I often get emails from my blog and Twitter readers, many of whom I have never met before; sometimes several in a day. Many often ask for help that really is a call for free consulting help. Others are quick, short and fast for me to answer. Others are just bizarre. I answer whatever I have time for. I recently got the following question (edited to protect identities), and I think so many folks may be involved in a similar situation with all the continuing job losses that it might be useful to several folks…
Hello Rebecca,
I found you through Twitter when I did a search on “employee privacy” and decided to contact you because I think you might be able to answer or guide me to where I could find the answers about some employee privacy issues I’m tackling.
Here’s my story:
I am to be laid off in the fall, which I have known since the beginning of this year. After I am laid off, do I have a right to insist that all personal information that had been collected about me (email monitoring, web search history, surveillance videos, and perhaps also audio recordings) be destroyed? I do not want video, email, and perhaps audio records about me to remain in the possession of my former employer after I have left their employ. Are there any federal or state laws that would govern an employer’s dispossession of private information about an employee that had been gathered during the course of their employment? Would I have to involve a lawyer to ensure that ALL the information collected about me is destroyed?
I sincerely thank you for any information you could provide that might help me negotiate this situation with my soon-to-be ex-employer.
[name]
Dear [name],
Thank you for your message.
Well, there are several variables that impact the answer to your questions; unfortunately this is not a black and white issue.
Whether or not you can successfully ask for your personal information to be permanently destroyed depends upon many factors:
- Did you sign any employment contract when you first started working that indicated what you agreed to as part of your employment? If so, did it include how your personal information would be used and retained?
- Does your company have any policies regarding the collection, use and/or retention of employee information?
- If they do, have they provided training for the policies, or communicated the policies to personnel?
- Does the company use the employee information for other purposes, such as safety (for the videos), compliance with various laws (such as OSHA, EEOC, etc.), etc.?
- Is the company contractually obligated to provide employee information to any other organization or entity?
- Do the regulatory oversight agencies have any requirements for maintaining and retaining employee information, for your particular industry? Eg., government, education, etc.
- Can your individual information items be feasibly extracted from the photos/videos/data files/etc. without damaging the other information that the company needs to keep?
Regarding some of the specific items you listed and whether you can request to have them destroyed:
- Email monitoring info: Highly unlikely. Email systems and corresponding messages established for business are typically considered to be business property. Does your company have a policy stating this? Do you have a login banner that states this? If not, you may have some luck with this.
- Web search history: Highly unlikely. Internet accessibility from company networks are typically provided for work purposes and, like email systems, are considered as company property, including all logs and data associated with them. Does your company have a policy covering Internet use? If not, you may have some luck with this.
- Surveillance videos: Probably not, but depends upon where the videos were made. Somewhere that you would expect privacy, such as in the restrooms? Or somewhere public, as in the lobby or at the front door? Does your company have a surveillance policy? If not, you may have some luck with videos in some locations.
- Audio: For phone messages and voice mail? Probably not. But, as stated, depends upon your company’s policies. Most phone systems are provided for business purposes, and as such are considered as company property, including all phone activity. If there are no policies, you may have some luck with this.
In the U.S., to my knowledge, there are few to no federal laws, but a smattering of state laws, that cover employee rights to their own individual PII to allow them to request all or some of it to be destroyed or returned at the end of employment. In other countries, though, there are much stronger employee rights laws. I’m assuming you are in the U.S.?
Generally, in the U.S. the answers to your questions depend greatly upon whether or not your organization has any employee policies and/or employment contracts in place that cover what will happen to employee personal information, of all kinds and in all forms, whenever employees leave the organization.
I’m not a lawyer, so please do not consider this as legal advice. However, I would suggest you check on the issues listed above. Then, if you want to pursue actions based upon what you find it would probably be good to get a lawyer if this is something you feel strongly about.
Hope this helped. Good luck in your efforts!
Rebecca
Tags: awareness and training, employee privacy, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training