HR law – LegalTXTS – A Luminate Law Blog

The GDPR: A Tsunami of Data Regulation That Could Crash Onto Your Shore

May 3, 2018 by Elijah Yip·0 Comments

A sea change in data protection law in the European Union (EU) is about to take place, and your organization doesn’t have to be based in the EU to feel its impact. The General Data Protection Regulation (GDPR) will take effect on May 25, 2018. The GDPR applies not just to EU Member States, but also to U.S. organization with EU-based employees. Any U.S. organization that has a branch, office, affiliate, franchise, or agent based in the EU should check if it must comply with the GDPR. Failure to comply with the GDPR can lead to fines of up to 20 million euros or 4% of annual global turnover (revenue), whichever is higher.

The GDPR regulates how “personal data” of EU citizens is collected, stored, processed, and destroyed. The GDPR definition of “personal data” has a broader meaning than how U.S. laws usually define the term. In addition to typical identifying information (e.g., name, address, driver’s license number, date of birth, phone number, or email address), “personal data” under the GDPR includes more expansive categories of data such as salary information, health records, and online identifiers (dynamic IP addresses, cookie identifiers, mobile device IDs, etc.). The GDPR also provides heightened levels of protection for special categories of employee data, including racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data.

The GDPR has wide-ranging effects on data collection, use, and retention. Some of the data practices regulated by the GDPR include:

Data processing – Consent is one legitimate basis for processing personal data of employees, but the GDPR requires that consent be freely-given, specific, informed, and revocable. This means most blanket consent provisions typically found in employment contracts are not valid. If obtaining consent according to GDPR requirements isn’t practical, an employer might need to rely on other legal bases for processing employee data. Processing employee data is legal if it is necessary for the performance of the employment contract, required by law, or in the employer’s legitimate interests which outweigh the general privacy rights of employees.
Employee monitoring – The GDPR limits what employers may do with data obtained through employee monitoring.
Notification – The GDPR specifies what information employers must include in notices informing employees about the kind of personal data that will be collected from them.
Right to be forgotten – Under certain circumstances, data subjects have the right to require data controllers to erase their personal data.
Data portability – A person is entitled to transfer their personal data from one electronic processing system to another without being prevented from doing so by the data controller.
Data breach – The GDPR governs the procedures and substantive requirements for giving notification of a personal data breach.

Now is the time to revisit your employment contracts and policies with privacy counsel to ensure compliance with the GDPR.

Login Lessons From the Hawaii Missile Alert Fiasco

February 7, 2018 by Elijah Yip·0 Comments

Phones across Hawaii lit up at 8:07 a.m. on January 13, 2018 with an alert that a ballistic missile was hurtling toward the state. Two minutes later, Governor David Ige learned that the alert was mistakenly sent. But it took another excruciating 15 minutes before the governor took to Twitter to clarify that there was “NO missile threat to Hawaii.” Why the delay? Governor Ige later confessed that he forgot his Twitter password.

Companies can learn a lesson or two from the governor’s login woes. Ready access to login credentials for your company’s online assets is crucial. Being locked out of your website, social media accounts, cloud services, and other digital assets can seriously damage your company’s operations and reputation. Securing usernames and passwords is just as important as keeping track of the keys to your office or company safe.

Here are some tips for keeping company login credentials safe and accessible:

1. Designate a location for storing login credentials.

Employees authorized to set up or modify an online account on behalf of the company should be instructed to store the login credentials in a designated location. This will prevent a frantic search for account information in mission-critical situations. The designated location can be a file stored in a specific drive or folder. If the file is encrypted – a highly recommended practice – make sure the encryption code is stored in a safe place. In some situations, simply writing down login credentials on a piece of paper can work. Just make sure the paper is stored in a safe and identified location.

2. Ensure access to login credentials to those who need it.

Employees who need access to the company’s online accounts should be told where the login credentials for those accounts are stored. Supervisors of employees who regularly use the account should know where the credentials are stored in case those employees separate from the company.

3. Develop a protocol for modifying login credentials.

Company policy should clearly articulate procedures for modifying login credentials to company accounts. For example, employees who make the modifications should be required to inform their supervisor in writing about the change and update the account information stored in the designated location.

4. Set up accounts with company email addresses.

Employees should not be allowed to use personal email addresses to register online accounts on behalf the company. Only company email addresses should be used to register accounts. If the login name or password for the account needs to be reset, a reset confirmation email is typically sent to the email address under which the account is registered. If the registered email address belongs to an employee, the company might not be able to complete the reset process if the employee (or ex-employee) refuses to cooperate.

5. Specify ownership of online assets.

Company policy should clearly specify that any online accounts created for the company are owned by the company, not the employee who registered them. Such a policy is especially necessary for social media accounts, which might seem like they belong to the employee promoting the company using the accounts.

Having login credentials at your fingertips is important to your company’s success, even if the stakes don’t involve warnings of impending disaster.

Hawaii governor blames false missile alert delay on forgotten Twitter log-in

NLRB Approves Rule Shuttering Cameras in the Workplace

January 27, 2014 by Elijah Yip·1 Comment

(Photo credit: Wikipedia)

“Smile, you’re on Candid Camera.” Originally coined on the eponymous TV show, that catchphrase is becoming more of common refrain in the workplace. Any employee with a smartphone can easily record an office conversation in secret. But are such covert recordings legal? And what control, if any, does management have over the making of such recordings?

The Law of Recording Face-to-Face Conversations

A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations. This rule authorizes the recording of a conversation so as long as one person in the conversation consents. The consenting party can also be the person recording the conversation. Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.

Most other states require the consent of all participants in the conversation. Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.

Workplace Bans on Covert Recordings

Even if covert recordings are legal, management may regulate the practice if done so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA). A recent National Labor Relations Board decision illustrates this. Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013). The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval. The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”

The administrative law judge (ALJ) in the case upheld the policy. The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right. It was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters. The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace. The policy regulated a means of communication as opposed to the protected activity itself. It also did not prohibit employees from making recordings during non-work time. The policy therefore did not violate Section 7 rights.

Takeaways

The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:

Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
Does the rule allow employees to make recordings during non-work hours?

A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.

Cybersecurity, Privacy & Internet Law

Tag: HR law

NLRB Approves Rule Shuttering Cameras in the Workplace

Tag: HR law

Related articles