The following is excerpted from “Information Nation: Seven Keys to Information Management Compliance.”
The personal information that banks, brokerage firms, creditors, e-merchants and others collect about their customers is so valuable that other marketers are willing to pay tidy sums for such data. But consumers have become very protective of their private information.
“Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. … When you register with Toysmart.com, you can rest assured that your information will never be shared with a third party.”
The customer data included details such as names, credit card information, home addresses, names and birthdays of children, and shopping preferences.
After an outcry from former customers and privacy advocates, and a great deal of embarrassing coverage, its parent company agreed to buy the list for $50,000 and destroy it.
Ownership of information. Your organization has a responsibility to properly manage and protect information assets as it would any other asset that it owns. The data stored on the information systems across your organization — from the largest customer relationship management databases to the smallest handheld e-mail devices — are your organization’s lifeblood, and must be protected as such.
The information that employees generate in their daily working activities is also part of your organization’s information asset collection. It is your responsibility to inform employees, through policies and training, that all such business information is the property of the organization. This will help establish the importance of the information and set expectations for how this information will be treated when an employee leaves your organization. The following is a sample policy statement that informs employees about this issue.
Ownership of Company Information:
Sample Policy Statement. All information that you create, receive and/or use while conducting company business is owned by the company, regardless of whether that information is in paper, electronic or any other tangible form. In addition, all employees must provide all business information in their possession or control to the Company upon request, at any time, for any reason.
Individuals who cease to be employees of the company must provide original and all copies of any business information to his or her supervisor prior to leaving the company. All business information located in any company facility or facilities managed by another entity on behalf of the company are presumed to be company property. All business information created or stored on or in a company computer, imaging system, communications system, telecommunications system, storage device, storage medium or any other company system, medium or device are presumed to be company property.
All business information, regardless of its location, that in any way pertains to the company or company business, is presumed to be company property. Only upon a showing that the business information in question does not in any way relate to company business will such information be deemed to be other than company property. Theft or appropriation of any business information is strictly prohibited. Giving access to another person who is not authorized to have access to, review or otherwise see company business information is also strictly prohibited.
Undertaking these prohibited acts may result in termination and/or civil or criminal penalties.
Privacy of employee information at work. You need to be clear with employees about whether they should expect that the information they create and receive on the job is private. Generally, organizations in the United States have taken the approach that such information is not private, and the organization thus reserves the right to access and review it at will.
U.S. courts have generally supported this approach. For example, in Garrity v. John Hancock Mut. Life Ins. Co., two female employees were fired for sending sexually explicit e-mail over the company e-mail system, in contravention of the company e-mail policy. The employees viewed the e-mail containing the offensive content as personal, and argued that the company invaded their privacy when it accessed and examined it. The court weighed the issues to determine whether “the expectation of privacy was reasonable.”
The court did not find that expectation reasonable, for several reasons:
· The company’s e-mail policy stated, “Company management reserves the right to access all Email files,” and “there may be business or legal situations that necessitate company review of Email messages and other documents.”
· The company “periodically reminded employees that it was their responsibility to know and understand the email policy,” and employees had been warned about “several incidents in which employees were disciplined for violations.”
· The two employees testified that they sent the e-mail messages (some of which were jokes) to other employees with the expectation that they would subsequently be forwarded.
· The employees admitted that they knew the company had the ability to examine company e-mail messages.
Legal opinions on this approach to employee privacy at work are not consistent in every jurisdiction, and companies should investigate the laws of each jurisdiction in which they do business. For example, the Social Chamber of the Supreme Court of France ruled in 2001 that an employee’s personal e-mail sent or received on company systems could not be accessed and viewed by an employer, even if the company advised employees that it would do so.
Privacy of Employee Information:
Sample Policy Statement
Company resources used by employees to create, transmit, receive and store business information, such as computers, the e-mail system and facsimile machines, should only be used for business purposes. In addition, the information in these systems should only be related to Company business. These resources, and the information contained within them, are the property of the Company. Furthermore, the company reserves the right to access and review any business information, whether it is located in company facilities or not.
Employees do not have and should not expect any right to privacy with respect to any Company business information, including e-mail transmission, electronic communication or Internet or intranet communication. The Company reserves the right to monitor the use of any company property, equipment, phone line, computer, software or any storage device.
© 2004, Randolph A. Kahn, ESQ., and Barclay T. Blair. For informational purposes only. Get the advice of counsel before adopting any Information Management policy element.