Federal Privacy Requirements

From: Staffing



This article reviews some of the methods employers may use and some of the restrictions imposed on the use of these methods to gather information in the workplace on job-related concerns. The contrast between employees’ expectations of personal privacy and employers’ understandable desire to collect and use employee information for efficient management has increased tension over workplace privacy issues.

Although public attention has been focused on drug and alcohol testing in the workplace, this testing is not the only privacy issue. Employers are using an increasing number of screening devices and investigative tools to ensure that potential and current employees are honest, loyal, and productive, and many of these devices and tools intrude on what employees consider their personal space.

Not all states have recognized a constitutional right to privacy. Most states have, however, recognized the right of a person to be left alone, to be free from unwarranted publicity, and to live without unwarranted interference by the public. However, the workplace is not generally considered to be a private place and reasonable investigations of suspected misconduct and other job-related concerns are not generally considered intrusions into employees’ privacy.

Some exceptions to employer intrusions into employee privacy do exist. In the employment context, invasion-of-privacy personal-injury claims are usually made for the following actions of employers:

  • Publicizing the private affairs of an employee.
  • Intruding into an employee’s private activities in an outrageous way or in a way that causes mental suffering, shame, or humiliation to a person of ordinary sensibilities.

Investigative Methods


Public sector employees are protected by the Fourth Amendment to the U.S. Constitution. The Fourth Amendment’s protections include the right to be secure “against unreasonable searches and seizures” by the government. Because the Amendment only prohibits action by the government, it is not usually applicable to searches and seizures by private employers.

A key factor courts use to determine whether searches of employee desks and lockers and similar property were proper searches is whether the employee had a reasonable expectation of privacy concerning that property. Obviously, employees have a greater expectation of privacy with respect to searches of their persons and their personal belongings such as purses or briefcases than they do of searches of their desks and lockers.

Company policies and notices regarding searches may influence a court’s determination of whether there was a reasonable expectation of privacy. Employers should inform employees that lockers and desks are company property and, thus, subject to searches. Information on the likelihood of desk and locker searches should be distributed as part of the company’s policy manual and by notices posted throughout the workplace. Common-sense guidelines for conducting workplace searches include the following:

  • Do not search an employee without reasonable grounds for thinking the employee has engaged in wrongdoing.
  • Do not conduct intrusive body or strip searches.
  • Make certain that searches are conducted by two agents of the management, at least one of whom is of the same gender as the employee being searched.
  • Limit the search to necessary areas and persons.
  • Treat similar situations similarly.


Employers should consult legal counsel before instituting any surveillance of employees. While today’s employers have access to increasingly sophisticated ways to monitor employees, the law imposes limits on when and how monitoring techniques may be used. Employers should generally obtain employee consent for surveillance and treat acceptance of reasonable surveillance as a condition of employment.

Employers may conduct surveillance of employees to investigate or defend against a personal injury or workers’ compensation claim. Employers in these situations would typically have another employee or a private security agency conduct surveillance of the employee making the claim as a way to investigate the validity of the claim. For the most part the courts have held that reasonable and unobtrusive surveillance of an employee during a claims investigation does not constitute an invasion-of-privacy. This surveillance should, however, be done without audio.

Employers may also monitor aspects of employees’ work performance. For example, an employer might monitor the number of key strokes of a clerical employee or monitor when the employee logs on or off. Employers might also use an electronic security system to determine when an employee has been on company premises. Information obtained from such work-performance monitoring may generally be used in evaluating or discharging employees. To avoid potential claims, however, employers should obtain employee consent for such monitoring.

Monitoring Telephone Conversations

With few exceptions, state and federal wiretapping laws prohibit interceptions or recordings of phone or other verbal communications without prior consent from at least one of the parties to the communication. The Omnibus Crime Control and Safe Streets Act of 1968, more commonly known as the Federal Wiretapping Act, bans the interception of any wire, verbal, or electronic communication without the express or implied consent of a party. An employee’s knowledge of the employer’s intention to monitor a phone conversation is not considered implied consent. Employers must obtain written consent from employees to monitor wire or phone communication. Criminal and civil penalties may be imposed for violating this requirement. In addition, many states allow employees and other individuals to sue for invasion-of-privacy for eavesdropping on phone conversations by unauthorized phone taps.

Monitoring Email and Computer Use

In 1986, Congress amended the Wiretapping Act with the Electronic Communications Privacy Act to include electronic communications within its scope. Employers should also obtain written consent from employees to monitor electronic mail and other computer activities. Employers who have not obtained this consent may be subject to civil and criminal penalties for violating federal wiretapping laws or invading an employee’s privacy. In certain circumstances, restricting emails or monitoring employees’ access to known Web sites may be asserted as a violation of the National Labor Relations Act (NLRA).

Video Surveillance

Employers may conduct video surveillance of employees. However, unless an employer has obtained employee consent, the surveillance should be done without audio to prevent violating wiretapping laws. These laws prohibit interception of verbal communication, but do not apply to videotaping. Employees can sue for invasion-of-privacy based on videotaping, so video surveillance should not be done in areas where employees can reasonably expect privacy, such as bathrooms. The National Labor Relations Board (NLRB) has determined that in dealings with unions, employers must bargain over video surveillance.

Drug and Alcohol Testing

Because of a right of privacy that is recognized in the jurisdiction, either by constitution, statute, or case law, some states prohibit or restrict suspicionless drug and alcohol testing (such as random testing or automatic post-accident testing) unless the employee is in a safety-sensitive position. Such states include California, Minnesota, Massachusetts, and New Jersey, among others.

In one case, for example, the New Jersey Supreme Court upheld random drug testing, but only for employees in highly safety-sensitive positions. Recognizing that employee privacy rights under the state’s constitution or common law are affected by drug-testing programs, the New Jersey Supreme Court held that the reasonableness of a drug-testing program will be determined by balancing the employer’s and employee’s respective interests. In the case at issue, workplace safety was found to outweigh the employee’s privacy interests where an “employee’s duties are so fraught with hazard that his or her attempts to perform them while in a state of drug impairment would pose a threat to co-workers, to the workplace, or to the public at large . . ..” As a lead pumper at an oil refinery (Coastal), the plaintiff employee supervised and instructed “gaugers,” whose duties included blending gasoline with additives and managing the flow of gasoline products through the refinery. The employee’s job required him to make precise calculations, interpret orders, and convey them to the gaugers, and to keep accurate records for the next shift’s lead pumper. Errors in the lead pumper’s judgment or calculations could result in product overflow, which in turn could cause a fire or explosion. In sum, New Jersey’s highest court agreed with the intermediate court that “[b]ecause the safety-sensitive nature of Hennessey’s employment raises the potential for enormous public injury, the public policy supporting safety outweighs any public policy supporting individual privacy rights.”

The court’s decision, however, contained guidelines for employers conducting random testing to minimize the impact on privacy. These guidelines, which can and should be addressed in a comprehensive substance abuse policy, included the following:

  • Using the least-intrusive testing measures necessary to determine drug use.
  • Maintaining confidentiality of the results.
  • Giving employees notice of the drug-testing program’s implementation.
  • Detailing employee selection methods.
  • Warning employees of the lingering effect of drug use.
  • Explaining how the sample will be analyzed.
  • Notifying employees of the consequences of testing positive or refusing to take a drug test.

Polygraph Testing

The Employee Polygraph Protection Act of 1988 (EPPA) covers most private employers as follows:

  • Prohibits most private employers from using lie-detector tests to screen applicants.
  • Prohibits most private employers from requiring an employee to take a lie-detector test.
  • Permits private security firms and drug companies to use polygraph tests with applicants and employees.
  • Exempts federal, state, and local governments from the law and allows the federal government to test private consultants and experts.
  • Authorizes civil suits by the Secretary of Labor, employees, and job applicants and gives federal courts power to prohibit further testing and to award relief such as employment, reinstatement, backpay, and fines up to $10,000.

The federal law does not pre-empt any state or local law or collective-bargaining agreement that prohibits lie-detector tests or that is more restrictive than federal law.

Honesty Testing

The EPPA does not apply to paper and pencil tests. Unless prohibited by state laws, employers may use honesty tests to attempt to identify individuals likely to engage in dishonest behavior. Employee groups have questioned the reliability of these tests and have claimed the tests are an invasion-of-privacy.

To minimize legal challenges, employers giving honesty tests should adhere to the following guidelines:

  • Use only professionally developed tests administered by qualified personnel.
  • Use each test only for the purpose for which it was designed.
  • Administer tests under the same conditions and to all applicants.
  • Do not disseminate test data.
  • Avoid entering test scores into unsecured databases.
  • Have applicants sign an informed-consent agreement before they take the honesty test.

Honesty tests are subject to the Americans with Disabilities Act as medical examinations and, therefore, may not be used to inquire into an individual’s health or medical condition.

Consumer Credit and Character Reports

The Fair Credit Reporting Act (FCRA) of 1970 regulates the use of credit information and investigative consumer reports for employment purposes. Recent amendments to the act took effect in late 1997, so employers should ensure they are complying with the current law. Briefly, employers that use an outside third party to investigate an applicant’s or current employee’s background, including criminal history and reference checking, must notify the individual and obtain consent before obtaining the report. Before the employer takes any adverse employment action, the individual must be notified of rights under the FCRA and be given a copy of the report. After taking adverse action, the employer must notify the individual; provide the name, address, and telephone number of the consumer reporting agency; provide a statement that the consumer reporting agency did not make the decision to take adverse action and is unable to provide specific reasons why the action was taken; provide the report and notify the individual of the right to obtain a copy of the report from the agency; and explain to the applicant how to dispute the accuracy of the report. Employers should review with legal counsel the specific requirements of this law for conducting background checks through third parties. Some states, such as New York, have their own fair credit reporting acts, which also should be consulted where applicable.


An efficient recordkeeping system can be an effective way to reduce vulnerability to claims by applicants and employees of invasion-of-privacy. Employers should take the following steps to ensure they have an efficient recordkeeping system:

  • Limit the collection of applicant/employee information to that which is strictly relevant to the business decisions to be made (such as hiring, disciplining, and terminating).
  • Limit the number of sources through which employee information is collected and stored.
  • Verify information through reliable sources before it is made part of an employee’s record.
  • Periodically review all employee records to remove inaccurate, outdated, or unnecessary materials.
  • Maintain separate employee personnel files for the following:
    • Routine personnel information (such as job performance or discipline).
    • Medical information.
    • Restricted information, that is, information not available to the employee such as records of investigations or letters of reference.
  • Limit access to personnel files only to those persons with a legitimate business need to know.
  • Obtain applicant/employee consent, where feasible, before releasing any information concerning the applicant or employee.

Federal Contractors, Privacy Training, and Personally Identifiable Information

Effective January 19, 2017, the Department of Defense, General Services Administration, and National Aeronautics and Space Administration issued a final rule amending the Federal Acquisition Regulation to require privacy training for contractors whose employees have access to a system of records or handle personally identifiable information. The rule ensures that contractors identify employees who handle personally identifiable information, have access to a system of records, or design, develop, maintain, or operate a system of records. These identified employees are required to complete initial privacy training and annual privacy training thereafter. A contractor who has employees involved in these activities is also required to maintain records indicating that its employees have completed the requisite training and provide these records to the contracting officer upon request. In addition, the prime contractor must apply the training requirements to all applicable subcontracts.

The minimal privacy training requirements must include all the following:

  • A revised definition for personally identifiable information.
  • The requirement for foundational as well as more advanced levels of privacy training.
  • The requirement for there to be measures in place to test the knowledge level of the employee.
  • The requirement for role-based privacy training.


A Note on Privacy and Employees’ Private Behavior

Occasionally the private behavior of employees may become a concern for employers. Romantic relationships may develop between co-workers, for example, and this may concern employers, especially when the relationship is between a supervisor and a subordinate. An employee’s off-duty conduct may be seen or reported as offensive and this could become a concern for an employer.

The standard generally applied by courts is that an employer has a legitimate concern with an employee’s private conduct only when the employer can establish a connection between the private conduct and the employer’s business interests. Employers who discipline or terminate employees for their private conduct are required to apply the same standards to men and women, particularly in the area of sexual conduct.