Employee Privacy: What Data Employers Have No Right to Obtain

In our digital age, information is the top value. Unseen elaborate algorithms follow our every click online to build our detailed portrait for targeted advertisements. Social media know and can tell about us more than we are comfortable to admit. Even our employers may track everything we do inside the office walls - and sometimes outside too.

In 2022, an American accountant lost his job after participating in the World Naked Bike Ride. His hobby was not related to his career; he was off the clock while riding and didn't post any photos of himself online. Yet, his boss still decided to fire him after seeing a familiar face on the image posted by another participant.

This case is not unique. Employees may gather vast data about their employees, from basic contact details and past work experience to health information and political views. Collecting essential data is necessary for payroll, performance management, or other legitimate business purposes. Gathering other personal info and making managerial decisions based on it is illegal and unethical, but where is the line?

This article attempts to draw this line and delve into the critical question of what data employers have no right to obtain. Ultimately, our goal is to provide a starting point for understanding the boundaries employers must respect when collecting employee data.

The limits of what data an employer can collect are dictated by privacy and labor legislation. However, these laws may significantly vary around the world. In this article, we will briefly explore only a few key jurisdictions. To learn about the legal peculiarities of your area, we recommend consulting your lawyer.

It is worth noting that most privacy laws do not specifically cover data collection in the workplace. Instead, they set general requirements for handling personal data, which should be later interpreted for employer-employee relations. For the purpose of this article, we will describe these laws using the terms "employer" and "employee".

• Health Insurance Portability and Accountability Act (HIPAA) is the key law protecting employee health information. It restricts employers' access to employee medical records and states they can be used and disclosed only for specific purposes and with the patient's authorization.

• Americans with Disabilities Act (ADA) protects individuals with disabilities from discrimination. This act also restricts the employer's access to employee medical information. Particularly, the employer can get medical information only if it is job-related, or if the employee needs specific accommodation for their disability.

• Fair Credit Reporting Act (FCRA) regulates how employers collect, use, and disclose employee credit information. Employers generally need a permissible purpose (like a background check) and written consent from the employee before obtaining credit information.

• National Labor Relations Act (NLRA) protects, in particular, employees' rights to discuss working conditions with each other, including through social media. However, it doesn't guarantee complete privacy on social media, and employers might have some latitude to discipline employees for posts deemed disruptive or threatening to the workplace.

• Privacy Act of 1974: This law primarily applies to how federal agencies handle personal information, but it offers some insights. It establishes principles like "fair information practices," requiring agencies to be transparent about data collection and limit its use to legitimate purposes.

These are only a few key regulations concerning data protection. Additionally, there are a few state laws, such as the California Consumer Privacy Act (CCPA) that grant employees certain rights regarding the collection of their personal data by employers.

The General Data Protection Regulation, or GDPR, is the main regulation governing data protection and privacy in the EU. It sets a high bar for privacy rights, limiting the scope of data employers can collect and giving employees significant control over their data collected by employers.

Although GDPR does not clearly state what personal data can and cannot be collected, it obliges employers to adhere to the principles of transparency and necessity. In other words, they must have a valid legal basis for collecting each type of information, for example, contractual necessity, workplace security, or performance assessments. Besides, employers must be open with the employees about what data is collected, how it is used, and how long it is stored.

The GDPR requires employers to implement appropriate technical and organizational measures to protect employee data from unauthorized access, disclosure, alteration, or destruction.

In case of a data breach that poses a high risk to employee rights and freedoms, employers must notify the relevant data protection authority and potentially affected individuals.

Brazil's Lei Geral de Proteção de Dados (LGPD) is a recent comprehensive privacy law modeled after GDPR and taking effect in 2020.

Much like GDPR, LGPD does not indicate employee data that employers cannot gather. However, it establishes a framework for how employers should collect, use, and store employee personal information. Employers are obliged to acquire employees' consent for gathering their data. They can collect only the data strictly necessary for fulfilling the employment contract, ensuring workspace safety, investigating misconduct, or other legitimate business purposes. They must ensure that the collected data is stored securely and protected from unauthorized access, disclosure, alteration, or destruction. Finally, in case of a data breach that poses a high risk to employee rights and freedoms, employers must notify the Brazilian National Data Protection Authority (ANPD) and potentially affected individuals.

Personal data in China is protected by the Personal Information Protection Law (PIPL). The PIPL defines "personal information" broadly as any data that can identify a person, either alone or when combined with other information. This information includes employee data like name, contact information, employment history, performance evaluations, and health records (with additional restrictions).

According to PIPL, employers can collect and process employee data only after receiving their consent. The law also allows for other legal grounds, including contractual necessity, compliance with legal obligations (cases when data collection is required by Chinese law), and legitimate interests.

Similar to GDPR and LGPD, PIPL obliges employers to be transparent about data collection practices, in particular, by providing a clear and accessible privacy policy and implementing reasonable security measures to protect employee data from unauthorized access, disclosure, alteration, or destruction.

The described regulations seemingly give employers the freedom to collect almost any personal data as long as they can explain it with business purposes. However, in practice, it is not true.

Employers have no right to collect certain data without a legitimate justification and employee consent. This data generally falls into the following categories:

Sensitive data refers to personal information that can be used to discriminate against an individual or reveal private aspects of their life. This data includes but is not limited to race and ethnicity, religion, philosophical beliefs, sexual orientation, gender identity, and political opinions.

Collecting and using this data can lead to discrimination in hiring, promotion, or other managerial decisions. It can also create an uncomfortable or hostile work environment for employees.

Many jurisdictions restrict employers' access to employee health information. However, there are a few exceptions:

• The employee provides written consent.

• The information is necessary to administer a health plan or for workplace safety reasons (e.g., fitness for duty evaluations or arranging special accommodations for the disability).

• The disclosure is required by law (e.g., workers' compensation claims or requests for leave).

There is no legitimate reason for employers to collect extensive financial data on employees beyond basic information for payroll and tax purposes. Off-limits data, in this case, includes bank account details, credit scores, and investment holdings.

While employers may have a legitimate interest in monitoring employee conduct, they cannot extend their monitoring to personal social media accounts. For example, employers cannot require employees to friend them on social media or access private accounts because employees have a right to privacy in their social media use.

The employee's right to privacy protects them from the employer's monitoring during their time off. Employers' monitoring generally extends to work hours and work-related activities only. Collecting data on employees' off-duty activities is restricted in most jurisdictions unless there is a legitimate business justification and it doesn't violate privacy rights.

According to the Harvard Business Review, 67.6% of North American companies with 500+ employees track employee work activity with special software. Another research summarized by WifiTalents states that nearly 96% of surveyed organizations use some form of employee monitoring technology.

By its nature, employee monitoring software can collect extensive data about employees. Its most common features include email monitoring, Internet activity monitoring, screen recording, app usage tracking, and even video and sound surveillance. Employee monitoring pursues noble goals, such as ensuring proper business communication, preventing security threats, and improving productivity. However, it may occasionally collect off-limits personal data if not implemented with legal and ethical considerations in mind.

The legality of employee monitoring practices may vary depending on location. Some regulations, such as GDPR, dictate stricter employee privacy rights, limiting the allowed monitoring scope. That is why employers should study and understand the applicable laws in their area before implementing any kind of employee monitoring.

From an ethical point of view, the principles of transparency, proportionality, and justification should guide the usage of employee monitoring software. Employers must limit data collection to strictly necessary aspects and balance data collection with employee privacy rights. The best way to do it is to choose adaptable employee monitoring solutions that can easily be tailored to avoid collecting excessive data.

In this case, you can disable unnecessary tracking features to avoid collecting excessive data and adhere to the applicable regulations.

Also, consider monitoring programs that allow employees to start and stop monitoring manually. This option lets employees protect the data they do not want to be recorded. It will be especially helpful for remote employees or those who use personal devices for work.

Understanding privacy rights is vital not only for employers but also for employees. It empowers them to take control of their personal data in all spheres of their lives, including the workplace. The specific rights granted to employees and the relevant laws will vary depending on their location. For example, GDPR, LGPD, and PIPL grant employees several important rights regarding their data:

The right to access: Employees can request access to their personal data held by the employer.

The right to rectification: Employees can request corrections to inaccurate or incomplete data.

The right to erasure (also known as the "right to be forgotten"): In certain circumstances, employees can request the deletion of their personal data.

The right to restrict processing: Employees can restrict how their data is used.

The right to data portability: Employees can request to receive their personal data in a structured, commonly used format and have it transferred to another employer (if technically feasible).

It's important to note that these are just general examples. We encourage employees to consult with legal resources or privacy professionals to understand their specific rights regarding data privacy in the workplace.

The digital age has blurred the lines between work and personal life. Employers can collect and access vast employee data, raising critical questions about privacy and ethical boundaries. Employers' legitimate business interests, such as security, productivity, and legal compliance, should not cross the line between the necessity and employees' private lives. Companies should understand the legal boundaries and balance their interests with respect for employee rights.

For businesses, we recommend consulting with legal counsel to ensure your data collection practices comply with relevant laws. Consider implementing clear and accessible privacy policies that outline the types of data you collect, how it is used, and employee rights regarding their data.

For employees, we advise familiarizing yourself with your data privacy rights in the workplace. Many jurisdictions grant employees rights to access, rectify, or even delete their personal data. Don't hesitate to seek legal counsel or consult with privacy professionals if you have concerns about your data being collected by your employer.