Privacy in the Pennsylvania Workplace
When discussing privacy in the workplace, courts may balance an employee’s privacy rights against the interests of the employer. Often, the question boils down to whether the employee had a reasonable expectation of privacy. Below we examine some Pennsylvania developments relating to privacy in the workplace.
Invasion of Privacy
Pennsylvania recognizes four distinct types of invasion of privacy actionable under tort law: 1) intrusion upon seclusion (intruding physically or otherwise on someone’s private affairs); 2) appropriation of name or likeness (using another’s likeness or name for one’s own benefit); 3) unreasonable publicity given to private life; and 4) publicity that unreasonably places one in a false light before the public.
In Doe v. Kohn Nast & Graf, the employer opened a piece of the employee’s personal mail which was sent to the employee from a physician in AIDS Services at Johns Hopkins University. A copy of the letter found its way into managerial files. The employee argued the mail was obviously personal and should not have been opened. The Court allowed the employee’s invasion of privacy claim to proceed.
Pennsylvania Wiretapping and Electronic Surveillance Control Act
The PA Wiretapping and Electronic Surveillance Control Act makes it a third-degree felony to:
- Intentionally intercept or try to intercept wire, electronic or oral communication
- Knowingly share those communications, known to be gathered illicitly, or
- Use those communications, known to be gathered illicitly
This statute is why video surveillance does not include sound recording. There may be instances where an employer or employee thinks it is a good idea to surreptitiously record a conversation. This is absolutely not a good idea; to do so is a felony. Using the recording later is also a felony. In Commonwealth v. Smith, the Court found that an employee’s use of a voice memo app on his phone to surreptitiously record his supervisor violated the PA Wiretap Act because the phone was being used as a recorder, not as a telephone. There are exceptions to the Act. For example, if all parties have given consent to the recording of a conversation, then it is not illegal to do so.
As personal and company communications become more entwined in the workplace, the issue of an employee’s expectation of privacy with respect to email communications over work systems continues to evolve.
So far, employees in Pennsylvania have not succeeded with privacy claims related to work email. In Smyth v. Pillsbury Co., an employee tried to base a wrongful termination claim on his being fired after the employer read an email by the employee which the employer found to be unprofessional. The employee claimed that because the employer had assured employees that all email communications were confidential, the interception of his work email was a violation of his privacy, allowing him to pursue a remedy for wrongful termination. The Court dismissed the wrongful termination claim, reasoning in part that the emails were not private notwithstanding the company’s assurances of confidentiality. However, this case did not involve a direct invasion of privacy claim by the employee, as the employee was challenging his firing under Pennsylvania’s narrow exception to at-will employment for wrongful termination.
In Kelleher v. City of Reading, the employee pursued an invasion of privacy suit when the employer published emails the employee claimed were private. The Court found that the employee had no reasonable expectation of privacy in the emails because, among other things, the city’s policies clearly stated emails were not private. The court noted, however, that an employee might have a reasonable expectation of privacy in work email depending on the circumstances of communication and the configuration of the system.
The safest route for employers is to have a clear policy that says employees have no expectation of privacy in work emails. Employers should review their policies and make sure the issue is clearly addressed.
Employee Medical Information
It is a common misconception that all employers are subject to HIPAA. HIPAA applies to health plans, health care clearinghouses and health care providers. It only applies to employers when they operate in one of the above capacities. Normally, an employer will only deal with HIPAA covered entities, not actually be one. However, if, for example, an employer operates a health clinic, it will find itself handling health information protected by the HIPAA privacy rule.
An employer may be subject to liability under traditional invasion of privacy principles if the employer accesses embarrassing private health information about an employee. An example is the Doe v. Kohn Nast & Graf case discussed above involving correspondence about HIV treatment.
Under the Americans with Disabilities Act (ADA), information obtained regarding the medical conditions or medical history of the applicant or employee must be collected and maintained in separate medical files and treated as confidential medical records not subject to general access or dissemination. The ADA allows supervisors and managers to be informed regarding necessary restrictions on work duties and necessary accommodations. This does not mean supervisors and managers are privy to the underlying medical details. First aid and safety personnel may be informed if the disability requires emergency treatment.
Another area in which employers are responsible for privacy is HIV-related information. The Confidentiality of HIV-Related Information Act limits the disclosure of HIV-related information.
Employee and Customer Data
The Breach of Personal Information Notification Act prohibits the unauthorized access and acquisition of computerized data that compromises the security or confidentiality of personal information maintained by the entity. The Act defines personal information as an individual’s first and last name in combination with 1) a social security number, 2) a driver’s license or state-issued ID and/or 3) financial account numbers or credit card numbers in combination with a security or access code or password that would permit access to the individual’s account. If a breach occurs, an entity is obliged to provide notification without delay to the affected persons. The statute is enforced by the Office of the Attorney General.