Privacy and Personal Information
The concept of privacy refers to our capacity to keep our private information to ourselves and to manage the consequences of disclosing it to others. Information that can be used to identify a person is considered personal information. For instance, names, addresses, phone numbers, email addresses, pictures, bank account information, tax file numbers, information about superannuation funds, information about a driver’s license, and academic records. Sensitive personal information includes details about a person’s health, sexual orientation, religious beliefs, criminal history, and professional or labor union memberships. A higher standard is imposed for the gathering and handling of sensitive personal information under most privacy legislations.
Workplace Privacy Concerns
The increased use of technology in the workplace has raised new privacy concerns for both employers and employees. The rapid advancement of workplace monitoring and surveillance technology has far outpaced the development of legislation to protect employees’ privacy interests. While employee monitoring is not a new phenomenon, modern technology has provided employers with more advanced and effective methods of employee monitoring. As a result, electronic employee monitoring in the workplace has become far more common in recent years. Employers are not only collecting more data on their employees, but they are also collecting different types of data. An employer can now record every keystroke on the computer, every syllable that is spoken to a customer, and every second spent away from one’s workstation. These enhanced monitoring capabilities do not come cheap: they compromise employee privacy.
Employers are understandably concerned about workplace threats such as theft, data security breaches, identity theft, pornographic viewing, inappropriate and/or offensive behavior, violence, drug use, and others. They strive to reduce these risks, frequently necessitating monitoring of employees at work. Employers may also be concerned about productivity losses caused by employees using office technology for personal reasons while on the job. Organizations must balance the company’s legitimate business interests with employees’ reasonable expectations of privacy. Employers have a legitimate interest in monitoring employee performance to ensure efficiency and productivity. However, employee surveillance frequently goes beyond legitimate management concerns and devolves into simple spying for no legitimate business reason. Employee electronic monitoring has seen the emergence of particularly intrusive and unprecedented levels of workplace surveillance.
Employees Privacy Expectation
People expect some privacy at work, even if they are on the premises of their employer and using the employer’s equipment. It is natural to give up some privacy when working for someone. Employers require basic information about their employees to provide salary and other welfare benefits, as well as to ensure that work is completed efficiently and safely.
However, the possibilities for violating privacy are greater than ever before. Psychological tests, web-browsing records, video surveillance, keystroke monitoring, and genetic testing: the amount of information an employer can have on employees is limitless.
Employers can balance their “need to know” with their employees’ right to privacy, if they ensure that they collect, use, and disclose personal information about their employees for appropriate purposes only.
Respecting Employees’ Privacy
An employer’s need for information should be balanced with an employee’s right to privacy. For almost all personal information — including salary and benefits records, formal and informal personnel files, video or audio tapes, and records of web browsing, electronic mail, and keystrokes — the following basic rules help to establish and maintain that balance:
- The employer should explain why it collects personal information from employees, why it collects it, and what it does with it.
- Personal information should normally be collected, used, or disclosed with the knowledge and consent of the employee.
- The employer should only collect personal information that is necessary for its stated purpose, and collect it fairly and lawfully.
- The employer should normally use or disclose personal information only for the purposes for which it was collected, and keep it only as long as it is needed for those purposes, unless it has the employee’s consent to do otherwise, or is legally required to use or disclose it for other purposes.
- Employees’ personal information must be accurate, complete, and up to date.
- Employees must have access to their personal information and the ability to challenge its accuracy and completeness.
Employees’ Privacy Rights v Employer’s Right to Manage
Employers have legitimate needs for personally identifiable information about their employees. They must know who they are hiring. Performance issues must be addressed as well as ensure the physical safety of their workplace. They may also believe that electronic monitoring and other forms of surveillance are required to ensure productivity, prevent confidential information leaks, and prevent workplace harassment.
As a result, employers are sometimes forced to investigate private matters. However, they can limit the impact on personal privacy by keeping such instances to a minimum. The possibility that one employee may do something harmful does not warrant treating all employees as suspects. The dubious benefit of always knowing what every employee is doing on company time and equipment must be balanced against the cost — including the impact on employee morale and trust. Workplace harassment prevention is an important goal, but it is best accomplished through workforce training and sensitization, explicit anti-harassment policies, and appropriate remedial measures when harassment is reported or reasonably suspected, rather than by depriving everyone of their privacy rights.
Managing Privacy by Policies
Employers must at the very least inform their employees about how personal information will be collected, used, and disclosed. Employers should inform employees about how they manage their privacy through appropriate policies. Employees must be informed if they are subject to random or continuous surveillance. Employers should also ensure that information collected for one purpose is not used for another without the employee’s permission. Employers should provide employees with access to personal information held about them, even if it is not required by law, so that they can verify and challenge its accuracy and completeness.
Employees Waive of Privacy Rights
Employers may be inclined to inform employees or prospective employees that they have no expectation of privacy in the workplace — that losing privacy is a requirement of employment. It could be argued that any individual who agrees to work under these conditions has consented to the unlimited collection, use, and disclosure of their personal information.
Whether this is consent — clear, informed, voluntary consent — is questionable. With this approach, the general principle of collecting only the personal information needed for appropriate purposes is lost. A better alternative is to expressly request that employees consent to the explicit, limited, and justified collection, use, and disclosure of their personal information.
Organizational Privacy Culture
Practices like the ones described above are required by law in many workplaces, and employees have legal recourse to assert their rights. Employees may also have enforceable privacy rights under collective bargaining agreements.
However, good privacy practice is more than just avoiding complaints, grievances, or lawsuits. Whether privacy is protected by law or contract, cultivating a workplace culture that values and respects privacy boosts morale and mutual trust, and it makes good business sense.
The best practice for employers is to tell their employees about:
- what personal data or information do they collect
- the reasons for the collection
- the parties they might share this information with
- the process employees can use to access their personal information
- how to access, and correct their incorrect, out-of-date, or incomplete personal information
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author firstname.lastname@example.org or Mobile: +233-243913077