requires a regular physical exam. These tests are usually preferred by employees over random testing because an employee who is using drugs can stop in time to produce a clean test result. This reduces the test's effectiveness at detecting employee drug use.
  • Random Testing. Employees may be tested on an unannounced, unpredictable basis. Usually, employers use a computer or another random process to select the specific employees to test. This type of testing serves as a deterrent because there is no way for an employee to prepare for such a test.

    Employers should be aware of state laws in this area, because some state laws limit or prohibit random, suspicionless drug testing, unless the job requires it. For example, random drug testing may be necessary for safety sensitive positions. See State Requirements.

  • Post-Accident Testing. Property damage and personal injury often result from workplace accidents. Follow-up testing helps determine whether drugs and/or alcohol contributed to the accident. Employers should establish objective criteria for determining whether, by whom, and how a post-accident test will be conducted. Testing should be performed as soon as possible after an accident, so that the test results are relevant. Results should be documented.

    Even though the results of post-accident testing do not technically qualify as a medical record under the ADA, the results should be kept in separate, confidential, medical files just as other types of medical records. See Recordkeeping and Safeguarding Employee Records and Confidential Information; Employee Management > Recordkeeping.

Scope of Testing

Basic drug tests usually screen for amphetamines, canabinoids (marijuana, hashish), cocaine, opiates (heroin, morphine, opium, codeine) or phencyclidine (PCP). More extensive tests may be available to screen for barbiturates, benzodiazepines, ethanol, hallucinogens, inhalants or anabolic steroids.

If an employee tests positive for an illegal drug, the employer should always ask the employee about prescription drug use to verify whether something else may have caused the positive test result. If an employer fires or does not hire an individual based upon a misunderstanding concerning a drug test, the employer may be liable under the ADA. See Legal Issues Surrounding Drug Testing.

Methods of Testing

Urine, blood and breath tests are minimally intrusive procedures in general. However, an employer may face an invasion of privacy issue if other individuals are in the room when the test is performed. If the employer is worried that the employee will tamper with the sample, the employer may have one other individual of the same sex present with the employee during the testing. Employers should consider using a reputable testing facility that understands how to avoid privacy, tampering, and chain of custody issues.

There are several different ways to conduct drug and alcohol testing:

  • Urine Tests can be used to show the presence or absence of residue from drug use. If a urine test is positive, it does not mean that an employee is using drugs at that time. Urine tests detect and measure drug use over a period of several days. In contrast, urine tests are not helpful for detecting alcohol, because alcohol passes rapidly through the system.
  • Blood Tests measure the actual amount of alcohol or other types of drugs present in the employee's system at the time of the test. These tests are a better indicator of recent drug use than urine tests, but there is a much shorter detection window. Most residue from drug use leaves the blood quickly and will not show up in this type of test.
  • Breath Tests are the most common test for determining how much alcohol is in the blood at the moment of the test, i.e., Blood Alcohol Concentration (BAC). Under Department of Transportation (DOT) regulations, a person with a BAC level of 0.02 or higher cannot perform a safety sensitive task for a specific amount of time.
  • Other Types of Tests include testing saliva, hair samples or sweat patches.

Employers must be familiar with the applicable state and municipal laws in this area, which set out the different drug testing methods that may be used by employers and any restrictions on those methods. See State Requirements.

  • Drug-Free Workplace Act of 1988. Under this law, any employer that receives federal grants or contracts must be drug-free or risk losing federal funding. +41 U.S.C. 701 This means that private organizations that receive federal grants must take specific steps to provide a drug-free workplace, including:
    • Publishing and providing employees with a policy statement of the program, which outlines the prohibited substances and the consequences for using such substances;
    • Establishing a substance awareness program so that employees are aware of the dangers of using illegal drugs, counseling options and rehabilitation programs;
    • Notifying employees of mandatory compliance with the policy;
    • Notifying the federal contracting or granting agency if an employee has been convicted of a criminal drug violation in the workplace; and
    • Imposing penalties on any employee who is convicted of a reportable workplace drug conviction.

The Drug-Free Workplace Act, itself, does not require drug testing, but certain federal agencies, like the Department of Defense and the Department of Energy, have regulations that require contractors, grantees and licensees who perform work for them to have drug-free workplace programs with drug testing. See HR and Workplace Safety (OSHA Compliance): Federal.

  • ADA. As discussed above, the ADA limits an employer's ability to make disability related inquiries or require medical examinations of job applicants or current employees. See Medical Testing and Physical Examinations;Drug and Alcohol Testing of Applicants.

    Once an employee begins work, any disability related inquiry or medical examination must be job related and consistent with business necessity. This means that the employer cannot make an inquiry or require an exam unless the employee's ability to perform essential job functions is impaired or the employee poses a direct safety threat to him or herself or to others. See Employee Management > EEO - Discrimination.

    An employee or applicant who is currently engaging in the illegal use of drugs is not a qualified individual with a disability when the employer acts on the basis of the drug use. +42 U.S.C. § 12114(a). Illegal use of drugs means the use of drugs, the possession or distribution of which is unlawful under the Controlled Substances Act, +21 U.S.C. § 812. The term does not include the use of a drug taken under supervision of a licensed health care professional or other uses authorized by the Controlled Substances Act. +42 U.S.C. § 12111(6)(a); +29 C.F.R. § 1630.3(a)(2). As a result, employers may legally discharge or deny employment to persons who illegally use drugs. +42 U.S.C. § 12114(c)(4).

    Under the ADA, an employer is allowed to test applicants or employees for illegal drug use because the ADA does not consider a test for illegal drug use to be a medical examination. +42 U.S.C. § 12114(d)(1). Therefore, an employer does not have to demonstrate that a test for illegal drug use is job related. +42 U.S.C. § 12114(a).

  • Alcoholics and Drug Addicts. The ADA considers past drug addiction a protected disability. However, it does not cover current use of illegal drugs. The fact that an employee is a recovering addict cannot be used in any employment decision. An individual who currently has an alcohol addiction is protected by the ADA. However, an employer can take adverse action against an employee whose performance is impaired by the use of alcohol, and an employer can prohibit the use of alcohol in the workplace. Employers can hold employees with alcoholism to the same standards as other employees, even if the employee's misconduct or improper behavior was caused by alcoholism.

Because employees recovering from drug or alcohol addiction are protected by the ADA, employers must provide reasonable accommodations for recovery. Examples of possible accommodations include:

  • A leave of absence to obtain treatment;
  • Not requiring the employee to attend events where alcohol will be served;
  • Allowing the employee time off to attend substance abuse program meetings;
  • Allowing the employee to work a modified schedule so that he or she can get treatment.

Employers do not, however, have to provide substance abuse programs.


Employee Management > EEO - Discrimination;

Employee Management > Disabilities (ADA).

Practical Example

Robert is a commercial truck driver. He crashes his truck and is charged with driving under the influence. Robert receives notice that he will be terminated based on this conduct. Robert tells his employer that the accident made him realize that he is an alcoholic and that he is now seeking treatment, and asks to keep his job. Robert's employer may still terminate him because employees may be fired for misconduct caused by alcohol abuse, even if the employee has an ADA protected disability where it poses a health and safety risk to others and impairs his ability to perform his job. Further, in this situation, Robert's employer did not know about Robert's disability until after making the termination decision so it was not a factor in any employment decision.

Practical Example

Larry operates a small clothing store. He generally does not mind if his employees come in late. Donna comes in no later than anyone else, but Larry is convinced that her tardiness is caused by her alcoholism. If Larry terminates Donna because she is late and he does not terminate anyone else, Donna can bring suit against him under the ADA for discriminating against her on the basis of her disability.

  • Medical Marijuana. An increasing number of states allow patients to use marijuana for medical purposes. See State Requirements. A patient who meets the appropriate state criteria cannot be prosecuted for state law crimes relating to marijuana use; however, federal drug laws may still apply.

    On the other hand, some courts have held that the state laws legalizing medical marijuana and the ADA do not prohibit employers from disciplining or terminating an employee for medical marijuana use. See Casias v. Wal-Mart Stores Inc., +764 F. Supp. 2d 914 (W.D. Mich. 2011). However, there is no consensus by the courts as to whether using medical marijuana is an illegal use of drugs that falls outside the protections of the ADA. Because the law is still developing in this area, an employer should be careful about making any employment decisions with regard to employees who use medical marijuana. See Employee Management > EEO - Discrimination; Employee Management > Disabilities (ADA).

  • Department of Transportation (DOT). The Omnibus Transportation Employee Testing Act of 1991 mandates that transportation industry employers with employees in safety sensitive positions, such as commercial drivers, implement drug-free workplace programs that include both drug and alcohol testing. +31 U.S.C. 1353; +49 U.S.C. 301 and +49 U.S.C. 306; +49 C.F.R. 382.101, et seq. The DOT is responsible for overseeing and administering these programs, which cover both public and private sector employees. Private employers in these industries are subject to the same guidelines as public sector employers. Private employers that fall under this Act include commercial trucking companies, commercial airlines, and private energy companies. See HR and Workplace Safety (OSHA Compliance): Federal
  • Wage and Hour Issues. Employers must generally pay for the drug tests they require. The time spent taking a required drug test is usually considered hours worked and employees must be compensated for that time under the federal Fair Labor Standards Act. +29 U.S.C. 201, et seq. See Employee Compensation > Hours Worked.
  • OSHA. In January 2017, OSHA issued a rule indicating its belief that blanket post-injury drug-testing policies deter proper reporting. The rule does not ban employee drug testing, but it does prohibit an employer from using drug testing (or the threat of drug testing) as a form of adverse action against employees who report injuries or illnesses. Therefore, drug testing policies should limit post-injury testing to situations in which employee drug use likely contributed to an incident; and for which the drug test can accurately identify the impairment caused by drug use. For example, it would not be reasonable to drug test an employee when the employee's injury was clearly caused by machinery or tool malfunction.

    Psychological Testing

    Employers that use a psychological test must ensure that the test itself and the reason for using the test are job related. This applies to psychological profiling with respect to job applicants, as well as to the testing of current employees. Psychological tests are often contentious because there is some dispute as to accuracy. As the tests request significant personal information from employees, privacy issues can arise.

    If psychological tests probe too deeply into an applicant's or employee's personality, the tests may violate state and federal antidiscrimination laws prevent employers from asking questions pertaining to gender, religious beliefs, national origin, etc.

    Employers should generally avoid using psychological tests without having a compelling business justification and consulting with legal counsel. See Employee Management > EEO - Discrimination.

    Polygraph Testing

    The Employee Polygraph Protection Act of 1988 (EPPA) prohibits employers from using lie detector tests for preemployment screening purposes. The EPPA also prohibits employers from requiring employees to take polygraph tests during the course of employment with certain limited exceptions. See Employee Polygraph Protection Act.

    Employers should also be aware of state laws that impose greater restrictions on the ability to conduct and administer lie detector tests. See State Requirements.

    Physical Examinations

    Post-offer physical examinations are used to determine the continuing ability of an individual to perform a specific job. Pursuant to the ADA, an employer cannot require a current employee to take a medical or physical examination unless the employer can demonstrate that the employee poses a significant threat to the health and safety of the workplace based on a medical condition.

    The Employment Opportunity Commission's (EEOC's) Pandemic Guidance states that an employer must take direction from the CDC or state/local public health authorities in deciding whether an illness is a direct threat, and the assessment cannot be based on subjective perceptions or irrational fears. At this point, because evidence shows that the Zika Virus cannot be transmitted from person to person in causal contact present in an employment relationship, and can only be spread by sexual contact, there is no direct threat present to justify an employer testing for the Zika Virus.

    The ADA also requires that data from a medical examination be kept in a separate file from the employee's personnel file, available only to those with a demonstrated need to know. This means that the only people who should be checking this separate file are: government officials verifying that an employer is in compliance with the ADA; emergency medical personnel who treated the employee; trained HR personnel; or the employee's supervisor, if the medical condition requires a special accommodation. See Medical Testing and Physical Examinations; Employee Management > Recordkeeping.

    AIDS Testing

    The ADA prevents an employer from testing applicants for AIDS or HIV before making a job offer. An offer can be made conditional upon such a test, but all applicants hired for that position will have to be tested. The employer also will have to justify that the test is job related and consistent with business necessity; in other words, that having AIDS or HIV affects whether the applicant can perform the job. There are very few jobs in which having AIDS or HIV poses a health risk, so this will be difficult for most employers to justify.

    The ADA also prevents employers from asking whether current employees have HIV or AIDS, or requiring employees to be tested for HIV antibodies. HIV testing is only allowed in limited instances if the employer can show that an employee's HIV or AIDS status is relevant to the job and consistent with business necessity.

    Recordkeeping and Safeguarding Employee Records and Confidential Information

    HIPAA Privacy Requirements

    The Health Insurance Portability and Accountability Act (HIPAA) was developed to improve the efficiency and effectiveness of the health care system. +42 U.S.C. 1320D. HIPAA's privacy requirements mandate the adoption of appropriate safeguards to protect the privacy of personal health information, and set limits and conditions on the uses and disclosures of such information. Protected Health Information (PHI) is defined as any information held by a covered entity (e.g., health plans, health insurers, health care clearinghouses or health care providers) concerning health status, provision of health care, or payment of health care that can be linked to an individual - any part of an individual's medical record or payment history. An employer will not be considered a covered entity under HIPAA unless the employer has any kind of health clinic operations for employees or provides a self-insured employee health plan.

    A covered entity may not use or disclose protected health information except:

    • As HIPAA permits or requires; or
    • If the individual who is the subject of the information, or the individual's personal representative, provides written authorization.

    The only situations in which a covered entity may disclose protected health information are:

    • To individuals (or their personal representatives), if such individuals request access to their PHI; or
    • To the Department of Health and Human Services, if it is undertaking a compliance investigation, review or enforcement action.

    Covered entities should follow the law and rely on professional ethics in deciding which permissive uses and disclosures should be made under HIPAA. Employers should also familiarize themselves with any applicable state laws, which may require further consent or authorization. See State Requirements; Employee Management > Recordkeeping.


    The Genetic Information Nondiscrimination Act (GINA) protects individuals from the misuse of genetic information by health insurers and employers. +42 U.S.C. 2000ff, et seq. The types of genetic information protected by GINA include:

    • The individual's family medical history;
    • Carrier testing for a specific disease (e.g., cystic fibrosis, sickle cell anemia);
    • Prenatal genetic, susceptibility and predictive testing (e.g., breast cancer); and
    • Analyses of tumors or other assessments of genes, mutations or chromosomal changes.

    Private employers with 15 or more employees must comply with GINA. GINA also covers certain public sector employees like the US Postal Service and the Library of Congress. GINA does not apply to federal employees enrolled in the Federal Employees Health Benefits program or to veterans obtaining health care through the Veteran's Administration. See Employee Management > EEO - Discrimination.

    Under GINA, employers cannot use an individual's genetic information in making decisions about hiring, firing, job assignments or promotions. Employers may not request, require or purchase genetic information about an employee or an employee's family member. If an employer does have an employee's genetic information, it must treat such information as a confidential medical record. Genetic information is also subject to HIPAA. See HIPAA Privacy Requirements.

    If an employer violates GINA, an employee can recover compensatory damages and punitive damages, as well as back pay, reinstatement and attorney fees.

    Employers should also be familiar with similar state laws, which may afford an employee more protection than federal law. See State Requirements.

    Employers should make sure that any wellness programs and the collection of sensitive genetic and medical information complies with GINA and the ADA and any administrative rules with respect to wellness programs. See EEO - Discrimination: Federal.

    Practical Example

    Heather decides to undergo a BRCA gene test to determine if she is at high risk for developing breast cancer. Heather asks for time off from work for the test, and tells her employer why she is taking the time. When Heather returns to work, she tells some employees that the BRCA test revealed that she has a high risk of developing breast cancer. If Heather's employer terminates her shortly after learning that information, Heather may sue under GINA.

    Protecting Employee Personal and Confidential Information

    Employers should develop and publish guidelines on what is considered confidential information, which employees can have access to that information, and how such information will be securely stored. These steps can help ensure that those who do not have a legitimate need to know cannot gain access to confidential employee information, such as personnel files.

    HR should keep tight control over an employee's personnel information, even when it comes to the employee's own manager. An employee's personnel file may contain information about a protected characteristic (e.g., birth date) that the manager does not have a business need to know. If the manager discovers this information and later fires the employee, the employee could try to claim age discrimination. Employers should also be aware that special guidelines apply to medical records. See Medical Testing and Physical Examinations; Employee Management > Recordkeeping.

    • Release Only for Legitimate and Legal Reasons

      In general, employers should be very cautious about giving out any information regarding current or former employees. Employers should only provide personal information such as the employee's full name, social security number, date of birth and work schedule in accordance with the employer's reference policy or to law enforcement or a government agency with a verified legitimate reason. In some instances, the individual requesting the information might be a new employer seeking job reference information, but the individual may also be a private investigator, debt collector, or someone looking to harass or injure the employee.

    • Investigate All Inquiries for Information

      Employers may want to establish a policy that all outside inquiries regarding employee information are routed through a designated individual (e.g., the owner, a manager, an HR representative), or another individual who is aware of the need to safeguard information about employees. The designated individual should record the date, time, identity of the inquirer, and the purpose of the request. If there is any question about the purpose of the inquiry, the individual should explain that it is not allowed to give out information about current or former employees to individuals outside the employer, but that if the employee signs a written authorization, the employer will provide the requested information.

    • Maintain Records in a Confidential Manner

      Employers can maintain the confidentiality of records by keeping the files in a locked cabinet and by making them available only to those individuals with a legitimate business need to access them. Employers may want to establish a policy that only the HR manager, the individual employee's manager, and the employee have a right to see those files.

    • Store Sensitive Information and Documents in a Protected Manner

      Documents with sensitive information and other confidential documents should be stored in a protected manner. If these are physical documents, such documents should be kept in a locked file cabinet, safe, or off-site storage facility, with only limited access provided to other employees. Employers should develop a policy so that email and other electronically stored data are not carelessly or improperly used. This policy should be detailed in an employee handbook and should explain how the employer protects confidential and sensitive employee information. Employers should also maintain a log of when, and why, any information was accessed, and establish a procedure for informing those affected about any security breaches.

    • Protect Employee Social Security Numbers

      Employers must also protect employee Social Security numbers (SSNs), as indiscriminate public disclosure may implicate the right to informational privacy.

      This means that employees with authorization to access SSNs should be trained on privacy and security responsibilities. Employers should also provide a written explanation to all employees of the disciplinary consequences for misusing or wrongfully disclosing an employee's SSN.

    • Properly Destroy Old Documents

      Employers should consult state and federal laws and regulations that pertain to particular industries to ensure understanding of the employee records that must be kept and for how long. See State Requirements.

      The Fair and Accurate Credit Transactions Act (FACTA) amended FCRA to address growing concerns about identity theft. Under FACTA, employers must take certain measures to properly dispose of confidential employee information. Employers should burn or shred paper documents; electronic data storage devices should be destroyed or erased. A standardized employee policy will help ensure compliance.

    • Be Mindful of the National Labor Relations Act

      In implementing any policy regarding the protection of employee information, an employer should be careful about infringing upon the right of employees under Section 7 of the NLRA to engage in protected concerted activity and to discuss wages, hours and working conditions with fellow employees and nonemployees such as union representatives. A handbook rule requiring confidentiality may be found unlawful if it specifically prohibits the disclosure of employee information regarding the terms and conditions of employment such as wages, hours, benefits and working conditions or employee contact information. However, rules requiring employees not to discuss trade secrets such as recipes, preparation techniques, marketing plans or strategies, customer credits cards or contracts and financial records as well as their employee PIN and other similar personal identification information may be lawful because such rules do not infringe upon Section 7 rights. Similarly, handbook rules prohibiting the disclosure of confidential information belonging to the employer would be lawful if it did not reference employee information or any terms and conditions of employment because employers have a legitimate interest in maintaining the privacy of certain business information.

    Use of GPS Devices

    On January 23, 2012, in United States v. Jones, +2012 U.S. LEXIS 1063 (January 23, 2012), the Supreme Court issued a unanimous ruling that police officers must obtain a search warrant before placing a Global Positioning System (GPS) device on a suspect's vehicle for purposes of tracking the vehicle and the suspect's location. Although the decision applied to government employees, the decision has ramifications for private employers who seek to use GPS systems in employee vehicles, PDAs and laptops to monitor and investigate employee activity. The decision highlights that there is virtually no federal or state legislation regulating location tracking devices by employers or law enforcement. Following this decision, employers may reasonably anticipate legislation on this issue. Further, the decision is notable because in requiring police officers to obtain a warrant the Court is suggesting individuals have a privacy interest in the patterns of private activity that can be derived from continuous location tracking devices regardless of the public nature of their movements. Here, the GPS monitoring presents a comprehensive record of an individual's public movements and provides great details about an individual's familial, political, professional, religious, and sexual associations. This will likely impact the lower courts when confronted with invasion of privacy claims based on an employer's unauthorized monitoring of an employee during non-working hours. In light of this decision, employers may want to consider implementing policies addressing the use of location tracking devices and limit the use of location tracking devices to an employee's working hours. Further, if an employer chooses to use location tracking devices, it should have a legitimate business reason for doing so.

    Trade Secrets

    While it is critical for employees to protect an employer's confidential and proprietary information and trade secrets, under the Defend Trade Secrets Act of 2016, an employee will be immune for the disclosure of a trade secret when reporting a suspected violation of law and/or in an anti-retaliation lawsuit. A trade secret is defined as all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if the owner thereof has taken reasonable measures to keep such information secret; the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public. Specifically, an employee cannot be held criminally or civilly liable under federal or state trade secret law for the disclosure of a trade secret that is made: (i) in confidence to a federal, state, or local government official either directly or indirectly, or to an attorney solely for the purpose of reporting or investigating a suspected violation of law; or (ii) in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. In addition, if an employee files a retaliation lawsuit against an employer for reporting a suspected violation of law, the employee may disclose the trade secret to his or her attorney and use the trade secret information in the court proceeding, if (i) employee files any document containing the trade secret under seal; and (ii) does not disclose the trade secret, except pursuant to court order. See Terms of Employment: Federal.

    Future Developments

    There are no new developments to report at this time. Continue to check XpertHR regularly for the latest information on this and other topics.

    Additional Resources

    Video Surveillance Policy

    Communication and Information Systems Policy

    Employee Conduct and Discipline Policy

    Social Media Policy

    NLRB Issues Guidance on Social Media Policies

    Dos and Don'ts Regarding Social Media Policies - Chart

    Employers Should Review Social Media Policies in Light of Recent NLRB Report

    Legislatures Aim to Protect Social Media Privacy of Employees and Applicants

    How to Conduct Video Surveillance

    Employee Privacy Rights - Supervisor Briefing

    How to Monitor Employee Use of Email and the Internet

    Acceptable and Unacceptable Internet and Email Use - Chart

    Monitoring Employee Use of Email and the Internet - Supervisor Briefing

    How to Draft and Enforce a Social Media Policy in the Workplace

    Social Media - Supervisor Briefing

    Employee Use of Social Media May Constitute Protected Concerted Activity

    Employers May Videotape Employees in Open Work Spaces

    Employees Do Not Have a Reasonable Expectation of Privacy in Emails Sent Over an Employer's Electronic Communications System

    Employer Retains Ultimate Authority to Consent to Government Search of Employee Office and Computer

    Employers May Monitor Employee Stored Emails When the Employee Has No Expectation of Privacy

    Employer's Unauthorized Access to Employee-Only Social Networking Website Violates Stored Communications Act

    Employer Beware: Not All Information on the Workplace Computer Is Employer Property

    Employers Have Duty to Investigate and Report Illegal Computer Activity in the Workplace

    Employer Access of Employee Personal Email Account May Be Prohibited Under the Stored Communications Act

    Personal Emails Sent Using Employer Computers Are Not Covered by the Attorney-Client Privilege

    Public Employers Retain the Right to Search Employee Electronic Communications

    Employee Acknowledgement and Consent Form for Internet and Email Use

    Acknowledgement and Consent Form for Employee Surveillance