In the Privacy domain, “Employee Privacy” is one aspect of Privacy Management that often conflicts directly with the Data Protection Compliance regime.
Under GDPR we have seen Courts and Supervisory Authorities rule that even an employee who uses a “Customercare@company.com” email address for personal communication is entitled to privacy rights.
Recently a case has also been reported from Illinois, where the freight company BNSF Railway Co has been ordered to pay compensation of $228 million in a class suit brought on behalf of its employees.
The decision, handed down Wednesday evening in Chicago federal court, came after the first trial under the Illinois Biometric Information Privacy Act (BIPA), a state law which restricts the collection of biometric data such as fingerprints or retinal scans.
The plaintiff, on behalf of himself and a class of other truck drivers, claimed he was fingerprinted when he entered BNSF’s railyards to make pickups and deliveries and that BNSF violated Section 15(b) of the BIPA by collecting his biometric data without first giving him written notice and obtaining his informed consent.
This decision could mean that the employees of an organization may enforce Privacy rights on par with the public.
A majority of Data Protection Professionals are themselves employees of an organization and hence would welcome this development. So would Privacy Activists.
However, to be fair to all stakeholders, we need to question this decision of the Illinois Court (as reported in the media).
Employees are privileged persons within an organization. The law recognizes that any errors and omissions of an employee may create a vicarious liability for the organization. Employees work under a long-term contract built on trust. They create the security systems within an organization and can collaborate with criminals to harm the organization and its third-party customers.
Hence, from the security perspective of the company and its customers, there is a need to enforce a strict regime of surveillance on the activities of employees.
Having CCTVs inside an organization, monitoring computer activity, and collecting and using biometrics should therefore be considered a “Legitimate Interest of an Organization” and should not be considered a “Privacy Violation”.
What may be required is an assurance, based on a higher level of information security, that the employee information collected for the specific purpose of employment is not misused. Using the information to monitor employee behaviour from the perspective of security is, however, an exception.
Some Data Protection laws like the PDPB 2019 did provide “Exemptions” from Consent for employee monitoring activities required for performance assessment and fraud prevention.
The Illinois case could be one falling under such a requirement, where the company wanted only authorized persons to enter the goods yard. Similarly, in the GDPR case, the employee who misused the corporate email account for personal use had specifically violated the terms of contract. In such cases there should be no enforceable right to privacy.
It is for this reason that we advocate that “Employee Privacy” should not be equated with “Privacy of Non-Employees”. Employees should be informed enough to provide their consent and to understand the need for security, and to give up the special privileges that come with Privacy.
If this right of the employer is not recognized, then employees may tomorrow claim that they will work under a pseudonymous ID or even an anonymous ID and receive their salaries in Bitcoin, and in principle they will have a case to justify.
We must therefore consider that “Employees of an organization are privileged persons and, in respect of the personal data shared by them with the company in their capacity as employees, should be exempt from the provisions of prior Consent (except at the time of onboarding), Right to Portability and Right to be Forgotten. They may continue to enjoy the Right to Access and the Right to Correction.”
Comments and views are welcome.
Naavi