Kent Schmidt and Jessica Linehan
One of the most significant liabilities that a company in California faces relates to claims that it has invaded an individual’s privacy rights. While many claims are brought by consumers, a significant number of claims are filed every day by employees. It is prudent to consider employee privacy concerns.
As with many privacy analyses, it is helpful to consider the basic framework of the California’s rights to privacy. “Legally recognized privacy interests are generally of two classes: (1) interests in precluding the dissemination or misuse of sensitive and confidential information (‘informational privacy’); and (2) interests in making intimate personal decisions or conducting personal activities without observation, intrusion, or interference (‘autonomy privacy’).” Hill v. National Collegiate Athletic Assn., 7 Cal.4th 1, 35 (1994). Applied to the employee-employer context, those distinct protections and corresponding risks can be understood as follows:
(1) Informational Privacy: Employer’s failure to safeguard confidential information about an employee through allowing files or data to be accessed; and
(2) Autonomy Privacy: Employer’s interference with the private life and activities of an employee through invasive conduct or policies.
Claims by employees are most often brought in one of the following five categories.
Risk Number 1: Medical Examinations and Information
The general rule is that, during employment, an employer cannot subject an employee to a medical examination or demand information regarding an employee’s physical condition. There are exceptions to this which may justify a medical exam under unusual circumstances, where the inquiry is job-related and consistent with business necessity. For example, certain higher risk jobs which may jeopardize employee or public safety may justify medical examinations. If a company is contemplating requiring a medical examination, it should be prepared to provide a justification along those lines.
Once the medical examination is done, the employer should be aware that it now has triggered new liabilities simply by virtue of being a custodian of this information. The Confidentiality of Medical Information Act (Civ. Code §§ 56.20 and 56.35) obligates the employer (and others) to safeguard certain health related information. The CMIA is best understood as the California version of HIPPA (Health Insurance Portability and Accountability Act) but, like many California statutes, the CMIA requirements are broader than the federal law. These risks can be mitigated by ensuring that the employer does not obtain possession of the health information. For example, a third-party provider can simply confirm that the employee passed a physical and is ready to go to work.
Risk Number 2: Drug Tests
In a similar vein, drug testing during employment may be permitted depending on justification (health and safety) and manner of administration—balancing of drug test’s intrusion versus employer’s interest.
There are various factors that would need to be considered to determine whether a drug testing requirement violates an employee’s right to privacy. In particular situations where there are reasonable suspicion of drug use, requiring an employee to undergo testing may be permitted. Similarly, employers may require testing in heavily regulated industries, or in certain narrow job classifications. There is of course a difference between requiring all new employees to undergo testing rather than existing employees.
Whether drug testing is permitted is only the first part of the analysis. Equally important are questions concerning the mannerin which a test is administered. Drug testing is an inherently invasive act and sensitivities should be observed while adhering to basic standards of professionalism. In most cases, it is advisable to retain an outside testing service rather than having the resident Dwight Schrute from The Office take matters into his own hands.
Risk Number 3: Computer Use
The general rule in California is that an employee has no reasonable expectation of privacy when using a company computer and whatever expectation may exist can be further reduced with well written policies. TBG Ins. Services Corp. v. Zieminski, 96 Cal.App.4th 443 (2002). There are some exceptions to this rule. For example, if an employee is communicating with his or her attorney and the company knows that the communications are likely privileged, it should not seek to access or read those communications. Second, if the employee is keeping files or e-mails marked “private” on a computer, an argument exists that, even if the employer
Finally, as reported here, under recently enacted legislation in California, an employer is not permitted to require an employee to turn over a password to social media. Although it is an unanswered question, it may arguably follow that if the employer’s computer is set up for automatic login (such that a password is not required), an employee’s privacy rights may be violated if the employer uses the computer to read private communications on a social media site.
Risk Number 4: Off Duty Conduct Including Romantic Relationships
California law reflects a public policy that prohibits employers from making adverse employment actions based on an employee’s off-duty activities. Cal. Lab. Code Sec. 96(k). To state the obvious, an employer cannot invade an employee’s privacy by insisting that he or she refrain from legal activities or communications on their own time.
There are a few exceptions to this rule. An employer may of course prohibit an employee from running a competing business. An employer may prohibit employee from dating subordinate (Barbee v. Household Automotive Finance Corporation, 113 Cal. App. 4th 525 (2003)). An employer arguably has an interest in discouraging illegal activity. Perhaps the school district does not invade Walter White’s right to privacy by raising concerns about the meth lab he is building with a former student, Jesse Pinkman, on his own time (Breaking Bad reference). Other off duty conduct which is not illegal or directly detrimental to the employer is generally protected.
Risk Number 5: Internal Investigations
Employers must also tread carefully when engaging in internal investigation. Some of these concepts are borrowed from general notions of police protocols that have become the expected norm in dealing with suspects or detainees. In general, the scope and extent of an employer’s internal investigation of employee misconduct must be reasonable and not invade employee’s privacy interests. Use of overzealous investigators who use fraudulent means to obtain information, even if prompted by a reasonable suspicion of wrongdoing by the employee, may expose the employer to liability.
A WORD TO THE WISE . . .
This list is by no means exhaustive and the illustrations provided do not reflect hard and fast rules. Every case is different and likely rises or falls on unique facts with the hallmark of privacy considerations—reasonableness of intrusion versus interest sought to be achieved—at the center. At various junctures and in a variety of contexts, employers should consider whether the information they are seeking or obtaining regarding their employees may create liabilities that might be avoided.
Jessica Linehan’s practice focuses on all aspects of employment law, including the defense of both individual and class action wage and hour claims, discrimination, harassment and wrongful termination actions. She advises clients on a wide variety of matters including employment agreements, non-competition issues, wage and hour compliance, reasonable accommodation under state law and the ADA, and employee discipline and termination.
One thought on “Recognizing Risks Arising from Invasion of Privacy Claims in the Workplace”
Kent, interesting write-up. Regarding the comment (breaking bad reference…good series), “An employer arguably has an interest in discouraging illegal activity. Perhaps the school district does not invade Walter White’s right to privacy by raising concerns about the meth lab he is building with a former student, Jesse Pinkman, on his own time (Breaking Bad reference).”
I would like to understand something a little better. How does this reference relate to a company supporting DoD work? There are certain governmental requirements when holding a security clearance. It seems to me that an employer has an obligation to ensure no integrity violations exist based on the nature of national security. My question is where is the line drawn? Obviously DoD companies can report known issues to Defense Security Services, but for the sake of national security, doesn’t an employer have a moral and ethical obligation (more so than just discouraging) to ensure employee accountability? Again, where is the line really drawn?
Comments are closed.