Workplace Investigations

As discussed in question 7, it may be difficult for a company to search an employee’s personal possessions. The company may search and gather electronic data stored in work laptops or company servers, subject to legal requirements and restrictions (eg, obtaining consent). 

The PIPA provides specific guidance on the requirements for obtaining consent. Under the PIPA, to collect or use an individual’s personal information, the information holder must be informed of and consent to:

• the purpose of the collection or use;
• the personal information that will be collected;
• the period of retention and use; and
• his or her right to refuse to provide consent and any disadvantages that may result from such refusal.

There are separate requirements for obtaining consent to provide an individual’s personal information to a third party. Also, consent must be obtained separately for the collection, use or provision of sensitive or unique identification information.

Under limited circumstances, personal information may be collected, used, or provided to third parties without obtaining the consent of the information holder. For instance, a company may collect and use personal information without obtaining consent where obtaining the information is necessary to achieve the company’s “legitimate interests”, which clearly exceed the information holder’s right to his or her personal information, and the collection and use are carried out within reasonable bounds. The term “legitimate interests” in this context is generally understood as a concept similar to “justifiable act” under the Criminal Code. The Korean Supreme Court has held that under exceptional circumstances such as the following, the company’s collection and review of employee data may constitute a “justifiable act” under the Criminal Code:

1. the company had specific and reasonable suspicion that the employee had committed a crime and the company had an urgent need to verify the facts;
2. the scope of the company’s review was limited to the suspected crime through the use of keywords, etc;
3. the employee had signed an agreement stating that he or she would not use work computers in an unauthorised manner and that all work products would belong to the company; and
4. the company’s review uncovered materials that could be used to verify whether the employee committed the alleged crime.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

As there is no unified data protection regime, privacy protections stem from a patchwork of federal and state privacy laws which impose limits on the extent to which an employer can collect information from its employees in connection with an internal investigation. Whether specific conduct violates an employee’s rights is a very fact-specific inquiry requiring the application of relevant state laws and a regulatory regime. 

In most circumstances, an employer is free to conduct searches of its workplace and computer systems in the course of investigating potential wrongdoing. Such searches are generally not protected by personal privacy laws because workspaces, computer systems and company-issued electronic devices are often considered company property. Many companies explicitly address this in written corporate policies and employment agreements. Employees who use their own electronic devices for work should be aware that work-related data stored on those devices is generally considered to belong to the employer (as a matter of best practice, employers should generally prohibit or at least advise employees against using personal devices for work and to maintain separate work devices, where possible).

These broad investigatory powers notwithstanding, the ability of an employer to conduct searches in furtherance of an internal investigation is not unlimited. For example, if an employer seeks to obtain or review work-related data from an employee’s personal device, the employer must be careful to exclude any personal data. Certain states also prohibit an employer from requiring an employee to disclose passwords or other credentials to his or her personal email and social networking accounts, but permit an employer to require employees to share the content of personal online accounts as necessary during an interview while investigating employee misconduct.