Workplace Privacy: National Labor Relations Board

By law, US federal agencies are required to ensure the protection of the personally identifiable information (PII) they collect, store and transmit. In light of the current digital environment, government agencies are collecting more and more personal information. Highly publicized events of abuse, misuse and inadvertent errors in agency management of PII have fueled public concern about the government’s ability to protect private or sensitive information. This has resulted in increasing scrutiny and compliance expectations regarding federal privacy laws and regulations, which affect federal employees at all levels.

This article takes a look at how the National Labor Relations Board (NLRB) handles privacy issues.

NLRB’s Privacy Impact Assessments

Section 208 of the e-Government Act of 2002 requires federal agencies to conduct a Privacy Impact Assessment (PIA) before developing or procuring information technology systems or projects that collect, maintain or disseminate PII about members of the public.

The NLRB has conducted PIAs on the following systems:

  • Back Pay System
  • Case Activity Tracking System
  • Judicial Case Management System
  • Litigation Information on the Network
  • Next Generation Case Management System
  • Office of the Inspector General Investigative Files
  • Paper Check Conversion Over the Counter
  • Treasury Offset Program
  • Work in Progress

This is what an NLRB Privacy Impact Assessment would include:

Nature of the System

  • What is the system called?
  • Provide a generalized, broad description of the system and its purpose (i.e. what does this system do? What function does it fulfill?)
  • Describe the stage of development of this system.
  • Is this system required by law or Executive Order?

Data in the System

  • Will this system contain personal data elements?
  • List the personal data elements or types of data elements that the system will contain.
  • What are the sources of the personal information in the system?
  • Are the personal data elements described in detail and itemized in a record layout or other document?
  • Review the list of personal data elements you currently collect. Is each data element essential to perform some official function?

Verifying Data

  • For data collected from sources other than NLRB records and the record subject him/herself, describe how the data will be verified for accuracy, completeness, relevance and timeliness.
  • Describe your procedures for determining if data have been tampered with by unauthorized persons.

Access to the Data

  • Who will have access to the data in the system (e.g. users, managers, system administrators, developers, others)?
  • How is right of access to the data by a user determined?
  • Are criteria, procedures, controls and responsibilities regarding access documented?
  • What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?
  • Do other systems share data or have access to data in this system?
  • Will other non-NLRB agencies share data or have direct access to data in this system (e.g. international, federal, state, local, other)?
  • How will the system ensure that agencies only get the information they need to fulfill their official functions?
  • Who will be responsible for protecting the privacy rights of individuals and employees affected by the interface between agencies?
  • Who is responsible for assuring proper use of the data?

Attributes of the Personal Data

  • Is the use of the personal data both relevant and necessary to the purpose for which the system is being designed?
  • Will the system derive new data or create previously unavailable data about an individual through a data aggregation process?

Maintenance of Administrative Controls

  • Explain how the system and its use will ensure equitable treatment of individuals.
  • Explain any possibility of disparate treatment of individuals or groups.
  • What are the retention periods for the data in this system?

Interface with Privacy Act Systems of Records

  • Does this system currently operate under an existing NLRB or Government-Wide Privacy Act system of records?
  • Provide the identifying number and name of each system.
  • If an existing NLRB Privacy Act system of records is being modified, will the system notice require amendment or alteration?
  • If the system currently operates under an existing Government-Wide Privacy Act system of records notice, are your proposed modifications in agreement with the existing notice?
  • If not, have you consulted with the government agency that “owns” the government-wide system to determine if they approve of your modifications and intend to amend or alter the existing notice to accommodate your needs?

An example of an NLRB Privacy Impact Assessment can be found here.

Applying the National Labor Relations Act

During 2011 and 2012, the NLRB’s Acting General Counsel published three Advice Memos, which reflected his views on the application of the National Labor Relations Act (NLRA) to social media policy provisions and employers’ discipline based on employees’ personal social media content. Some of the major opinions and views to come out of these memos are outlined below:

  • Employers cannot prohibit damaging statements about the company or its employees.
  • Employees are prohibited from discussing a coworker’s health condition. Employers ought to promote policy that prohibits employees whose job duties entail access to employees’ health information from disclosing that information in any manner, including via social media outlets.
  • Employers could promote policy that prohibits employees from disclosing compilations of payroll data when properly characterized as confidential business information.
  • Employees have a protected right to use and disclose coworkers’ contact information (e.g. names, addresses, phone numbers, email addresses), for “organizational purposes,” as long as the information is not obtained from the employer’s files.
  • Employers are permitted to establish rules intended to promote a “civil and decent workplace.” As long as a reasonable employee would understand the rule – for instance a rule requiring appropriate business decorum in communications – to achieve the above purpose, such rules are acceptable to the NLRB.

Summary

US federal agencies are legally required to ensure the protection of personally identifiable information (PII) they collect, store and transmit. This article takes a look at how the National Labor Relations Board (NLRB) deals with privacy issues.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:

  • US agencies regulating workplace privacy issues – National Labor Relations Board (IV.A.b.iv.)