Specific Legal Limits on Workplace Surveillance

Legal limits on workplace surveillance fall into the categories of constitutional protections and specific laws.

Constitutional Protections

If you're concerned about the privacy of your conversations at work, you're marginally better off if your employer is a government agency or department (see the discussion in Chapter 6 on the legality of searches). At least in theory, a government is barred by the Fourth Amendment (either directly, in the case of the federal government, or indirectly, in the case of state and local governments) from conducting unreasonable search and seizures against its employees. Since the Fourth Amendment does not apply to private employers, they are under no such constitutional constraints, although they may be subject to state constitutional and statutory limitations.

For some years now, civil libertarians have worried that the Rehnquist Court was intent on gutting the Fourth Amendment in an effort to reduce the possibility that obviously guilty defendants would walk free due to a search-and-seizure technicality. Those fears were allayed to some degree by the Court's recent ruling in Kyllo v. United States, in which the Court held that police could not use thermal imaging technology to "see" inside a house to determine whether someone was using heat lamps to grow marijuana. ^[6]

Nonetheless, when it comes to places of employment, the Fourth Amendment is not much of a shield. The lead case in this area is O'Connor v. Ortega, which dealt with a university hospital physician who sued the hospital and assorted individuals after they conducted a search of his desk and file cabinets while he was out of the office. ^[7] Hospital management justified the search on the grounds that they were looking for evidence to support or refute a claim of wrongdoing against the physician.

The Supreme Court's decision was split, but a majority of the justices agreed on a few general principles. First, the Court declared that public employees can in fact have an expectation of privacy at their workplace. However, the Court also said that determining whether a search of a government employee's workspace is reasonable depends on the context of the search. In addition, the employee's legitimate expectation of privacy must be balanced against the government's interest in supervision, control, and the smooth operation of the workplace.

The Court concluded that it would seriously disrupt the operation of the workplace if a government employer was required to get a search warrant every time it wanted to enter employee workspace for a work-related purpose. Likewise, the Court held that imposing the traditional "probable cause" standard for this type of workplace search would also be inherently unreasonable.

The Ortega decision helped lead to the somewhat ironic situation that in terms of workplace searches and seizures, an employer's best course of action is to make it clear to employees from the outset that they have little or no right to privacy in the workplace. In Schowengerdt v. General Dynamics Corp., a later decision that relied on Ortega, the U.S. Court of Appeals for the Ninth Circuit held that the privacy rights of an employee at a secret weapons facility were not violated when the employer searched his office, desk, and credenza. ^[8] Specifically, the court found that the employer had clearly warned employees that due to the sensitive nature of the work being done at the facility, both scheduled and random searches would be conducted. As a result, the Ninth Circuit said the employee had no reasonable expectation of privacy.

Similarly, when a police officer who was suspected of misconduct challenged the reasonableness of a search of his desk, a state-owned vehicle, and a locked briefcase, the U.S. Court of Appeals held that the police department was entitled to weigh the interests of the public when deciding whether to conduct the search. ^[9] The court concluded that there was little question that the searches of the office and the vehicle were justified. While an officer has a greater expectation of privacy in a locked briefcase than in his department-issued patrol car, the court nonetheless agreed that under the circumstances, opening the briefcase was reasonable.

Not every privacy case brought by a disgruntled public employee has resulted in a ruling in favor of her employer, but the majority have. However, the difficulty that public employees have in protecting their privacy in the workplace, despite the nominal aid of the Fourth Amendment, helps to underscore how tenuous privacy is in the private workplace.

The National Labor Relations Act

As we saw in Chapter 2, the struggle to unionize has been one of the more violent and confrontational themes in our nation's history. Particularly in the tumultuous years at the end of the nineteenth century, the battles between employers and employees were so frequent and so pitched as to nearly constitute a second civil war.

Unions hit their high-water mark over a twelve-year period beginning in 1935, when the National Labor Relations Act (NLRA) was passed, and 1946, when membership in unions hit its highest level of 30 percent of all workers. Since that time, union membership has fallen to less than 15 percent of the workforce, and business organizations have steadily chipped away at the provisions of the NLRA and other proemployee statutes.

Nonetheless, most of the core provisions of the NLRA remain intact, and one of the issues they directly address is the issue of surveillance of employees. Specifically, the Act bars employers from spying on employees engaged in union activity. Forbidden types of spying include eavesdropping on employee conversations; taping, filming, or photographing employees; tapping phones; and/or monitoring attendance at union functions. It is important to note that the NLRA does not require evidence that an employer actually engaged in surveillance of union activities; it is sufficient to show that the employer created the impression that such surveillance was taking place, and that the impression of surveillance intimidated employees from engaging in union activity.

In addition to establishing standards of conduct for employers, the National Labor Relations Act also established the National Labor Relations Board (NLRB) to serve, among other things, as the arbiter of employer/ employee disputes over surveillance of union activities. In determining whether a particular type of surveillance is permitted, the NLRB looks at two main factors: the purpose of the surveillance and the locations being observed. If the employer can articulate a legitimate purpose for the surveillance and the location of the surveillance was not chosen in an effort to discourage union participation, then the NLRB will generally permit it.

Not surprisingly, video surveillance has been a particularly contentious issue for the NLRB. In 1994, unionized employees at a Colgate-Palmolive facility in Indiana discovered hidden cameras in an exercise room and company bathrooms. The company removed the cameras, but asserted that it had a right to conduct hidden surveillance without prior agreement by the union. The union disagreed and asked the NLRB to rule that the use of surveillance cameras was subject to mandatory bargaining between the company and the union. The Board ruled that the use of hidden surveillance cameras was a mandatory subject of collective bargaining because "installation of surveillance cameras is both germane to the working environment and outside the scope of managerial decisions lying at the core of entrepreneurial control." ^[10]

In reaching its decision, the NLRB apparently disregarded an earlier decision in which it accepted a ruling by an administrative law judge that bathroom surveillance was acceptable without union consent. In that case, however, the specific conduct that the company was trying to prevent (tampering with fire alarms) was occurring in the company washrooms. As a result, the administrative law judge concluded that the hidden surveillance was justified.

Overall, hidden surveillance has not been well-received by the Board. Just last year, the NLRB held that even where a union failed to object to hidden surveillance cameras, an employer was still required to bargain over the issue if the union objected to their use at some later date. ^[11]

Monitoring of employee e-mail is also subject to NLRB scrutiny if union activity is an issue. For example, an employer that permits its employees to use the company e-mail system for personal messages cannot then ban union-related e-mails. ^[12]

The Electronic Communications Privacy Act

Belatedly recognizing the fact that technology was making it possible for employers to routinely monitor employee phone conversations and other types of communication, Congress passed the Electronic Communications Privacy Act (ECPA) in 1986. The ECPA is an amendment to the earlier Omnibus Crime Control and Safe Streets Act of 1968, which established basic standards for wiretapping by federal agents. By the mid-1980s, however, it was clear that courts were struggling to apply the wiretap law to new technology. Ironically, the same thing is now happening to the ECPA.

The basic principle of the law is straightforward: It is unlawful (with certain exceptions) to "intercept" any wire, oral, or electronic communication or to access any stored wire or electronic communication. One major problem is that when the ECPA was adopted, e-mail systems were not yet common, particularly in the private sector. In the sixteen years since the ECPA was adopted, of course, e-mail has become a phenomenally popular and common means of communication.

While the law offers greater electronic privacy for most people (since it extended the prohibition against interception from telephone conversations to e-mail and other forms of electronic communication), it can be viewed as a step backward for employees. As a general rule, federal law prohibits eavesdropping or the recording of a conversation unless at least one party to the conversation has given her consent (or the eavesdropping was previously approved by court order). However, the ECPA contains a number of exceptions that weaken the application of that principle in the workplace.

The primary problem is that the ECPA allows a "systems provider" to access electronic communications like e-mail without liability. There is a broad consensus that the provision covers commercial providers like America Online and Yahoo!, but there is some debate over whether it covers so-called employer-providers, i.e., a company that creates and maintains its own internal e-mail system. By and large, however, most legal analysts assume that a business that provides an internal e-mail system is a "systems provider" within the meaning of the statute, and therefore is free to examine e-mail on its system.

As we saw in Chapter 6, surveillance of voice communications is a little trickier for employers, since relatively few companies are providers of telephone systems within the meaning of the statute. However, under the ECPA, businesses can rely on at least two other exceptions to conduct surveillance of employee phone calls.

First, the ECPA contains a provision that allows an employer to monitor conversations in the "ordinary course of business," so long as the company uses equipment typically furnished by a telephone company in connection with phone service. This is the reason you often hear the phrase "This call may be monitored for quality assurance." Second, if an employee has given his consent (either actual or implied), then the employer may also monitor telephone conversations. Your employer can create implied consent for telephone call monitoring through the simple expedient of informing you that your conversations will be monitored and by describing the manner in which such monitoring will take place.

In either case, your employer is required to stop monitoring as soon as she determines that a phone call is personal and not job-related; however, that determination can take a few minutes, which is often all the time an employee spends on a personal call.

As is so often the case, the pace of technology has outstripped Congress. The ECPA was virtually out-of-date when it was passed, and the technological innovations of the last sixteen years have exacerbated the problem. When the law was passed, for instance, the World Wide Web was still a gleam in the eye of Timothy Berners-Lee; communication tools like ICQ, Internet relay chat, and AOL Messenger were still years in the future; and completely unforeseen were technologies like Internet telephony and the rapidly approaching video conferencing.

Clearly, in passing the ECPA, Congress intended to permit the providers of an e-mail system to engage in surveillance to protect their rights and property interests. Frankly, it's unrealistic to expect a pronouncement any time soon from Washington that businesses cannot monitor their employees' e-mail or other forms of online communication—there are too many sound reasons for doing so. But at the very least, Congress could require businesses to tell employees what they're doing and how they're doing it, and prohibit businesses from making any use of nonwork-related information it might obtain.

The Health Insurance Portability and Accountability Act

It is difficult to think of any proposed legislation over the last decade that inspired as much venom and sheer ill-will as the Clinton national health care plan. From the beginning of 1993, when President Clinton appointed his wife, First Lady (and now Senator) Hillary Clinton to head the health care task force, to the bill's ultimate rejection by Congress in late 1994, the debate marked one of the recent low points in political discourse.

Out of the ashes of the Clinton proposal came the Health Insurance Portability and Accountability Act (HIPAA), a more modest health care reform championed by Senators Edward Kennedy (Massachusetts) and Nancy Kassebaum (Kansas). Passed in 1996, the bill is designed to make it easier for employees to change jobs without losing their medical insurance. In addition, HIPAA also sets new standards for the handling of personal health information (PHI), which is defined under the law as:

• Information that relates to the physical or mental health of a person (such as the individual's medical history or particular condition)

• Provision of health care to the individual (including insurance processes such as an individual's insurance case management)

• The payment of health care (including claim payments and coordination of benefits)

Under the terms of the HIPAA, the Secretary of Health and Human Services was authorized to enact standards to insure the privacy of individually identifiable health information if Congress did not pass comprehensive health care legislation by August 21, 1999. For various reasons, Congress did not meet its own deadline, so HHS Secretary Tommy G. Thompson ordered his Department to prepare the necessary standards. A proposed Rule was issued on November 3, 1999, and comments were solicited from the public. The response was enthusiastic: HHS reported that it received over 52,000 comments on the proposed Rule. After reviewing the comments and taking them into consideration, on December 28, 2000, HHS issued "Standards for Privacy of Individually Identifiable Health Information ('Privacy Rule')."

The Privacy Rule is a enormously complex regulation. Nonetheless, absent an extension from HHS, businesses that routinely receive or handle personal health information will be required to comply with HIPAA's privacy provisions by April 14, 2003. As with other types of federal business statutes, small businesses (those with fewer than fifty employees) are exempt. In addition, if a business establishes procedures that help it avoid the receipt of personal health information, then the business is not required to comply with HIPAA's regulations.

HIPAA stipulates that businesses must take the following steps (among others):

• Create the position of chief privacy officer (CPO) to establish procedures for the handling of PHI, and to provide appropriate training to personnel who handle PHI.

• Document all privacy procedures, communications, and plan actions and maintain records for six years.

• Upon request, provide an accounting of all uses and disclosures of information to a member (including the individual or entity receiving the information, a description of the information, and the reason for the use and disclosure).

• Implement new written contracts with claims administrators, utilization review providers, and other business associates assuring they comply with the privacy rules.

• Write a detailed policy notice to employees, in plain English, outlining the plan's practices on privacy of health information.

• Decide whether to require consent forms from employees on specific employer functions.

• Separate health plan administration and PHI from other company functions, to protect the employer from a lawsuit claiming, for example, an employee was fired because her claims were costing the company medical plan too much money.

• Establish a clear, written procedure for addressing complaints and grievances.

• Amend plan documents to include a list of permitted and required uses and disclosures of protected health information with examples, including payment and processing of claims.

• Tell plan participants they may access their PHI, amend the information, receive an accounting of their PHI disclosures, and advise them of the process to address complaints. ^[13]

It's still unclear exactly how businesses will respond. There is considerable concern that the complexity of the regulations and a slow economy will make it very difficult for organizations and businesses to successfully meet the April 2003 deadline. Among other consequences, the regulations are driving the growth of a new software business sector—companies specializing in software for the handling of electronic medical records—because those types of systems can be tied into user authentication devices, including biometrics. Such devices would make it possible for a hospital, for instance, to maintain a log of everyone who accessed a particular patient's file.

^[6]U.S. (2001).

^[7]480 U.S. 709, 107 S.Ct. 1492 (1987).

^[8]823 F.2d 1328 (Ninth Circuit 1987).

^[9]Shields v. Burge, 874 F.2d 1201 (Seventh Circuit 1989).

^[10]In re Colgate-Palmolive, 323 NLRB 515 (1997).

^[11]In re National Steel Corp., 335 NLRB No. 60 (2001).

^[12]In re E.I. Dupont DeNemours & Co., 311 NLRB 893 (1993).

^[13]"Employee Medical Info Protected: New HIPAA Law Imposes Constraints on Employers," Barney & Barney, LLC (August 23, 2002).