Posts Tagged ‘Workplace Privacy’
Social Media and the Workplace
Thursday, June 14th, 2012
No one wants to lose his or her job over a Facebook post. However, most employees also do not think twice before griping about a boss in a status update, or posting a picture from last Friday night on a coworker’s wall. While free speech has historically been protected in the United States, there can also be negative repercussions for exercising that right.
By Alice Cheng
Does it violate the law to fire someone over social media activity? Possibly, depending on whether the post is determined to be a “protected concerted activity” or not. Generally, the National Labor Relations Board (NLRB) has determined that Section 7 of the National Labor Relations Act permits “concerted activity,” which involves employees talking jointly about terms or conditions of employment (i.e., coworkers discussing a disliked supervisor on Facebook), and is permissible in order to protect employees against employer retaliation. Section 8(a)(1) is related and prohibits interfering with employees rights under Section 7.
For example, merely “venting” on a social network about a workplace condition is generally not enough to constitute protected concerted activity. Protected posts usually must involve, at a minimum, initiating or inducing coworkers to action (i.e., generating discussion among coworkers on Facebook).
Last month, the Acting General Counsel of the NLRB issued his third report on social media, including an analysis of seven recent social media cases, focusing on employers’ social media policies and rules. The report mentions that rules explicitly restricting Section 7 activity would be clearly unlawful. If the rule does not explicitly do so, it may still be unlawful under Section 8(a)(1) upon a showing that: “(1) employees would reasonably construe the language to prohibit Section 7 activity; (2) the rule was promulgated in response to union activity; or (3) the rule has been applied to restrict the exercise of Section 7 rights.” Although the cases within the report do not represent “the law,” they still provide helpful general guidance for employers seeking to design appropriate policies.
Avoid broad and ambiguous language. Policies which tell employees to not use “offensive” or “demeaning” comments should be backed with a specific example (such as offensive posts meant to discriminate based on race, sex, religion, or national origin) so that reasonable employers would not construe such language to cover protected activities. The Board has also long held that any rule requiring an employee to obtain the employer’s permission prior to engaging in protected activity is blatantly unlawful. Similarly, policies cannot require posts to be “completely accurate and not misleading” and should not limit discussions of work so that any discussion would be virtually impossible.
Rules requiring employees to maintain the confidentiality of trade secrets and private and confidential information are permissible, as employees have no protected right to discuss these matters. Generally speaking, employees have few rights to workplace privacy. However, there are limits on an employer’s ability to limit the use of the employer’s logos and trademarks. For example, an employer cannot prohibit the use of picket signs containing the logos or trademarks.
Savings clauses have no real effect. These clauses generally state that the policy will be administered in compliance with relevant laws. The NLRB has dismissed these as not curing any ambiguities in the overbroad policies.
It is also helpful for employers to place policies in context. The policies should acknowledge the usefulness and appeal of social media, but also remind employees that they are responsible for what they write, to know their audience, and to use their best judgment. The purpose of a social media policy should clearly be to avoid use that would adversely affect job performance or business interests (including harming clients or customers), rather than for the sake of surveillance and retaliation.
Employers should also stay updated on recent developments pertaining to the disclosure of social media passwords. Recently a number of states have considered or implemented bans on “shoulder surfing” or mandatory disclosure of private accounts.
NJ Assembly Passes Bill Requiring Deletion Of Stored Information On Photocopy Machines And Scanners
Wednesday, May 30th, 2012
NJ Assembly Bill A-1238 requires the destruction of records stored on digital copy machines under certain circumstances in order to prevent identity theft
By Alice Cheng
Last week, the New Jersey Assembly passed Bill-A1238 in an attempt to prevent identity theft. This bill requires that information stored on photocopy machines and scanners to be destroyed before devices change hands (e.g., when resold or returned at the end of a lease agreement).
Under the bill, owners of such devices are responsible for the destruction, or arranging for the destruction, of all records stored on the machines. Most consumers are not aware that digital photocopy machines and scanners store and retain copies of documents that have been printed, scanned, faxed, and emailed on their hard drives. That is, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of the photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.
Any willful or knowing violation of the bill’s provisions may result in a fine of up to $2,500 for the first offense and $5,000 for subsequent offenses. Identity theft victims may also bring legal action against offenders.
In order for businesses to avoid facing these consequences, they should be mindful of the type of information stored, and to ensure that any data is erased before reselling or returning such devices. Of course, business owners should be especially mindful, as digital copy machines may also contain trade secrets and other sensitive business information as well.
Mobile Device Policies
Thursday, April 12th, 2012
Companies are increasingly allowing their employees to use their own personal mobile devices, such as laptops, tablets, and smartphones, to remotely access work resources.
This “bring your own device” trend can present certain security and privacy risks for companies, especially in regulated industries where different types of data require different levels of security. At the same time, companies need to also be mindful of employee privacy laws.
Most individuals now have personal mobile devices, and companies are finding it increasingly convenient to allow employees (and in certain situations, independent contractors) to access company data and networks through these personally owned devices. However, when an organization agrees to allow employees to use their own personal devices for company business, it loses control over the hardware and how it is used. This creates security and privacy risks with regards to the proprietary and confidential company information stored or accessible on those devices, which can lead to potential legal and liability risk. Similarly, when employees use the same device for both personal and professional use, determining the line between the two becomes difficult. If your company is considering letting its employees use their personal devices in the workplace, you should consult with an attorney to craft a policy that’s right for your business.
RFID and Workplace Privacy
Sunday, February 12th, 2012
The Use of RFID In The Workplace Sparks Privacy Concerns
By Aaron Messing, Esq., CIPP
I recently had the opportunity to speak with Karen Boman of Rigzone about RFID technology and workplace privacy. Although the article focuses on the oil industry, the best practices of openness and transparency are generally applicable to most workplaces. The entire article can be found here, and makes for an engaging and informative read.
RFID technology in and of itself does not pose a threat to privacy – it’s when the technology is deployed in a way not consistent with responsible privacy information security practices that RFID becomes a problem, said Aaron Messing, associate with Union, N.J.-based OlenderFeldman LLP. Messing handles privacy issues for clients that include manufacturing and e-commerce firms.
Legal issues can arise if a company is tracking its employees secretly, Messing noted, or if it places a tracking device on an employees’ property without permission.
He recommends that clients should follow basic principles of good business practices, including making employees aware they are being monitored and getting written consent.
“Openness and transparency over how data is tracked and what is being used is the best policy, as employees are typically concerned about how information on them is being used,” Messing commented. “We advise clients to limit their tracking of employees to working hours, or when that’s not feasible, they should only access the information they want to track, such as working hours.”
The clients Messing works with that use RFID typically use the technology for tracking inventory, not workers. Messing can see where RFID would have legitimate uses on an oil rig. In the case of oil rigs, RFID tracking can be a good thing in case of emergency, as RFID makes it possible to determine whether all employees have been evacuated or how evacuation plans should be formed, Messing commented.
“It really depends on what the information is being used for,” Messing commented. However, employers that don’t have legitimate reasons for tracking workers can result in loss of morale among workers or loss of workers to other companies.
Workers who have RFID lanyards or tags can leave their tags at home once the work day is over to avoid be tracked off-hours. However, employees generally don’t have a lot of rights in terms of privacy while on the job. ”Since an employee is being paid to work, the expectation is that employers have a right to track employees’ activities,” said Messing. This activity can include monitoring phone conversations, computer activity, movements throughout a building and bathroom breaks.
However, companies should try to design monitoring programs that are respectful of employees.
“Companies that do things such as block personal email or certain websites and place a lot of restrictions on workers may do more harm than good, since workers don’t like feeling like they’re not trusted or working in a nanny state,” Messing commented.
Cctv Camera by Colin Russell
Entertainment Weekly Calls On OlenderFeldman For Comments
Tuesday, October 18th, 2011On Tuesday, October 18th, a 40-something year old actress filed a law suit against IMDb and Amazon for publishing her real name and age on IMDb’s website. Entertainment Weekly asked Michael J. Feldman, Esq., CIPP, to weigh in on the merits of the plaintiff’s privacy claim.
Feldman, a partner at OlenderFeldman who is also not involved in the IMDb suit, believes “the most pivotal issue in the case” will be the clarity of IMDb’s Privacy Policy and Subscriber Agreement. According to Feldman, IMDb’s “mistake here is that neither the Privacy Policy nor the Subscriber Agreement are clear as to the purpose for obtaining credit card information, and how that information will be used.” Without that confusion, Feldman speculated that IMDb could have avoided this lawsuit altogether. Still, he agreed that Doe “has numerous hurdles to overcome,” primarily that she “appears to confuse promises made in those agreements concerning security of information provided to IMDb and the privacy rights afforded to subscribers of the website.”
Making the case even less promising, Feldman thinks the $1 million price tag on Doe’s suit is unreasonable: “She will have an extremely difficult time proving damages under the facts alleged.” Added Feldman, a founding member of privacy and data protection consulting firm Acentris: “Even if IMDb is at fault, damages are limited to the total amount [she] paid” as an IMDbPro subscriber.
To read more on this intriguing matter, click here.