When can companies legally spy on employees?

IT has access to a lot of information about the company and its employees. That means IT can be a valuable asset when a manager wants to investigate a member of his or her staff. But too much snooping can lead to a violation of employees’ privacy. 

Here are some of the employee privacy areas in which companies often get tripped up:

Personal email

It should be clear to all employees that what they say using their employer’s email system won’t remain private. But can companies monitor employees’ personal email?

Often, that depends on whether or not the company has gotten consent to monitor Internet use. If the organization has a policy stating that anything done using company-owned IT equipment is subject to monitoring — and employees sign off on it — then it would be difficult for employees to claim they had a reasonable expectation of privacy, even if they’re using a personal email account.

But even without such a policy, courts have ruled in favor of companies that read employees’ personal email. One example was a case in which an employee remained logged in to a personal account on a shared computer, after which her boss read a personal message she had sent. The judge sided with the company, claiming the employee had no reason to expect her account to stay private if she remained logged in.

Mobile devices

Organizations are normally in the clear to monitor employee activity using company-owned equipment. However, things can get more complicated when companies implement BYOD programs and allow employees to work with personal devices.

One court case that went all the way to the Supreme Court (Ontario v. Quon) involved a police department’s right to read personal text messages sent using devices issued by the department. Messages were searched through when employees went over their allotted limit adding to the phone bill paid by the employer.

The ruling went the employer’s way when the Court decided the employees didn’t have a right to privacy when using employer-owned devices and a cellular service paid for by the police department. The justices also noted that the police department had a legitimate reason to search through the messages.

But do the same rules apply when employees are using devices and services that they’re paying for on their own? While the question is trickier, most experts say companies can still do some monitoring — as long as the company takes reasonable steps to avoid unnecessarily exposing personal information.

Again, companies need to make sure they’ve properly notified employees about what monitoring might occur when begin participating in the BYOD program. Otherwise, employees may assume that everything on their devices will remain private.

GPS tracking

Some companies with employees who drive company cars or use their own vehicles for work-related travel use GPS devices to track employees’ locations — not necessarily to spy on their workers, but to track the progress of jobs or deliveries, or gather information to help increase efficiency.

Of course, that data can also be used to catch employees who aren’t doing their work or break other rules.

Some states, including California, Connecticut, Delaware and Texas, have laws forbidding companies from using GPS device to track employees’ locations — unless employees give their consent.

In other places, courts have mostly agreed that employees have no reasonable expectation of privacy when driving a company-owned vehicle.

With personal vehicles, however, employers may need to get consent from employees before tracking their locations. Exceptions have been made in situations in which the company was conducting a legitimate investigation of an employee suspected of serious policy or legal violations.

Social networking

The issue of employee privacy on social networks became a hot topic recently after several states began passing laws forbidding organizations from demanding social media passwords as a condition of employment.

Last year, several states, including California, Illinois, Michigan, New Jersey, Maryland, Delaware and Washington, passed those laws.

But even without legislation, companies can get in trouble for accessing content an employee meant to keep private.

In one court case from last year, an employee sued for a violation of privacy after her boss forced a co-worker she had friended on Facebook to log into the site and show him the employee’s page.

A judge refused to dismiss the case, ruling that the employee’s right to privacy may have been violated because she never expected her supervisor to be able to read the content she had posted to the social networking site.

As with the other areas mentioned above, companies can typically monitor social networking activity that takes place at work using company-owned equipment. But demanding a password or otherwise cracking into a protected account is normally off limits.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy