Employee Privacy to See Advances in 2023
In line with our recent predictions, this week ADCG will focus on employment trends and concerns in the privacy industry in 2023.
Data privacy of individuals has been a primary consideration amongst consumers and legislators in the last several years. One privacy matter that ADCG believes will be at the forefront of discussion in 2023 is an employee’s right to privacy in and out of the workspace.
As this Information Week article points out, it is “common” for human resources (HR) departments in an organization to “search social media regarding job candidates as part of the hiring process.” This process often times results in many personal details of an employee’s life, unrelated to their role of employment in the organization, being revealed, reported to others within the organization, and, sometimes, documented.
Another practice presenting privacy concerns is the tracking of employee activities that are conducted while they are at work. As Information Week points out, “any employee activity conducted while an employee is at work can be monitored and/or restricted by employers.” This can include “phone calls, emails, computer use, internet and website access, system access, observations throughout facilities and grounds with cameras[.]” Organizations can monitor employee’s online presence by tracking and blocking access to certain websites through the use of system controls. Likewise, organizations can physically monitor people’s presence on company grounds by permitting access to certain areas or technologies through the use of “card keys, biometric identification, user IDs/passwords, and cameras.”
Despite the commonality of these workplace practices, Information Week points out that these practices may violate an employee’s “fundamental human right” to privacy as they could be considered a violation of Article 8 of the US Human Rights Act. Under Article 8, “personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not shared without your permission, except in certain circumstances.” This begs the question — is acceptance of an employment position considered an extension of permission to be monitored, tracked, and surveilled?
If you are an employee in the state of California, the amendments to the California Consumer Privacy Act (CCPA), contained in the California Privacy Rights Act (CPRA)—which became effective on January 1, 2023—provide a clear answer: if you are a California employer, you must notify your employees of any data collection that relates to their personal information.
Additionally, this JD Supra article proposes that in 2023, the answer to that question may be clear to employees outside of the state of California.
According to JD Supra, “[s]tates are trending towards increasing transparency and privacy in the workplace by passing laws that require employers to notify employees if they are monitoring them.” In fact, in 2022, New York, Connecticut, and Delaware each enacted regulations that require private employers to provide employees with written notice of any monitoring practices of the employee’s email, internet access or usage, or telephone conversations. Similarly, Texas law prohibits the monitoring of an employee’s electronic communications beyond their own communication systems, as the state considers it to be “an invasion of privacy.” JD Supra predicts that “it is likely that other states will follow the trend and pass legislation that seeks to limit and/or require notice to employees of monitoring activities taking place in the workplace.”
In light of these legislative shifts across the country, JD Supra notes that it is now more important than ever that a business establish and maintain a “comprehensive and robust privacy policy detailing how an employee’s personal data will be collected, processed, stored and shared.”
Of the many details that should be addressed in your privacy policy, we recommend consideration of the following matters:
Any monitoring that may be conducted relating to an employee, including, but nor limited to, phone calls on work phones and personal phones; internet browser usage; file storage on work computers or personal computers that have access to organizations’ systems; and video monitoring on company devices or in company-owned spaces
Privacy policies for the use of personal devices for work-related matters and personal matters, on company networks or internet connections
Acceptable use policies
The collection of employees’ biometric information
Storage and retention policies for any personal information or data collected from an employee
* * * * * * *
To read our news alerts discussing: new state privacy bills, changes to the European Union’s regulatory oversight process, and fake Chat GPT apps, click here.
This week’s breach report covers breaches of the following companies: JD Sports, Sharp, Motto Mortgage, TruthFinder, and Google Fi. Click here to read each report.
Our Podcast returns this week with EPISODE 85 as we are joined by Violet Sullivan, Vice President of Client Engagement for Redpoint Cybersecurity, and incident response expert. Violet discusses how incident response has changed over the past five years, how ransomware has changed IR plans and how companies respond to attacks, and how cyber insurance has pushed revisions to incident response and much more. Click here to listen.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
84 | Internet Archive Project Related to Russia’s War with Ukraine (With guest Mark Graham)
83 | Geofence Warrants and January 6: Constitutional and Privacy Issues (with guest Matthew Esworthy)
82 | A Look at the Consequences of the Uber and Twitter CISO Cases (with guest Ron Raether)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.