July 2006: Privacy in the Workplace

Our right to privacy as employees is being increasingly violated
July 1, 2006

Recent CCPA Monitor articles described how our privacy as citizens and consumers is under world-wide siege by governments and transnational corporations. Employee privacy isn’t faring very well, either. Understand the forces at work. Know the stakes and what to look for--and how you can protect yourself, your family, your co-workers and friends.

Privacy is often defined as the “right to be let alone”--to be free of unwarranted intrusions into our daily lives, 24/7, by governments, businesses (includes the media), neighbours, or anyone else. It is a legal and societal shield protecting:

  • our bodies and minds--physical security, medical privacy, inner thoughts;
  • our families and homes, and other private spaces and possessions;
  • our personal activities and communications--in person, in public, by telephone, mail, or over the Internet; and
  • our reputations--in the eyes of our family and friends, to be sure, but also our standing with our employers and the many government departments, companies, and other organizations with which we deal.

Reasonable degrees of seclusion, anonymity, confidentiality, security, and control over our personal information and reputations are preconditions of individual dignity and autonomy, including--and even especially--at work. When our privacy is invaded, we feel the intrusion in our gut, no differently than discrimination, harassment, and other injustices. That is why, cultural variations notwithstanding, privacy is a universal human value that knows no national borders or jurisdictions.

Previous Monitor articles have revealed that political, market, and technological forces are hammering away at our privacy shield on all fronts. The allegedly freedom-loving U.S. Bush administration, in particular, is leading a brazen and global assault on the privacy of billions of ordinary and innocent citizens, especially--but not limited to--Muslims and Arabs. Governments and businesses the world over are caving in to America’s bogus, perpetual, and self-serving “war on terror,” sparing no unnecessary expense or risky technology.

The post-9/11 years have witnessed incalculable increases in unjustified surveillance, demands to show ID, random searches of our bodies and possessions, the interception of our electronic communications, secret files, data-matching, file-sharing, and on and on. We are being watched, suspected, lined up, identified, and reported like never before, not only when we fly or cross borders, but also when we bank, drive, enter buildings, use mass transit, attend public events, or simply log on to the Internet.

Not content with their own huge databases (on us), Bush-compliant governments are also converting the private sector into corporate snitches, and vacuuming up our personal data from airlines, banks, Internet service providers (ISPs), libraries and schools—and largely in secret. Obtaining court orders, showing reasonable cause, and being accountable have become too inconvenient for our police and security agencies. In a quantum shift in approach to state security, we the citizens are now deemed guilty until proven innocent.

It’s governments and businesses which are supposed to be more transparent, not us! I know the Bush administration doesn’t get it, and Stephen Harper’s “cozy-up to Bush” strategy likely spells further trouble ahead for the privacy of Canadians and visitors alike. The United States is the only major nation in the “Western” world without comprehensive privacy legislation, notably covering the private sector. The American constitution is held out as a model, but many of the most intrusive practices, from surveillance to searches, are born and bred in the “land of the free.”

Our privacy as consumers is also heading south. Huge transnational corporations constitute a “legitimate” Big Brother contender in their own right, even before they hand over our life stories to governments. We interact much more often with ISPs and telephone companies, financial institutions, retailers, airlines, marketers, and utilities than we do with government agencies. These companies have the intent, resources, and technologies to collect and amass great swaths of our financial, purchasing, membership, and other types of personal information. They don’t necessarily need or take very good care of it. They will often try to sell, rent, trade, or otherwise exploit our personal data like any other “asset,” unless prohibited.

It’s not prohibited enough on this business-friendly continent. Compare simply the vulnerability of our private sector communications such as our e-mails and use of the Internet to the near perfect security of old-fashioned letter mail. So we consumers suffer nuisances like spam and telemarketing, and catastrophes like identity theft, credit and collection nightmares, and ruined reputations.

Employee privacy

We spend so much of our lives at work: what about our right to privacy as employees? The news isn’t good here, either. Just as employers are demanding “more work for less pay,” they are also demanding or simply taking more and more of our personal information. We are being screened, tested, monitored, measured, and reported like never before.

Put simply, organizations have voracious appetites for employee (and lots of other) information, together with the computer, communications, surveillance, and other technological means to feed them. Practically all large organizations need to go on personal information diets. Already beholden, employees are being eaten alive, so to speak.

Who knows us better than our employers? Their files and data bases include our hiring, pay and benefits information, banking, insurance, family matters, pictures, personal identifiers and contacts, attendance, sick leave, claim and medical information, performance and other career-related records, grievances and other complaint files, “challenges” we’re having (at work or otherwise), investigations, discipline... the list is a long one. It’s just about all there.

In larger organizations, employee information is collected, “shared,” used in decision-making, and retained by great numbers of supervisory, personnel, finance, security, and other officials. Increasingly, their operations (and our personal information) are computerized. By definition, computers enable far more access to employee information, by far more people, far faster than ever before. The privacy risks of massive breaches are far greater, too, and, although violations are usually inadvertent, the damage is sometimes irreparable. There is often no recovery from ruined reputations, humiliation, and heavy financial loss.

An estimated 75% of companies in the United States electronically monitor their employees. Video surveillance cameras are multiplying like rabbits and everybody seems to need to wear ID cards these days, to enter or move around unthreatened workplaces. Maybe your employer has gone hi-tech with biometric tracking or radio frequency identification (RFID). One would think we all had “top secret” jobs and that none of us could be trusted, regardless of long service.

Job applicants now face much more invasive screening--any combination of “reliability,” criminal record, and credit checks with “third parties,” and medical/psychological tests to extract our blood, urine, inner thoughts, and even DNA. (Isn’t it evident that it’s the executives at the top who require more careful screening? That’s where thievery and other character lapses can really hurt an organization!)

Technology vendors seem to be having a field day flogging their surveillance, control, and performance measurement systems. So our movements, e-mails, Internet usage, voice communications, and other types of our personal information on company computers and networks are still an open book for employers inclined to peek. These electronic records have been likened to organizational DNA. In the event of security investigations or litigation, all bets are off. After all, organizations (claim to) “own” our personal information.

Nobody likes to be suspected, mistaken, rejected, or falsely accused based on inaccurate or incomplete information, especially by an unfair process, machine, or person. Extreme or arbitrary measures that are anything from bothersome to humiliating can poison the workplace environment and de-motivate the very employees organizations work so hard to attract and retain. This has been known since the Hawthorne studies in the 1920s. Why would employers do this?

I believe organizations can’t help themselves. The (mostly) guys at the top are forever demanding more “metrics” and production and lower costs and risks. Managers have an abiding interest in our productivity, and one can’t manage what one can’t measure. They want to ensure we’re qualified for a job or benefit. Bosses also tend to be risk-averse control freaks, taking too much counsel from legal and security “experts” who benefit by exaggerating the danger. They’ve been spooked by security concerns and are often hoodwinked into adopting untried technological “solutions.”

It is true employers have business interests to protect, including their property, secrets, and corporate image. They want their money’s worth from us and to limit their liability (as if it’s not limited enough already) to head off lawsuits for negligent hiring and firing, discrimination, and illegal conduct of all kinds. They are particularly protective of their electronic networks, on the lookout for personal use, pornography, breaches of security, and vulnerabilities such as viruses.

These safety, security, and other management imperatives need to be balanced with employees’ rights and/or expectation of privacy. Unfortunately, employers are having a hard time finding the proper balance, if indeed they are actually looking for one.

Know your rights

Canadians don’t have to check their privacy at the door when they report to work. We are protected in common law from libel, slander, and by the tort of privacy. And most of us are covered by federal or provincial privacy legislation, granting us several specific rights:

  1. to be informed about and to exercise some control over what personal information our employers collect about us and how it is used and disclosed to others;
  2. once collected in company files and data bases, to the protection of our personal information from unauthorized use or disclosure until it is properly destroyed;
  3. to access and challenge the relevancy or accuracy of this personal information; and
  4. to complain to the federal or a provincial privacy commissioner/ombudsperson if we believe any of our privacy or access rights have been unfairly denied. (S/he will investigate, issue findings, and recommend or order remedies).

Which Canadian employees are covered by privacy legislation? Virtually all government workers and many private sector employees, notably if your work is federally regulated, or situated in Quebec, Alberta, and British Columbia. (If you work for Wal-Mart in Ontario, however, you’re not covered. Shame on Ontario!)

Many unions have been slow to realize how they’ve been empowered. Some see collective agreement or human rights violations every time a supervisor says “Boo,” but fail to understand that privacy rights protect not just minorities, but all of their members in just about any injustice you want to name--and in a far more comprehensive way.

What can your union representative or you do to protect your workplace privacy, and that of your family, friends, and co-workers? There are three basic steps:

1. Recognize a privacy violation

Privacy is complicated, so back to basics. What is the impact on the shield protecting your body, mind, reputation, and home, your personal possessions, activities, and communications, the necessity and accuracy of the personal information your employer maintains on you, and your ability to access and challenge that information? Here’s a more complete list of red flags to look for:

  • new collections, uses, or disclosures of employee information, especially when unbeknownst to the employees concerned or contrary to their reasonable expectations of privacy; this could include the probing, collection, or interception of private thoughts, body fluids, images, and, increasingly, your communications, whether in person, over the phone, or e-mail;
  • the sale, rental, exchange, or publication of employee information;
  • computerization of processes and employee “data” if, as expected, it results in more access by more people, or the comparing of any distinct sets of employee information collected for different purposes (data matching);
  • the use of other (especially untried) technologies to observe, identify, test, monitor, measure, profile, compare, or report on employees;
  • the collection, use, or disclosure of medical, financial, evaluative, and other sensitive personal information, including names, numbers, and other identifiers the compromise of which could lead to identity theft;
  • making decisions based on inaccurate personal information, e.g., concerning hiring, promotions, applications, claims, grievances, discipline, and anything else to do with workplace rights, reputations, and careers;
  • outsourcing involving employee information (such as payments, benefit programs, company health services, security);
  • inadequate security safeguards (by the company or its agents) protecting employee information from unauthorized access, alteration, removal, or destruction;
  • anything else having to do with home or off-duty privacy, surveillance, measurement, evaluations, anti-terrorism, and the reporting of employee information outside the organization that could harm reputations; and
  • employees being denied the opportunity to access and challenge their personal information, especially if denied natural justice in the first instance.

2. Challenge it

These kinds of behaviours by your employer should prompt you to ask questions. What personal information is involved, who gets it, why, and under what legal or other authority? If you’re covered by privacy legislation, how will your privacy and access rights be protected? Who is accountable?

You want to ask these types of questions before a new system or technology gets entrenched. For example, if your company is proposing a major new system with apparently serious employee privacy risks, ask to see the “privacy impact assessment.” If there isn’t one, ask that one be considered (templates are widely available). Determine whether the necessity and feasibility of the proposal have been proven, including whether all reasonable and less invasive alternatives have been considered.

Assertions by employers that their employees have no right to privacy when using its computers and electronic networks are especially worthy of challenge. It’s your personal information! Organizations subject to privacy laws may only collect, use, and disclose this information for authorized purposes. Secondly, you have the right to access and correct your personal information residing in these data bases, subject to limited “exemptions.” Thirdly, you have the right to complain if your privacy or access rights are denied.

Your access rights may also come in handy in age-old workplace problems: unfair treatment by your boss, a co-worker, or a department. Unfair treatment usually involves a failure to take reasonable steps to ensure the accuracy of personal information prior to decision-making use, such as ignoring relevant facts in favour of unsubstantiated opinions. You can ask that any such inaccurate information about you be corrected, and that all those in receipt of the false information be notified.

Most large organizations have processes for answering privacy enquiries, access requests and complaints, such as through your supervisor, Human Resources and, if you’re lucky, a privacy coordinator or chief privacy officer. What if this doesn’t work? If you’re still lucky (to have one), you may complain to your privacy commissioner. S/he will investigate on your behalf and, if there is any obstruction or retaliation on your employer’s part, it’s a bonus for your case.

3. Avoid trouble

Before the job interview, find out about the organization’s approach to employee privacy. Does it have a privacy policy and “chief privacy officer?” If the hiring process is overly invasive, you may want to look elsewhere. And, for sure, tell the truth on your CV and during interviews.

On the job, take care not to violate company rules. Know your organization’s privacy policy and its subsets, such as the use of electronic networks. Office employees are now wired to their jobs every which way, including when “off duty,” so most employers allow limited personal use of their e-mail systems, the Internet, cell-phones, and so on. But always respect business confidentiality and, especially, be careful what you write about other individuals (because that becomes their information, not yours). And always watch what you write about your employer, whether on its networks or your own blog or chat rooms. You’re generally not allowed to bite the hand that feeds you.

Understand that good things don’t always come to those who wait. If you are supervised by an entrenched psychopath or blindly-loyal company (wo)man, leave. Walk away from office gossips (or defend the helpless person under attack). Run from back-stabbers.

The bottom line is that employee privacy is sometimes at odds with company interests. But no employer is above the law. Your privacy and access rights equate to your employer’s obligations and provide a valuable tool in ensuring a respectful workplace. You can defend yourself and others when there are apparent violations, through company processes and, if necessary, your privacy commissioner.

Given the political, commercial, and technological forces at work, this is not a time for complacency. What’s it going to take before ordinary citizens, customers, and employees stand up and tell the organizations “serving” them, “Enough!” I suspect it will take a government or business boondoggle of grand proportions and, with Harper’s American “roots,” the likelihood of that is just short of certain. His Conservative government is both keeping our personal information and wants more, including to hand over to the Americans.

If the opposition parties are looking for an issue to distinguish themselves, protecting the privacy of Canadians is a good place to start.

(Richard Sharp is an MBA grad who has been a privacy advocate, coordinator and consultant since 1977, perhaps longer than anyone else in Canada. In a subsequent article, Richard will identify ten things our privacy commissioners can do to make themselves heroes. He welcomes your comments or queries, at [email protected])