Checklist: Evaluate Actions That Intrude on Privacy for Business Purpose

Ask the following questions to evaluate whether actions that may intrude on employee privacy are supported by a legitimate business purpose:

• Do we have a written policy that advises employees of the potential for the actions under discussion?
  • How was the policy communicated to employees?
  • Can we document that all employees have received the communication?
• If we don't have a written policy, have employees otherwise been advised that the company will document, monitor, search, or in some manner investigate under these particular circumstances?
  • If yes, can we document that notice?
• Has our legal advisor reviewed our policies and advised that there are no legal issues that would prohibit or restrict our planned action?
• Have we restricted the amount of information we collect about employees to information that has a valid business purpose?
  • Do we periodically review information to determine that it is still relevant?
  • Do we allow employees to have access to information concerning them; do we correct errors in that information as they are identified?
  • Do we destroy all nonessential information when an employee terminates?
• Do we restrict the release of information about employees without their consent?
• What evidence do we possess that makes our proposed actions reasonable?
  • Can we produce the evidence in the future for an outside party?
• Is our organization's proposed action appropriate, reasonable, and in proportion to the perceived or known threat to our business?
  • In other words, are we overreacting?
• In the past when there were similar situations, did we take the same or similar actions?
  • If not, why not?
  • On what basis can we justify a change in our approach?
• Are our proposed actions fair to all concerned including the employee(s) under suspicion?
• Are our actions ethical?
• Are we prepared to defend our actions in the event of a lawsuit or media exposure?
• If the proposed action is in response to a specific incident (for example, the unexplained disappearance of inventory, the suspicion that an employee is using drugs, allegations of sexual harassment via e-mail, etc.) is the basis of suspicion supported by more than rumor or hearsay?
• Under the same or similar suspicions, would we propose to use the same procedures if the employees under investigation were executives?