By William Everett and Anna Yunker, Everett Law LLC
Although easy to overlook, the language of a government entity’s computer use policy regarding privacy and personal use by employees can be constitutionally significant and matter greatly in some circumstances. A public employer will likely be best served by having policy language that puts employees on notice that they have no reasonable expectation of privacy in the entity’s computer system, and that the entity reserves the authority to inspect and audit its networks and machines at its own discretion.
Privacy Law Considerations
Imagine that a manager has been hearing whispers from staff about a certain lead worker, Bill. The rumor is that Bill has been spending a great deal of work time on his employer-provided computer sending and reading e-mails and preparing documents for a side business he is trying to start.
Checking Bill’s computer would be a quick and logical way to either put the rumors to bed or find out if there is a problem. Is there anything to stop the manager from doing this?
The Fourth Amendment to the United States Constitution might be a barrier. The Fourth Amendment is best known for the limits it sets on searches and seizures by police officers and deputies. But it also applies to other types of searches performed by the government and provides protection in other contexts, including protecting employees against unreasonable searches by their governmental employers.1
An activity by an employer is a search, for Fourth Amendment purposes, if it intrudes on an employee’s reasonable expectation of privacy over the thing or place being examined.2 When this is the case, the Fourth Amendment requires the employer to have a reasonable basis for starting the search, and it prohibits the employer from making the search “excessively intrusive” in light of its purposes.3
What if there is no reasonable expectation of privacy? Then the Fourth Amendment and its requirements do not apply.4
In the hypothetical situation, checking Bill’s computer would seem to be a straightforward way to deal with the issue presented. But would a judge agree that the “rumors” are enough, under the Fourth Amendment, to justify the search? Because being wrong can lead to liability, it is usually better to avoid this question than to answer it.
An appropriate computer use policy helps a government employer do just that. A well-written policy enables appropriate searches by putting employees on notice that they have no reasonable expectation of privacy in the computers and networks provided by their employers for work purposes.
Cases Provide Useful Examples
Some examples from case law highlight the issues:
- In United States v. Linder, the court held that a deputy United States marshal did not have a reasonable expectation of privacy in communications and documents he sent through and stored on government networks. The policy included language stating: “Employees are reminded that there is no expectation of privacy in the use of government computers or computer systems.” It went on to advise: “To the extent that employees wish that their private activities remain private, they should avoid using departmental computer systems for such activities.”5
- In United States v. Thorn, the Eighth Circuit Court of Appeals held that a government worker had no reasonable expectation of privacy when the policy warned employees of this and when the policy went on to notify employees that the agency reserved the right to access all of its computers to audit their use.6
- In Leventhal v. Knapek, an appellate court reached a different conclusion. The court held that a public employee had a reasonable expectation of privacy in part because there was no policy addressing this issue. There was also no evidence that the employer conducted routine checks of computers to put employees on notice that expecting privacy would be unreasonable.7
- In the Linder case, the employer went a couple of steps further to make sure employees could not claim privacy over what they stored on and moved through government networks. The agency reminded employees with a log-in banner that there was no expectation of privacy, and it conducted periodic, documented training on the policy.8
Personal Use on Own Time
In Minnesota, some government entities allow employees to make limited personal use of their computer systems and technology, such as for accessing personal e-mail, Web browsing or social media outside of work time.9
From a data practices perspective, data that an employee makes in their own private capacity that is unrelated to the business of government is not government data under the Minnesota Government Data Practices Act.10 But when an employer allows personal use of its systems, does it give rise to a reasonable expectation of privacy?
Allowing limited personal use without offsetting policy language could arguably lull employees into expecting privacy. For government entities, it is probably undesirable to allow employees to generate, send and store content on the entity’s networks that the entity cannot access without satisfying Fourth Amendment search standards, which leads back to the situation with Bill.
Policy language should make it clear that allowing limited personal use is not the same as granting privacy. The notice that the employer gave to employees in Linder would seem appropriate here: There is no expectation of privacy, and to the extent employees wish for their private activities to remain private, they should not be conducted on government-entity computer systems.
Manage the Risk
As a best practice, a public employer should review its computer use policy with legal counsel to ensure that it continues to meet the entity’s needs. Employers should also provide periodic training to employees about the policies to ensure that employees are aware of the limitations. Employees should also be asked to formally acknowledge receipt and review of any new or revised policies.