Defining Privacy More Difficult in Age of Mobile Devices

With an emphasis on practical strategies to improve productivity and performance, and limit potential liabilities, Bulletin to Management™ concisely analyzes new developments in employment and human resources management.

By Cathleen O'Connor Schoultz  

When it comes to privacy at work, employees think they always have it and employers think they never do, while the truth is probably somewhere in the middle, privacy and information security attorney John J. Heitmann said March 8 at the 2012 International Association of Privacy Professionals' Global Privacy Summit in Washington, D.C.

Especially if using their own mobile devices, such as smartphones, employees tend to think they are in a private zone, said Heitmann, a partner with Kelley Drye & Warren LLP.

And employers feel that if employees are using corporate resources, there is no expectation of privacy, he said during a session titled “Take Two: Employees, Smart Phones and Social Media: Best Practices for Mobile Computing and Social Media Policies.”

According to Heitmann, astute employers have a clear, comprehensive, and up-to-date mobile device and social media policy.

To create an effective policy, Heitmann advised, “assemble the right team, including IT, legal, HR, and people from the business units.”

Heitmann said a good policy, rather than feeling like a burden, can be reassuring to workers. “You'll find it will lead to happier employees and employers. Employees like knowing the rules of the road, and generally if they are notified, they will accept them,”he said.

Must Have Business Purpose

Most companies do a certain amount of monitoring, Heitmann said. After all, he said, privacy is just “the flip side of security.”

But while employers may, and often should, monitor employee use of electronic devices, it should never be done for nonbusiness reasons and never under false pretenses, he noted.

“I'll say it at least another six times: ‘Don't monitor employees unless you have a legitimate business reason,' ”Heitmann said.

The blurring of work-life boundaries continues to grow as employees bring their own smartphones and tablets to work or use their devices to check work emails at home, Heitmann said.

Once an employee's device is used for work, the employer has certain rights and responsibilities regarding it, he said. Employers need to protect the private data of customers and other employees that the mobile device user may have access to, he said.

Heitmann said it should be spelled out very clearly that in some cases, employees using their smartphones for work—especially if they have access to sensitive information—might have their devices “wiped”remotely by the employer.

“If this is the policy, make employees aware of it and get their consent,” Heitmann said. He said employers should also consider employing new software that is available to “segment”devices used for both home and work.

With this type of system in place, a company would be able to remotely wipe only the business side of the device. If the employee relocated the phone or tablet, it would still contain non-work data, such as family photos, Heitmann said. This is the kind of issue the policymaking team needs to consider, he said,

Risks of Location Tracking

One of the newer risks on the horizon, Heitmann said, is the “location-based services” for smartphones, which identify where a user is and was, and when. Hundreds of location-aware apps have been created for the iPhone, Android, and Blackberry, he said.

While employers may have the right to know where a delivery truck is, for example, they need to consider carefully what limits to create on accessing such information, purposely or not.

Another location-based risk is that users can enable location-tracking in their social media accounts. This reflects still other chances for employers to inappropriately discover where an employee actually is at any given time, Heitmann said.

Getting Employee Consent

An important best practice for employers in terms of policies, he said, is to be sure employees' consent is current.

Some employers get workers' consent every day when they sign onto their computers, Heitmann said. A good rule of thumb is to get it at least every six months and whenever there are any changes, he said.

In addition, he said, while employers may monitor an employee's social media activity, it must be upfront—“never monitor under false pretenses”—and for business purposes only.

And as a general rule companies should not require access to employees' personal information, Heitmann said.

He cited a recent case in which the Maryland Department of Corrections asked a job candidate for his Facebook password. This is not a good idea in general, Heitmann said, although in some cases it might be defensible.

Even if such an action is not determined to be illegal in a particular set of circumstances, it could still hurt a company's reputation, he said.

Heitmann also warned attendees to be sure their company social media policies do not go overboard and ban employees from legally protected activity such as forming a union.

Overbroad policies “can have a chilling effect” on an employee's right to concerted activity in violation of the National Labor Relations Act, he said.

By Cathleen O'Connor Schoultz