workplace privacy between coworkers

© 2007 Wiley Periodicals, Inc.Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/ert.20158

107

Workplace Privacy Between Coworkers

Lynn Lieber

Workplace privacy can be a challenging topic for both employeesand employers. Much of the discussion, legislation, and litigationhas focused on trying to define the boundaries of privacy be-tween an employer and its employees. Most employees are awarethat their employers may monitor their communications insideand outside the company and that, when they use company-provided electronic equipment and systems, what they do andsay is subject to recording and review by the company. But howmany employees think about the fact that their own colleaguesmay have access to their communications or other personalinformation?

Recently, a Wal-Mart systems technician was fired from Wal-Mart for allegedly recording telephone conversationsbetween the corporation’s public relations employees and a NewYork Times reporter using company-provided equipment. He alsoallegedly intercepted text messages, without authorization,involving persons who were not Wal-Mart employees. The situa-tion raises some intriguing questions for human resources profes-sionals about an employee’s obligation to protect the privacyrights of coworkers. Most employees are aware of their generalobligation not to reveal private information about coworkers.However, most employees are not aware of when they cross aline and expose themselves to possible liability for disclosure ofthat information.

WHAT ARE EMPLOYER RESPONSIBILITIES IN PROTECTINGEMPLOYEE INFORMATION?

Employers must comply with a variety of laws intended to pro-tect the confidentiality of certain types of employee information.

Questions—and Answers

ert342_12_20158.qxp 6/26/07 2:31 AM 07

Employment Relations Today

In addition to being required generally to maintain the privacy of employeefiles, employers must also comply with legal requirements to protect the pri-vacy of employee medical information and personal information, such asemployee names coupled with Social Security numbers or driver’s licensenumbers. In fact, a few states no longer allow employers to use Social Secu-rity numbers as part of any system password login or as part of employeeidentification numbers. These numbers also must be removed from mostother employment-related paperwork.

Employers have recently struggled with laws that have onerous andexpensive notification requirements where there is an actual or suspectedbreach of data security. The breaches can result from intentional criminalactivity or from the unfortunate theft of a company laptop that was left in a car. In 2002, California became the first state to enact a data-breach-notification statute to address the issue. As of January 1, 2007, 33 otherstates had enacted notification laws. Some of the laws allow private prose-cution by the victims, and others limit prosecution to the state attorneygeneral, and even more are silent about whether or not private lawsuits arepermitted. Regardless, it is clear that employers must comply with the lawsand take appropriate precautions to protect employee information frominappropriate disclosure. But many of these laws also implicate legal claimsbetween employees where personal information is accessed without autho-rization and/or misused.

ARE EMPLOYEES REQUIRED TO PROTECT COWORKER INFORMATION AS CONFIDENTIAL?

The answer depends on the circumstances, the type of information, whoused the information and how it was used, and the particular laws that may apply. Assuming the “right” circumstances, there are several laws thatwould apply to protect employees from disclosure and misuse of personalinformation by coworkers.

In California, Article 1, Section 8, of the California Constitution estab-lishes a general right to privacy that would allow employees to sue cowork-ers for invasion of privacy. Other states have similar provisions in theirconstitutions and/or include an employee’s right to privacy in their laborstatutes. The common laws of most states recognize several types of civilclaims for invasion of privacy. These laws effectively establish that cowork-ers do have an obligation to protect certain kinds of private informationabout coworkers from various types of disclosure and use.

An employee can sue both the employer and coworkers for invasion ofprivacy. In fact, because of the serious legal consequences to employers forfailing to protect private information adequately, many employers now

Lynn LieberEmployment Relations Today DOI 10.1002/ert

108

ert342_12_20158.qxp 6/26/07 2:31 AM Page 108

Summer 2007

require employees to sign confidentiality agreements that also include theobligation to protect the private information of other employees fromdisclosure. Interestingly, those contracts can be used as evidence in claimsby coworkers against each other. The data-security-breach notification lawsthat apply to employers are, in large part, intended to address the ever-increasing problem of identity theft. What if a data security breach is theresult of a coworker misusing employee information he or she found in the workplace? This can occur because an employee discovered a printout ofemployee names, addresses, and Social Security numbers that was originallygenerated for a legitimate business reason but was not properly secured. Itcan also occur because a manager did not properly secure an employeepersonnel file. Or it may be because an employee improperly accessed aparticular database. Regardless, if the information is misused by a coworker,that coworker could be liable to the employee for invasion of privacy andcould face criminal prosecution. Additionally, the employer could be liableif the coworker obtained the information because the employer did nothave appropriate controls in place to protect the information from improperaccess.

In addition to Social Security numbers and similar types of information,the privacy of medical information is also protected under the Americanswith Disabilities Act (ADA), the Health Insurance Portability and Account-ability Act (HIPAA), the states’ equivalents to those laws, and statutory andcommon law for invasion of privacy. For example, if an employer retainsinformation about an employee’s medical condition as part of its effort toprovide a reasonable accommodation at work, the employer must safeguardthe privacy of that information. Coworkers (with or without authorizedaccess to that information) must also protect the information, and failure todo so could subject them to liability for invasion of privacy. Even if accesswere authorized, the coworker could be sued by the employee for invasionof privacy if the coworker improperly disclosed the information. Theemployer could take other action against the coworker as well, includingtermination of employment.

Invasion-of-privacy claims also apply to other types of personal informa-tion, depending on what it is and how it was used. Employees reveal a greatdeal of information about themselves at work, whether or not they intendfor others to hear or see it. If one employee uses that information improp-erly, the other employee may be able to state a claim.

Not all employee information is protected, and not all disclosure and useof information will support invasion-of-privacy claims. However, there aresufficient legal consequences for employees to understand they have signifi-cant risks as individuals if they use or disclose other employees’ privateinformation.

Questions—and AnswersEmployment Relations Today DOI 10.1002/ert

109

ert342_12_20158.qxp 6/26/07 2:31 AM Page 109


CAN A COWORKER BE HELD LIABLE FOR DISCLOSING PRIVATEINFORMATION IN CONNECTION WITH ALLEGED VIOLATIONS OFWORKPLACE DISCRIMINATION OR HARASSMENT LAWS?

In some situations, employees may be privileged to disclose informationeven if it is otherwise considered private. Workplace harassment and dis-crimination are two such situations. The effectiveness of discriminationand harassment laws depends, in large part, on employees coming forwardwith information about certain kinds of inappropriate conduct so that acompany can investigate and respond to the information in an effort tohelp prevent and eliminate illegal conduct at work. In such situations, thelaws generally protect an employee from liability to the coworker for dis-closure.

If an employee and his or her supervisor are having a romantic affair thatanother employee discovers, that employee may decide to disclose it to thecompany because he or she reasonably believes the affair explains why the coworker has been getting all the plum assignments, better bonuses andraises, or better promotional opportunities. In that context, disclosure shouldnot subject the employee to liability even if an investigation reveals that theemployee was incorrect about the supervisor’s motives.

Employee disclosure of otherwise private information about an em-ployee’s personal life or beliefs may also be protected by harassment anddiscrimination laws. For example, what if a supervisor operates an anony-mous blog called “superiorityofwhites.com”? He does it on his own time,uses his own equipment, and never uses the company’s name. If an em-ployee discovers this information, it would be legitimate for the employee totell the company so it can review whether the supervisor is making inappro-priate employment-related decisions that are influenced by his personalbeliefs. The supervisor would likely not succeed in a claim against theemployee for invasion of privacy.

Other workplace laws may also protect employees from liability tocoworkers for disclosure of their personal information. Workers’ compensa-tion and safety laws are two additional examples. An employee who is offwork because of an alleged work-related injury would be hard-pressed toestablish a claim against a coworker for passing on otherwise private infor-mation to the employer or insurance carrier that could undermine the legiti-macy of the workers’ compensation claim. So long as it was reasonable forthe coworker to believe that the information was true and relevant to theworkers’ compensation claim, the coworker’s disclosure of the informationcould be viewed as intended to help prevent fraud. In that case, the em-ployee would have some protection from an invasion-of-privacy claim fromthe other employee.


110

ert342_12_20158.qxp 6/26/07 2:31 AM Page 110

Summer 2007

CAN AN EMPLOYEE BE SUED BY A COWORKER FOR SLANDER OR LIBEL FOR DISCLOSING PRIVATE INFORMATION?

If an employee “publishes” information about a coworker, depending on thetype of information, whether it was true, to whom it was disclosed, and the reason for the disclosure, the employee could be liable for defamation.Defamation involves false claims published to others that expose a person to hatred or ridicule or have a tendency to harm a person’s reputation. Ifdefamation is oral, it is called slander. If it is in written form or some otherfixed representation (such as a picture, cartoon, or other effigy), it is libel.These can be challenging claims to prove and there are several significantdefenses, including the fact that the statement was true. However, some-times even truth is not a defense, particularly if it was an “unprivilegedcommunication.”

One form of slander, slander per se, involves a false or unprivileged com-munication that charges someone with a crime or having been indicted, con-victed, or punished for a crime. If a coworker learns that another employeewas convicted of a crime and tells other employees about it, the coworkercould be sued by the employee for slander per se. If the information weretrue, some states would dismiss the claim. However, other states could stillfind it slanderous if there was a motive to cause harm (malice) by disclosingit and the other employees did not have a legitimate business need to knowthe information.

The situation is different when the information is false. Suppose a co-worker overhears a female employee on the telephone say: “I met a wonder-ful man at the bar last night, and we had a great evening together.” If thecoworker misrepresents the information and posts the information to a blogor tells others that the employee has “one-night stands” with men she picksup in bars, this could be slander per se against the employee because somestate defamation laws expressly protect individuals from statements that“impute chastity.” This example also raises issues about workplace harass-ment. Regardless of whether the coworker was a supervisor, if there wereenough incidents like this to create a hostile work environment for thefemale employee, the coworker could be held personally liable to the em-ployee under some antiharassment laws.

Employees learn private information about each other every day at work,whether because they are responsible for monitoring communications orbecause they overhear break-room conversations or see personal letters oncoworkers’ desks—regardless of how they acquired the private information,they run the risk of being sued for defamation by other employees. It is notunusual for coworkers to hear stories about why a particular employee mayhave been fired. Those stories may or may not be accurate. But in addition


111

ert342_12_20158.qxp 6/26/07 2:31 AM Page 111


to defamation, a coworker could be sued for invasion of privacy and inter-ference in contractual relations if he or she discloses those stories (or any-thing about the former employee’s employment) to a new or prospectiveemployer.

IS IT EVER PERMISSIBLE TO VIOLATE A COWORKER’S PRIVACY RIGHTS?

If an employee discloses that another employee is engaged in illegal activity,there are many circumstances in which the employee would not be heldliable for the disclosure. Sarbanes-Oxley and a variety of whistleblower lawswould protect the disclosure. It also may be protected if the disclosure wasmade to the police or in another official judicial or government proceeding.

For example, suppose one employee reasonably believes that anotheremployee is taking kickbacks from a vendor being considered for a contractwith the company or is falsifying business receipts so he or she can getreimbursement from the company. If the employee reports the concerns tomanagement, the company’s compliance department, or even to the policeor a responsible government agency, the employee is likely protected fromliability to the coworker. What if an employee sees another employee sur-fing pornographic Web sites at work using a company computer? Looking atpornography is not necessarily illegal, but most employer policies prohibitusing company equipment for that purpose. Viewing pornography at workalso can create a hostile work environment for others under the harassmentlaws. If the coworker discloses that information to the employer, there isminimal to no risk of liability for making the report. In fact, reporting thatsort of information would be encouraged by antidiscrimination, harassment,and no-retaliation laws.

HOW DOES ADVANCING TECHNOLOGY INCREASE THE RISK OF COWORKER PRIVACY VIOLATIONS?

As technology becomes more and more sophisticated and accessible, thereare increased risks that private employee information can be captured andused or misused by coworkers. In a matter of minutes, an employee with acamera phone can post unauthorized pictures and videos of coworkers onyoutube.com, in blogs, and on personal Web pages. Hidden cameras andtape recorders and equipment that can be used to intercept electronic com-munications are readily available. Depending on the circumstances, theseactions can give rise to various types of claims for defamation and invasionof privacy.

There are many federal and state laws that protect both the employer and employee regarding intercepting and recording conversations and other


112

ert342_12_20158.qxp 6/26/07 2:31 AM Page 112

Summer 2007

electronic communications. The Federal Electronic Communications PrivacyAct of 1986 generally prohibits intercepting electronic communications.However, if the employer is the provider of the communication system andit is used in the normal course of business or an employee consents, certaintypes of interception and monitoring of stored information are permitted.State laws also usually prohibit interception, recording, and monitoringwithout prior consent. The issue under state law is usually whether one,two, or all parties to the communication consent to the interception.

These laws generally protect the employer-owner of the systems, but alsowill protect the employee who is responsible for the recording and monitor-ing. If, however, that employee records or monitors information in an unau-thorized way, or uses the information for an unauthorized purpose, most ofthe legal protections evaporate and can result in invasion-of-privacy claimsagainst the employee personally.

With regard to blogs, Internet posting of an employee’s personal informa-tion (other than Social Security numbers, medical information, etc.), and pic-tures and videos, the law is still developing. Defamation claims based onslander and libel can be brought by employees against each other, as canclaims for invasion of privacy. The boundaries are being redrawn every day.

WHAT DO EMPLOYEES NEED TO KNOW ABOUT THEIR LEGALOBLIGATIONS TO SAFEGUARD THEIR COWORKERS’ PRIVACY?

If a company’s confidentiality agreements include broad language about pro-tecting other employees’ private information, they should be written in plainlanguage so that they are clear and unambiguous. Employee policies alsoshould explain an employee’s obligation not to disclose private informationabout other employees. In some contexts, the information could be propri-etary and disclosure could harm all the employees involved as well as thecompany’s business. It is prudent for all employers to update their policiesto include blogging and the use of camera phones at work.

Employees also should be trained on appropriate processes for maintain-ing employee information at work so that private information is protected.Managers need to know that they should keep employee personnel files andtheir manager’s desk files secure so as to avoid unintended disclosure towandering eyes and hands. Medical information, which includes even a sim-ple doctor’s note excusing the employee from work because of sickness, andleave of absence forms, should be kept locked separately from other filesabout the employee. This type of information can also be forwarded to HRfor recordkeeping.

Employees who require access to other employees’ Social Security num-bers and similar information should understand their potential liability if


113

ert342_12_20158.qxp 6/26/07 2:31 AM Page 113


they misuse the information or fail to protect it properly. All employeesshould understand their employer’s policies about who can providereferences and what information can be provided. Employees also shouldunderstand the dangers of talking “off the record” with potential employersof former employees.

At the same time, employees should know that they are encouraged tocome forward with information about other employees, even personal infor-mation, about conduct that may violate the law, company policies, codes ofconduct, ethics guidelines, and antidiscrimination and harassment policies.They also should be well trained on the company’s reporting processes forcomplaining about potential illegal activity. Employers should use cautionnot to confuse employees about their desire to have employees report thistype of information with the need to protect other types of information frominappropriate disclosure.


114

Lynn D. Lieber, Esq., is founder and CEO of Workplace Answers, a SanFrancisco–based provider of Web-based legal compliance training. Lieber is aseasoned employment law attorney and a nationally recognized spokeswomanon harassment and discrimination law. Workplace Answers delivers Web-basedtraining in human resources, unlawful harassment prevention, and financialand ethics compliance. The company helps client organizations to build aneffective affirmative defense under local, state, and federal employment law. Shemay be contacted via e-mail at [email protected].

ert342_12_20158.qxp 6/26/07 2:31 AM Page 114

workplace privacy between coworkers

Documents