When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.[1]
In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns.
One of the most significant aspects of the ruling was its acknowledgment of real-world concerns regarding data privacy and protection. Judge Berlin noted that individuals’ contact information, in the hands of the OFCCP, may be targeted by hackers or leaked by OFCCP employees. The order pointed out that, in many instances, the federal government has failed to effectively safeguard sensitive information. In 2015, for example, hackers stole personally identifiable information, including in some cases fingerprints and Social Security numbers, for millions of current and former federal employees and applicants for federal employment. Judge Berlin also recognized that employers have a significant interest in maintaining employees’ trust by protecting their personal information. Even if a company is forced to comply with an agency’s demand, its employees will likely resent the involuntary disclosure of their personal information. Businesses will suffer if current and prospective workers perceive them as unwilling to protect their privacy interests. Judge Berlin addressed these concerns by ordering the OFCCP to take reasonable steps to protect the information it obtains from Google.
The order also held that the OFCCP’s demand for over 25,000 employees’ contact information was overbroad. The OFCCP argued that it was necessary to collect the contact information for a large number of employees in order to interview a selected number of them without revealing their identities to Google. While obtaining the contact information for a large number of employees is one way to reduce the possibility that interviewees can be identified and retaliated against, Judge Berlin noted that the OFCCP is likely to interview no more than 100 to 300 Google employees in connection with its investigation. Accordingly, collecting even a fraction of the requested data would still enable the OFCCP to hide the identities of selected interviewees. Ultimately, the ruling permitted the OFCCP to choose 5,000 specific employees whose contact information it will receive.
The July order demonstrates that employers can, and should, take steps to protect their employees’ confidential information—even when such information is demanded by the government. By resisting the OFCCP’s overbroad requests, Google managed to significantly pare down the scope of the agency’s demand and forced the OFCCP to take additional steps to protect its employees’ contact information. Like Google, other employers should consider creative solutions to defend against the unnecessary disclosure of sensitive employee data and maintain their employees’ trust.
[1] OFCCP v. Google, Inc., DOL ALJ No. 2017-OFC-4, July 14, 2017.