Understanding Workplace Privacy: What you need to know as an employee

Anytime you apply for a job or become employed someplace, you have to provide personal information.

At a minimum, you’re providing sensitive information such as your Social Security Number to confirm eligibility for the work conditions of the position you’re applying for or being hired for. In general, businesses are allowed to collect basic contact information such as your name, address, phone number, and email address. However, depending on the industry and the position, additional information may also be required.

Certain institutions such as financial firms or government agencies may be required to perform special background checks or obtain credit reports as a condition of employment.

Many employers also collect employment history, education and training, performance evaluations, and medical information (when required for job-related reasons). Specifically, once you’re employed, your information may be collected and stored with data about workplace behavior (e.g., attendance or disciplinary records). This information is typically only used or shared to evaluate job performance or enforce compliance with organization policy.

Compliance with Employment Laws

There are good reasons for employers to collect and preserve your sensitive information, especially when it comes to enforcing compliance with employment law. There are a multitude of laws governing the relationship between a company and an individual for purposes of work, and compliance with those laws requires some sort of logging to be maintained in accordance with applicable requirements.

Work Eligibility

Companies may be required to collect your data to make sure you’re eligible to work in the country you’re being employed in. This can include sensitive documentation such as a birth certificate, social security card, tax forms, etc. They may be required to report on this throughout the duration of your employment, and to keep it for a number of years after your employment with them ends for recordkeeping purposes.

It's important to note that employers are only allowed to collect information that is relevant and necessary for employment purposes. Collecting information that is not related to job performance or that could be considered discriminatory is generally prohibited by law.

Recordkeeping

Laws that may require employers to collect certain types of information include the Fair Labor Standards Act (FLSA), which requires employers to maintain records related to wages and hours worked, and the Occupational Safety and Health Act (OSHA), which requires employers to maintain records related to workplace injuries and illnesses. Both laws are examples of prescriptive recordkeeping requirements that make companies keep your sensitive information for a number of years; this does not allow them to use that data for other purposes.

When collecting this information, companies have a responsibility to ensure it’s only used for the reasons prescribed under employment law, and is not accessible or usable for other reasons.

For example…

A company may maintain health-related information on disabilities that impact the workplace for specific individuals in order to comply with required reporting under employment laws. It cannot use that data to target those employees with marketing for services or products that it partners with third parties to offer its employees.

Employment Contracts and Data Collection

Employment contracts play a crucial role in governing how employers collect and use data in the workplace. These contracts typically outline the terms of employment, including job responsibilities, compensation, and benefits. They may also include provisions related to data collection and use.

For example:

Consent to Data Collection

Employment contracts may include language that requires employees to consent to the collection and use of their personal information as a condition of employment.

It's important for employees to understand what information is being collected and how it will be used.

Use of Company Devices

If an employee is provided with a company device, such as a laptop or smartphone, the employment contract may include provisions related to the use of these devices.

Employers may reserve the right to monitor employee activity on these devices, which may include emails, messages, and internet usage.

Confidentiality / Non-Disclosure Agreements

Many employment contracts include provisions related to confidentiality and non-disclosure of sensitive information, such as trade secrets or customer information.

Employees should be aware of these provisions and understand their obligations to maintain confidentiality.

In addition to employment contracts, certain laws provide employees with rights related to data collection and use at work.

National Labor Relations Act (NLRA)

  • Protects employees’ rights to engage in “concerted activity”, such as discussing wages and working conditions with coworkers

Equal Employment Opportunity Commission (EEOC)

  • Prohibits employers from discriminating on the basis of race, color, religion, sex, or national origin in the collection and use of personal information

Expectation of Privacy on Company Devices

If your company provides you with a device, you should not expect to have privacy related to the utilization of that device.

Most companies that provide devices have a decent amount of administrative privilege over the devices they hand out and keep logs related to them. Here are a few examples of why they do this:

  • Lost device: Your car gets broken into, and your work laptop is stolen. You report it to your IT department, and they use their administrative privileges to remotely access the device and wipe its contents.

  • Automated timecards: Your company has a lot of hourly employees and finds itself adjusting timecards frequently because people forget to clock in or out. It decides to implement a policy where hours are automatically logged when you turn your work laptop on in the morning and turn it off in the afternoon, and it tracks the logs from each device to know when that occurs.

The reasons why employers may monitor employee activity on company devices vary, but they generally include protecting company assets and ensuring compliance with company policies. Additionally, employers may monitor communications on company devices, such as emails or texts, for generally the same reasons.

Remember as well that when you’re using a company device, the company usually doesn’t have a way to filter any of the logging it does. This is important because it means that whatever is being used to track the activity on that device can probably log detailed information about your personal accounts should you use your company device for that purpose.

We strongly discourage ever using a company device, phone number, or email to conduct any personal business. Even if you think you’re comfortable with what you believe they can see, they might be able to see more than you expect.

Companies are generally not required to notify you that they’re monitoring you on company devices, but may choose to do so. Additionally, comprehensive privacy laws that include employee data in their definition of Personal Information may change the practice for notifying individuals about monitoring practices.

It’s important to understand that as an employee, you do not have an expectation of privacy when using a company device, and should only use that device for work-related activity.

By staying informed and vigilant, employees can protect their personal information and ensure that it is being collected and used appropriately in the workplace.
