
WHAT STATE AGENCIES CAN DO


Presentation Transcript


  1. WHAT STATE AGENCIES CAN DO To Protect Employee Privacy During Investigations of Workplace Misconduct

  2. Overview • Four Rules • Relevant Cases and Statutes

  3. Four Rules • Rule 1: Have an Appropriate Acceptable Use Policy and Disseminate it Properly • Rule 2: Have an Appropriate User Responsibility Policy and Disseminate it Properly • Rule 3: Where at all possible, avoid providing VPN access to users via their home computers (as opposed to state-issued computers) • Rule 4: When investigating workplace misconduct make sure that searches of employee offices, and employee hard drives, disks, and other IT equipment used only by the individual employees are: • Justified in their inception • Permissible in their scope

  4. Rule 1 Have an Appropriate Acceptable Use Policy and Disseminate it Properly

  5. An Appropriate Acceptable Use Policy • Scope: all Commonwealth IT resources • Applicability: all users of Commonwealth IT resources (don’t limit to employees; include contractors, elected officials, unpaid interns, etc.) • Failure to observe results in discipline • Defines acceptable and unacceptable uses of Commonwealth IT: • Data confidentiality • IP protection • Computer viruses • Network security • Email use • No expectation of privacy • Use of system is consent to policy

  6. All ANF Agencies are subject to the ANF AUP (unless they adopt a similarly protective agency policy). ANF Policy available at http://mass.gov/portal/index.jsp?pageID=agcc&agid=eoaf&agca=policiesinitiatives&agcc=otherpolicies

  7. Proper Dissemination • Post it on your agency intranet and internet sites • Provide to all IT resource users • Incorporate in contracts • Mail link to users annually • Update periodically • Document dissemination

  8. Rule 2 Have an Appropriate User Responsibility Policy and Disseminate it Appropriately

  9. A Proper User Responsibility Policy • Explains why the user has been granted Log-in IDs for systems and networks • States that user must keep Log-in ID confidential • Limits choice of passwords • Notifies that use of Log-in ID is a privilege that may be revoked • Sole responsibility of user

  10. Proper User Responsibility Policy • Report to ISO if compromised • Data release only consistent with law • Remote access issues • Discipline including termination for violation • Reiterate acceptable use • Current monitoring and potential screening • Contact information for ISO • (OER Review)

  11. Proper Dissemination • Same as dissemination of AUP, but instead of disseminating as policy to all, at hire or first engagement with agency, require all non-union users to sign an agreement incorporating the policy, stating the date on which they received it and had a chance to review it • Provide hard copy of policy to all union employees

  12. Rule 3 Avoid VPN Access for Users via their home computers

  13. Avoid VPN access for users via their home computers • Administrators have access to home computers while VPN session is open • Employees have a higher degree of privacy rights in personally-owned home computers • Others in household who share the PC also have privacy rights • When investigating employee misconduct, do not under any circumstances conduct a warrantless search of a telecommuter’s personal PC through your VPN connection

  14. Rule 4 When investigating workplace misconduct make sure that searches of employee offices, and hard drives, disks, and other IT equipment used only by the individual, or any other areas in which the employee may claim a privacy right, are: • Justified in their inception • Permissible in their scope

  15. Justified at Their Inception means… • There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct: • Example: Technician exploring firewall capabilities enters the term “sex” in the firewall database and discovers that a government employee user has accessed a number of sex sites using his government-issued computer in his government office, in violation of agency policy • Example: Technician in a government employee’s office installing a network connection on a network computer sees pornography files on the employee’s screen in violation of workplace policy

  16. Permissible in their scope means… • Measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct: • Example: Following agency’s discovery of sex site visit evidence in the firewall log: • Supervisor remotely reviews information on user’s computer, and only after finding further evidence of visits to pornographic sites forbidden by agency policy • Only thereafter enters employee’s private office and takes hard drive and disks.

  17. Permissible in scope, cont. • Example: Following a technician’s discovery, while installing a network connection, that the user has pornography on his government-issued computer in violation of agency policy, employer conducts full search of employee’s computer and disks.

  18. Relevant Statutes and Case Law

  19. The Commonwealth Falls into Two Legal Categories • The Commonwealth as an employer • The Commonwealth as a government entity

  20. Government as Employer • Faces the same legal landscape as all employers • Statutes and Case law

  21. As Government Entity • State is subject to Fair Information Practices Act • Fourth Amendment search and seizure issues.

  22. Statutes Affecting All Employers • State Privacy Act, Mass. Gen. L. ch. 214 • State Wiretap Law, Mass. Gen. L. ch. 272, sec. 99 • Federal Wiretap Statute, 18 U.S.C. sec. 2511 et seq. • Data privacy laws • Federal Stored Communications Statute, 18 U.S.C. sec. 2701

  23. State Privacy Act • “A person shall have a right against unreasonable, substantial, or serious interference with his privacy”. M.G.L. ch. 214, sec. 1B • Restuccia v. Burke Technology, Inc., 1999 WL 1329386 (Mass. Super. 1996): Genuine issue of fact regarding whether employee had reasonable expectation of privacy in email that he had sent to supervisor at the supervisor’s company email address that later resulted in termination.

  24. Garrity v. John Hancock Mutual Life Insurance Company, 2002 WL 974676 (D. Mass. 2002) • Plaintiffs: 2 employees and husband of one employee • Sexually explicit emails sent from husband to both employees at company email addresses • Two employees distribute these emails to other employees over company email • Employee plaintiffs fired after investigation including employer review of emails contained in backup system

  25. State Privacy Law Claim • Invasion of privacy (no citation to state privacy statute, but either the state statute or the tort of privacy invasion appears to be the basis of the claim) • Holding: no privacy violation

  26. Court quotes from Hancock’s Well-disseminated Email Policy, which Explicitly Said: • Obscene, profane, sexually oriented emails prohibited • Violators would be subject to disciplinary action up to and including termination • All information stored, transmitted, received or contained in company email systems was the employer’s property • Business or legal reasons might require company review of email messages and other documents

  27. Court’s Reasoning • No reasonable expectation of privacy in the emails among the plaintiffs because • Evidence that employee’s husband, and employee plaintiffs, assumed the emails would be forwarded to others at the company • Citation to Pennsylvania District Court case to the effect that even without an email policy, no privacy expectation in emails sent over company email system (but PA case was about privacy expectations of employees, not outsiders)

  28. Court’s Reasoning, cont. • Even if there was a reasonable expectation of privacy in the emails, Hancock’s legitimate business interest in protecting its employees from harassment in the workplace would “likely trump plaintiffs’ privacy interests”. • Both state and Federal anti-discrimination law REQUIRE employers to take affirmative steps to maintain a workplace free of harassment, investigate incidents of harassment and take prompt action

  29. Based on State Privacy Law and Hancock… • Private sector employers whose email policy forbids use of email system for certain activities do not violate state Privacy Act when reading employee emails during investigation of employee policy violations that are also violations of state or federal law. • Probable that even without an email policy, employee in a private sector company may have no privacy rights under the Privacy Law with respect to emails created or received in the workplace.

  30. Privacy of State Employee Emails • State employees have an even weaker argument for the privacy of most of their emails because the Secretary of State has ruled that emails created or received by an employee or a government unit are public record. DSPR Bulletin 1-99 2/16/99.

  31. Hancock leaves open the question: • Where there is no evidence that the non-employee sending email to an employee at his work email address knew that his email would be distributed to others in the company, are the sender’s rights under the State Privacy Act violated when, without the sender’s consent, the employer reads his email? Sender may not have as much reason to be aware of the public record nature of emails sent to the state.

  32. State Wiretap Law • Prohibits secret interception of wire and oral communications • Doesn’t apply if both parties to communication have consented to interception • Doesn’t apply to possession or use of an intercommunications system which is used in the ordinary course of owner’s business

  33. Raised by plaintiffs in Hancock because. . . • Hancock, following complaint by fellow employee regarding sexually explicit email transmitted by plaintiffs over company email system, commenced investigation • Investigation included reading backed up emails created, received or transmitted by plaintiffs. Plaintiffs claim the reading of such emails was an “interception” that violated the state wiretap law

  34. Court: No violation of State Wiretap Because: • State wiretap law applies only to interception of communications in transit; Hancock read only stored email • Even if the reading itself were a form of interception, the backup system was not an interception because it fell under the “ordinary business exemption” of the wiretap statute. (See also Restuccia).

  35. Application of State Wiretap Act to State Agencies: • Reading backed up employee emails not a violation • Screening incoming emails for viruses and spam, and screening outgoing emails is not a violation because it is “ordinary course of business” for state agencies because of data privacy laws • Intercepting incoming emails from a known source of harassing emails is not a violation

  36. State Wiretap Act Summary: Screening Incoming Emails • State agency intercepting all incoming emails on shakier legal ground: • No legal requirement under data privacy laws or discrimination laws imposed on employers to screen incoming email. • Screening all incoming email may not constitute acting in the ordinary course of business

  37. State Wiretap Act Summary: Screening incoming email • Unlike most businesses that receive email from customers, Commonwealth citizens have legitimate reasons for emailing messages to state agencies that contain words that may be picked up by screening software • Example: Citizens seeking health information may use slang terms for body parts • Citizens reporting discrimination to state agencies, quoting offensive language. • Citizens using strong language to criticize state officials

  38. Federal Wiretap Statute • Similar to state statute; does not apply to stored email communications • But only one party to communications needs to consent. 18 U.S.C. sec. 2511(2)(d). • AUP that states that users of IT resources consent to monitoring probably creates requisite consent • And provider of electronic communications service can intercept to protect the rights or property of the provider. • Screening all emails for harassing content would appear to be a means of protecting the employer’s rights to maintain a non-discriminatory workplace

  39. Under Federal Wiretap Statute • Agencies that have and disseminate an acceptable use policy stating that use of IT system is consent to monitoring and viewing of messages are not in violation of Federal Wiretap Law if they monitor both incoming and outgoing email for any purpose. • Even without an AUP, agencies monitoring all incoming and outgoing email for purposes of preventing violations of Federal or state law, reducing spam or maintaining network security are probably not in violation of the Federal Wiretap Act.

  40. Data Privacy Laws • Health Insurance Portability and Accountability Act • Gramm-Leach-Bliley

  41. Federal Stored Communications Act • Prohibits unauthorized access to electronic communication while it is in electronic storage. 18 U.S.C. sec. 2701 • An employer’s accessing of backed up emails on its own email system does not violate this act because it is not “unauthorized”.

  42. Query, however… • When an employee has VPN access through a home computer, absent a written agreement with the employee, a systems administrator’s viewing of non-work-related files on the computer during a VPN session may not be “authorized” and may therefore be a violation of the SCA. • Administrator’s viewing of files of household members of employees during a VPN session probably violates the SCA because such intrusions are certainly not authorized.

  43. GOVERNMENT AS GOVERNMENT EMPLOYER • Fair Information Practices Act • Fourth Amendment

  44. Fair Information Practices Act • State Fair Information Practices Act protects personal data (data clearly linked to an individual that is not public record) held by a “holder” agency • Most information about employees held by state agency employers is public record. • Personal data about employees (evaluations, paternity information) can be accessed by the agency’s employees during a legitimate workplace misconduct investigation without violating FIPA, but dissemination outside the agency is restricted by FIPA.

  45. Fourth Amendment • Fourth Amendment to U.S. Constitution, made applicable to states via 14th Amendment • Parallel rights under State Constitution • Where state employee has an objectively reasonable privacy expectation in a place, the state cannot search that place while investigating a workplace policy violation unless it obtains a warrant or an exception to the warrantless search rule applies.

  46. What happens if state violates this rule when investigating employee misconduct? • If the employee is later tried for violation of criminal law, evidence collected in violation of the Fourth Amendment can be suppressed. • “Bivens” action against state actors for civil money damages

  47. Scope of our discussion • NOT a discussion about legal or illegal use of warrants the state obtains during a criminal investigation by state police; • RATHER Non-criminal, warrantless searches a state agency might conduct for the purpose (but not necessarily the sole purpose) of investigating an instance of employee workplace misconduct that may also constitute a crime.

  48. O’Connor v. Ortega, 480 U.S. 709 (1987) • Fourth Amendment prohibits unreasonable searches and seizures by government employers or supervisors

  49. Government employees • Have a reasonable expectation of privacy in their offices or in parts of their offices, such as their desks or file cabinets. O’Connor. • But office procedures, policies or regulations may reduce legitimate privacy expectations. O’Connor.

  50. Even if a state employee establishes a privacy interest in the area that you search, your search may be covered by an exception to the warrant requirement for government employers • Government employer’s interest in the efficient and proper operation of the workplace may justify warrantless work-related searches. • Government agency investigations of workplace misconduct fall under this rule. • This exception can apply even if the employer is a law enforcement agency and the agent conducting the search is aware that the information collected could later be used for criminal prosecution
