Workplace Investigations

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

As there is no unified data protection regime, privacy protections stem from a patchwork of federal and state privacy laws which impose limits on the extent to which an employer can collect information from its employees in connection with an internal investigation. Whether specific conduct violates an employee’s rights is a very fact-specific inquiry requiring the application of relevant state laws and a regulatory regime. 

In most circumstances, an employer is free to conduct searches of its workplace and computer systems in the course of investigating potential wrongdoing. Such searches are generally not protected by personal privacy laws because workspaces, computer systems and company-issued electronic devices are often considered company property. Many companies explicitly address this in written corporate policies and employment agreements. Employees who use their own electronic devices for work should be aware that work-related data stored on those devices is generally considered to belong to the employer (as a matter of best practice, employers should generally prohibit or at least advise employees against using personal devices for work and to maintain separate work devices, where possible).

These broad investigatory powers notwithstanding, the ability of an employer to conduct searches in furtherance of an internal investigation is not unlimited. For example, if an employer seeks to obtain or review work-related data from an employee’s personal device, the employer must be careful to exclude any personal data. Certain states also prohibit an employer from requiring an employee to disclose passwords or other credentials to his or her personal email and social networking accounts, but permit an employer to require employees to share the content of personal online accounts as necessary during an interview while investigating employee misconduct.