While school risk managers often focus on student misconduct and
risks, they should be well-versed in managing employer/employee risks and
setting rules and policies for digital access and permitted conduct. The rights
of public schools and districts as employers to track digital activities of
employees and contractors align with those of private sector employers, with
one important exception. As public entities, federal Constitutional 4th
Amendment search and seizure protections apply in ways they do not typically
apply to private entity employers. These may not apply to a private or
parochial educational institution. But appropriate notice and consent, express
or implied, should be sufficient to satisfy both national statutory and common
laws and state or federal constitutional protections.
The prime law in the employer monitoring and surveillance area,
nationally, is the Electronic Communications Privacy Act of 1986 (“ECPA”), an
amendment to Title III of the Omnibus Crime Control and Safe Streets Act of
1968, commonly known as the "wiretap law." The ECPA was adopted
initially to govern third-party interceptions of electronic communications, not
to govern employers' rights to monitor their workers. (All states have their
own wiretapping” statutes that either mirror the federal law or provide their
own unique spin in the federal law.)
The ECPA provides civil and criminal penalties for any person
who intentionally intercepts, uses, or discloses "any wire, oral, or electronic
communication." The term "electronic communication" is defined
as "any transfer of signs, signals, writing, images, sounds, data, or
intelligence of any nature transmitted in whole or in part by a wire, radio,
electromagnetic, photo-electronic or photo optical system that affects
interstate or foreign commerce."
Essentially, the ECPA prohibits the interception, use or
disclosure of electronic communications to which the interceptor, user or
person making the disclosure is not a party – it requires the involvement of a
third-party. This is called the “one consent rule.” One party to the communication can give their
consent to its interception, use or disclosure, without violating the ECPA. (As
noted below, a small minority of states require the consent of both parties to
a communication. This is called the “dual consent rule”, and these states are
commonly known as “dual consent states.”)
Most of the cases developed under the ECPA involve criminal
justice and investigatory wiretaps of telephone and e-mail communications, with
employer-rights getting increasing attention in recent years. Until recently,
most of the case law in the civil application of the ECPA in employer-rights
involved monitoring telephone communications of employees and customers. But
the law applies equally to all digital communications, including email, instant
messaging, text messaging, social networking communications, faxes and any
other electronic communications developed.
Exceptions
Two exceptions to the prohibition against interception and use of electronic communication of the ECPA afford employers broad rights to monitor their employees: An employer may monitor an employee's conversations if the monitoring occurs (i) in the ordinary course of business or (ii) with the employee's consent.
Two exceptions to the prohibition against interception and use of electronic communication of the ECPA afford employers broad rights to monitor their employees: An employer may monitor an employee's conversations if the monitoring occurs (i) in the ordinary course of business or (ii) with the employee's consent.
Consent:
Employee’s consent can be express or implied. Express consent can be obtained
by written or oral agreement with the employee. An employee handbook signed and acknowledged
by the employee is an example of express consent, as is an employment
agreement.
Implied consent can be obtained by conditioning employment or
access on the employee’s consenting to the surveillance. The user’s consent is
evidenced by their use of the digital technologies or acceptance of employment
or remaining in their job after being apprised of such rules.[1] In an employment
situation, implied consent can be evidenced by notices of monitoring policies
contained in the employee’s handbook, notices appearing on the computer screen
or inclusion in the employment application forms. Some employers use several
reminders of the monitoring and surveillance, in a “belts and suspenders”
approach.
The ECPA also contains a "business exclusion
exemption" that exempts interceptions made by equipment "furnished to
the subscriber or user by [a communications carrier] in the ordinary course of
its business [and being used by the subscriber or user] in the ordinary course
of its business." Under this exception, an employer may monitor phone
calls made on an employer-supplied telephone system by attaching a device
supplied by the employer. The courts look to whether a reasonable business
justification exists for the monitoring, whether the employee was informed
about the employer's right to monitor, and whether the employer acted
consistently in connection therewith.
Additional federal and state legislation have been introduced to
afford employees improved rights and weapons in the battle for more privacy.
But, so far there's no federal law that requires employers to notify employees
that their communications are being monitored. (Union members have protection
not afforded to non-unionized workers. The NLRB ruled that the monitoring of
employee digital communications and activities. Os a collective bargaining
issue.)
Many states have adopted their own version of the ECPA, and the
dual consent states require the consent of all parties to the communication for
non-exempt interceptions (as opposed to the one-consent ECPA rule). In addition
to the state versions of the ECPA, state laws include constitutional
provisions, statutes and common law (law that has been developed through
case-by-case review and, in the United States is as much part of the law as a
statute).
Common Law and Privacy Laws
In some cases, state common-law rights exist and may provide a separate common law right of action. Typically, they seek relief under the common-law tort of invasion of privacy. Invasion of privacy laws don't exist in all states, and in some cases, statutes labeled as "privacy” laws do not deal with privacy matters at all. In New York, for example, the privacy statute deals with protection of celebrities and others rights against the commercial exploitation of their images.
In some cases, state common-law rights exist and may provide a separate common law right of action. Typically, they seek relief under the common-law tort of invasion of privacy. Invasion of privacy laws don't exist in all states, and in some cases, statutes labeled as "privacy” laws do not deal with privacy matters at all. In New York, for example, the privacy statute deals with protection of celebrities and others rights against the commercial exploitation of their images.
In the states that recognize the tort of invasion of privacy, a
violation generally requires an intentional intrusion, "physical or
otherwise, upon the solitude or seclusion of another upon his private affairs,
or concerns if the intrusion would be highly offensive to a reasonable
person."
One of the key conditions to successfully prosecuting an action
for invasion of privacy is whether the person has a "reasonable
expectation of privacy." Courts across the country are finding with more
and more frequency that no reasonable expectation of privacy exists with e-mail
or employee online communications. When the privacy policy or electronic use
policy that we all click without reading explains their practices or that users
have no expectation of privacy, it is hard to prove that your expectation was
reasonable.
Conclusion
Whether they have a right to privacy under employment circumstances or not, many employees find the intrusion of digital surveillance and monitoring offensive. This makes it a practical problem, not a legal one.
Whether they have a right to privacy under employment circumstances or not, many employees find the intrusion of digital surveillance and monitoring offensive. This makes it a practical problem, not a legal one.
Many employers are choosing to notify employees in advance that
their activities may be monitored. These notices can be contained in a written
e-mail policy or within an employee handbook. Under all circumstances, the
employee should acknowledge them in writing and the employer should retain
those written acknowledgements. When unions are involved, the NLRB has ruled
that employee surveillance and digital communications monitoring is a
collective bargaining issue. This further complicates the issue.
Yet, with increasing exposure to litigants seeking to hold the
employer responsible for what is said and done by employees, especially within
school environments, employers must seriously consider monitoring as a risk
management option. But if school employers choose to monitor, they must do it
wisely and consistently, and adopt a policy that works for their environment.
They should also find a public employment lawyer who can craft one, just for
their purposes, rather than using one off the shelf or discovered online. A
carefully written, well-enforced policy is smart employee relations–and best
educational institutional practices.
[1] An
example of how implied consent is utilized in a customer service environment is
the “this call may be monitored for quality control purposes” recording. By
remaining on the phone, callers have provided their implied consent to being
recorded. They evidence their rejection of consent by hanging up.
