Bus Eth
Privacy at Work — Ethical Criteria Anders J. Persson Sven Ove Hansson ABSTRACT. New technologies and practices, such as drug testing, genetic testing, and electronic sur- veillance infringe upon the privacy of workers on workplaces. We argue that employees have a prima facie right to privacy, but this right can be overridden by competing moral principles that follow, explicitly or implicitly, from the contract of employment. We propose a set of criteria for when intrusions into an employee's privacy are justified. Three types of justi- fication are specified, namely those that refer to the employer's interests, to the interests of the employee her- or himself, and to the interests of third parties such as customers and fellow workers. For each of these three types, sub-criteria are proposed that can be used to determine whether a particular infringe- ment into an employee's privacy is morally justified or not.
KEY WORDS: contract of employment, drug testing, ethical criteria, ethics, genetic testing, privacy, sur- veillance, work Anders J. Persson is Ph.D. candidate in Philosophy at the Royal Institute of Technology, Stockholm.
Sven Ove Hansson is professor of Philosophy at the Royal Institute of Technology, Stockholm. His major research areas are philosophy of risk, decision theory, episte- mology, belief dynamics, and value theory. He partici- pates in several interdisciplinary research projects on environmental risk assessment and risk management. His most recent books are Setting the Limit. (1998), A Textbook of Belief Dynamics.
Theory Change and Database Updating (1999), and The Structures of Values and Norms (2001).
1.
Introduction Technological developments have in many cases alleviated work and improved v^ork conditions.
At the same time new technologies have caused new problems for workers. Several new tech- nologies infringe upon the privacy of workers.' This applies in particular to three major groups of technologies and practices: drug testing, genetic testing, and surveillance. We will begin by briefly introducing these, before discussing how they relate to the privacy issue.
Drug testing. According to statistics from the laboratory that performs about 80 percent of the drug tests ordered from employers in Sweden (Huddinge sjukhus), employers' use of such tests has become more and more common in this country (Eriksson and Olsson, 2001). The same tendency seems to prevail in other countries.
Genetic testing. Genetic testing includes both genetic screening and genetic monitoring. In genetic screening, workers are examined for possible genetic predispositions for example to chemically caused disease. In genetic monitoring, workers are tested for genetic damage caused e.g.
by exposure to chemicals in the workplace.
According to a report from 1982, about 5 percent of American businesses had set up programs of genetic screening on workers, and about 15 percent had plans to introduce such programs (National Opinion Research Center, 1982).
A later survey from 1989 indicates that the prevalence of such practices was on the increase (OTA, 1990).^ It is not unreasonable to assume an increasing trend in the use of genetic screening.
Journal of Business Ethics 42: 59-70, 2003.
© 2003 Kluwer Academic Publishers.
Printed in the Netherlands. 60 Anders J. Persson and Sven Ove Hansson Surveillance.
Surveillance of workers can be con- ducted in a number of ways, and employees in nearly all sectors are subject to more or less intru- sive surveillance by managers. Recent techno- logical developments have facilitated surveillance.
Examples include miniature cameras, "smart" ID badges that can be used to track an employee's movements around a building, computerised analysis of the pattern of telephone use and the destination of calls, and various systems that monitor employees' computer transactions more or less in detail (random screen pictures, moni- toring of e-mail and internet usage, etc.).
Most previous discussions of workplace privacy have been devoted to a specific practice such as drug testing or e-mail surveillance. The purpose of this paper is to put the workplace privacy issue in a more general context. The crucial issues that we intend to discuss in some depth are: What if any are the ethically relevant features of work and workplaces that make the issue of workplace privacy different from the issue of privacy in general? Under what conditions are workplace practices that infringe on employees' privacy morally defensible?
It is important to observe that many of the practices under discussion can also be questioned for reasons other than the intrusion into privacy that they give rise to. Surveillance and medical testing can come into conflict with property rights, with the right not to be hurt or harmed or with other moral principles not directly related to privacy. Many of the arguments that have been used against genetic testing, in partic- ular, do not refer primarily to privacy. Hence, Theresa Brady (1995) mentions two important arguments against genetic testing. First, abnormal findings can lead to social prejudices (although the individual may never develop the disease, or may have a condition that can be successfully treated). Secondly, testing may encourage what she calls a "Hitler mentality": "Both Hitler and genetic testing are looking for the 'perfect race', leaving those not fitting the description, out of society's rights and protections" (ibid., p. 52).
Elaine Draper (1991, pp. 175-188) seems to have similar fears about genetic screening unless proper restrictions are applied. (See also Levine, 1982; Saarnio, 1988; Simms, 1994; Uzych, 1986.) Joseph Kupfer (1993) argues that the effects of genetic testing penalize some members of the public, in a way that is inconsistent with due citizenship. These concerns are certainly impor- tant, but since our focus here is on workplace privacy in general rather than on specific prac- tices or technologies we will only discuss argu- ments that are directly related to privacy.
Another aspect of the employer's responsibility is the duty to prevent others, third parties, from intruding into the employee's privacy. The employer may have access to information that intrudes into workers' privacy, and is then required not to disseminate this information to unauthorized persons. The employer may also have a duty to arrange work conditions so that employees' privacy in relation e.g. to customers or passers-by is protected. We will not further discuss the nature of such duties in this article.
Gender-related privacy concerns is yet another aspect that has special importance in the work- place context. Such concerns have for example been adjudicated in the U.S. Supreme Court Johnson Controls case.'' The respondent's policy of barring all women, except those whose infertility was medically documented, from jobs involving actual or potential lead exposure exceeding the Occupational Safety and Health Administration standard, was found by the court to be discriminatory against women on the basis of their sex. In the opinion of the Court several gender-related privacy concerns are expressed as well. A danger of intrusion on personal privacy apparently arises when such information about individual employees is collected and processed in the way the respondent conducted its policy.
Gender-related privacy concerns are certainly important and well worth elaboration, but since our focus here is on workplace privacy in general, privacy-issues related to gender will in the rest of this paper be seen as a special case of the more general issue.
In Section 2 we discuss what is meant by privacy. In Section 3 we discuss what is special about workplaces in relation to privacy. In Section 4, we propose that legitimate infringe- ments of workplace privacy must be supported by justifications belonging to three categories. In Sections 5-7, each of these types of justification Privacy at Work - Ethical Criteria 61 is discussed more in detail, and criteria for their validity are proposed. In the concluding Section 8, these criteria are summarized in a compre- hensive guideline for the moral appraisal of workplace practices that intrude in the privacy of employees.
2.
What is privacy?
Since "privacy" is a key term in this discussion it is important to have a clear idea of what is meant by it. An individual's privacy concerns the degree to which others may have information about her and sensory access to her. We can therefore, as a starting-point, use Ferdinand Schoeman's definition:
A person has privacy to the extent that others have limited access to information about him, limited access to the intimacies of his life, or limited access to his thoughts or his body (Schoeman, 1984, p.
3).
Privacy can refer not only to a person's body and mind but also to her possessions. However, not every type of information or sensory access to a person or her possessions can be the subject of bona fide claims of privacy. A person can legit- imately claim that it is a matter of privacy what video films (s)he watches in his/her home, but a corresponding claim about the make and colour of the car in which (s)he drives to work would not be legitimate. This is the reason why a limited "sphere" (or "zone" or "territory") around a person is often referred to in discussions of privacy.
This notion is intended to capture the idea that the concept of privacy is only applic- able within certain boundaries — partly but only partly of a spatial nature — that surround him/her.
This "sphere of privacy" is analogous to, but not identical with, the more well-known "private sphere" that is central to liberal pohtical thought since John Stuart Mill. The private sphere is a zone in which the individual should be allowed to make her own decisions, whereas the sphere of privacy is a zone in which legitimate concerns may arise about others' access to and informa- tion about her. These two spheres may overlap in many situations, but neither of them seems to include the other. To see this, first consider a person who is treated for a venereal disease. Since this disease is a danger to others, the decision to treat it does not belong to the private sphere.
(In many countries persons affected by certain contagious diseases are legally required to undergo treatment.) Nevertheless, the nature of his/her disease is obviously a matter in which his/her privacy is concerned. Next, consider a person's choice of the outdoor clothes that (s)he wears when (s)he comes to work. This choice certainly belongs to the private sphere, but claims of privacy are hardly applicable to it.
A crucial issue in the definition of privacy is the extent to which the boundaries of the sphere of privacy can be influenced by the individual's own wishes and preferences. There are two simple and principled views that should first be investigated. One of these is the strictly non- paternalistic view according to which it is each individual's prerogative to decide what counts as an infringement of her privacy. The other is the strictly paternalist definition of privacy, according to which the individual's own wishes and pref- erences have no influence on what sensory or informational access to him or her is counted as an infringement of privacy.
Both these views can easily be shown to have counter-intuitive consequences. With respect to the strictly non-paternalistic view, consider a person who has voluntarily chosen to take part in a reality show on TV in which his/her every movement will be broadcast, and made available on the Internet. We would probably say that such a person has given up much of his/her privacy.
This way of speaking is not compatible with the strictly non-paternalist view referred to above. As to the strictly paternalist definition of privacy, consider two men who both have the same type of scar on their chests. One of them is totally unashamed of the scar, and often walks around bare-chested around his house or on the beach.
The other man always keeps his scar away from public view. There is good sense in claiming that the second, but not the first, man's privacy can be violated if a stranger sees his scar.
We are led, therefore, to a middle course between the two extreme views. We propose that the sphere of privacy consists of a core and 62 Anders J. Persson and Sven Ove Hansson a discretionary part. The core consists of such information or sensory access that is, in the relevant social setting, counted as an intrusion into privacy. A person's casebook from a mental hospital is a typical example. If (s)he does not care who reads it, this means that (s)he does not care about his/her privacy. It does not mean that (s)he removes it from the sphere of privacy."* In contrast, the scar of the second man in the above example belongs to the discretionary part of his sphere of privacy. A change in his attitudes can have the effect that the looks of his scar is no longer a matter of privacy.
The contents of both parts of the sphere of privacy are of course determined by social traditions, and we can expect them to be different in different cultures. At least as a first approximation the core can be considered to consist of those types of access to oneself that most persons wish to have control over. The discretionary part consists of those types of access that are considered legitimate for a person to wish to have control over.
This leads us to another important issue in the definition of privacy, namely what if any nor- mative contents the concept has. Good argu- ments can be given both for and against treating privacy as a normative concept.
One important argument for treating it as a normative concept is that no non-normative account of the boundaries of privacy seems possible. There appears to be no other way to explain these boundaries than that they are norms that refiect social customs and ideals.
Furthermore, it would seem strange to claim that something is an issue of privacy without implying that a requirement to protect it has some moral force. It would seem strange to claim, for instance, both that a person's yearly income is a matter of privacy and that there are no morally valid arguments against publishing everybody's incomes on the web-page of the Internal Revenue Service.
On the other hand, a definition according to which privacy is always a desirable state would make a critical discussion of privacy claims more difficult. Some measures that protect or increase a person's privacy may be morally indefensible because of their other effects. It should be possible to say that without denying that they would promote privacy.
The solution to this dilemma that we propose is to acknowledge that privacy is a normatively laden concept, but only to the level of prima facie moral principles. More in detail: Although the notion of privacy can be used for purely descriptive purposes, it is then used to describe a system of social norms. A statement about privacy therefore is, or at least implies, a state- ment about norms.^ However, it is not a state- ment about absolute or indefeasible normative status, but only one about prima facie norma- tive status.* Hence, if you say that Mr. Smith's psychiatric condition belongs to his sphere of privacy, then this means that he has a legitimate claim to secrecy about his condition. It does not mean that this claim has sufficient moral force to overrule the reasons that we may have to acquire and divulge information about his mental disease. Like other prima facie moral principles, it can be overridden, but only when sufficiently strong justification can be given for the actions that violate it. Hence, if neighbours need infor- mation about his disease in order to help him or to protect themselves, then it may be morally jus- tified to provide them with the information that they need for that purpose, but most probably not to let them read his complete hospital files.
In some cases information lacking name-links can solve the problem of providing medical infor- mation that the employer needs for preventive purposes.
Our conclusions on the concept of privacy can be summarized as follows:
(1) A statement that X is a matter of A's privacy is or implies a prima facie nor- mative claim that access to X should be limited in the interest of A.
It follows that infringements of privacy always need a justification.
(2) What counts as matters of privacy is the outcome of social norms and ideals, and may be different in different cultures.
(3) An individual's sphere of privacy, i.e. the collection of matters to which (s)he has legitimate privacy claims, consists of two parts:
(a) The core, that consists of such Privacy at Work — Ethical Criteria 63 privacy rights that others should respect whether (s)he claims them or not, and (b) the discretionary part that consists of the privacy rights that others have to respect only if (s)he claims them.' Having said this, we have left many foundational issues of privacy both unsettled and unmen- tioned. We believe, however, that the notion is sufHciently well-understood from an intuitive point of view so that the above explication is sufficient for the purpose of application to actual social settings such as workplaces.
3.
What is so special about work?
Privacy issues arise in many social settings. Video surveillance in public places, phone tapping for law enforcement purposes, and commercial data mining are a few of the privacy issues that are not primarily workplace-related. However, it has generally been claimed in the literature that workplaces are a separate case that needs special treatment in the analysis of privacy infringe- ments. Is that true, and if so, what is so special about work and workplaces? Certainly not the workplace itself.
If you visit a workplace where you are not employed, your right to privacy does not seem to have been affected.^ Work itself will not do either, as can be seen by considering cases in which you work in your own household; gardening, sewing your own clothes etc. Neither does working for someone else as a self-employed person. If you undertake, as a self-employed carpenter, to build a piece of furniture for a customer, (s)he would probably not even have thought of claiming a right to screen your genes, test your body fluids for drugs or survey your e- mail or your movements. This might have been different if you performed the same tasks as an employee. Hence, the determining factor is arguably the employer-employee relationship as set forth in an employment contract.' Therefore we need to ask: What is in a contract of employ- ment? Our treatment of this issue will be moral rather than legal, i.e. we will not investi- gate the contents of current laws but instead discuss what are the moral rights and other moral considerations on which laws in these areas should be based. The relationship between the employer and employee will of course in most cases include many aspects that are not covered by the employment contract. The employee may, for instance, be a shareholder in the company, be the major owner's best friend, etc. For our present purposes, it is essential to focus on the part of their relationship that makes one of them employed by the other, viz. the contract of employment. It should also be noted that due to the complexity of modern business organisa- tions, an employee may stand in different rela- tions to various persons and groups within the company in which (s)he is employed. In legal contexts, the company is nevertheless treated as a single entity (an artificial person). This is a con- venient simplification that can also be used in a moral analysis. We will therefore assume, that the employee has an employer that can be treated as a single entity in terms of the moral rights and claims that follow from the contract of employ- ment. The division of such rights and claims between different agents within a business company give rise to important moral and practical problems, but they will not be treated here.
It may be useful to compare employment con- tracts, with other types of voluntary agreements such as sale contracts and rental contracts. A sale contract does not give rise to any infringements of privacy other than those that are either explic- itly agreed upon or necessary for satisfying the explicit clauses. The same applies to a rental contract. If you rent a house, the owner will have a right to enter the house for certain purposes, but not to open and read the private papers that you keep in the house. Hence, although such a contract allows what can be considered to be infringements into privacy, it does so only to the extent necessary for satisfying the purposes of the contract or determining whether the risk of entering into such a contract are sufficiently limited. This practice conforms with one of the principles that we argued for in the previous section, namely that all infringements of privacy require a justification.
In our view, the same principle should apply to employment contracts as well. The employee 64 Anders J. Persson and Sven Ove Hansson does not self him/herself (that would be slavery) but fiis or her work. Therefore, for an intrusion into privacy to he legitimate there must he a justifica- tion for intrusion, a justification hased on what the employer can require of the employee according to the contract of employment.
This position is, of course, in need of further specification. Before specifying it further, however, we will treat an alternative position, namely that privacy is never infiuenced by the contract of employment. A proponent of this position may claim that the contract relation between the employer and the employee does not affect the status of the latter's privacy claims, which is the same in the workplace as when (s)he is off duty. Such a standpoint is implausible in view of the prima facie status of privacy claims that we referred to in section 2. Privacy claims can be outweighed by other moral principles, and this applies both in workplaces and in other social settings. It is prima facie none of your business if your neighbour is drunk on next New Year's Eve. However, if he has promised to drive your children in his car, then his privacy claims against you are overridden by other, stronger moral concerns. Similarly, if as an employer you have hired him to drive a group on tourists in a bus, you certainly have a legitimate claim to know if he is drunk.
Another extreme standpoint that may have to be dealt with is that privacy disappears in the workplace setting. A moderate version of this position is imphcit in Michael Cranford's (1998) sketch of a defence of drug testing on the work- place: According to his way of reasoning, the contractual relationship between the employer and employee makes privacy concerns irrele- vant.'° We find this about as implausible as a claim that the contractual relationship gives the employer a right to watch the employees when they change clothes. The mere existence of a contract of employment does not nullify privacy claims. There must be a specific justification that outweighs the privacy claim in question.
As we indicated above, an employer's reason for an intrusion into an employee's privacy should be based on what the former can require prior to and after entering into the contract of employment." Therefore, the specific nature of that contract is of interest in order to evaluate arguments for privacy intrusions. In addition to the formal aspect of the employer-employee contract relation, which is expressed in the contract itself and in legal rules and regulations, there are important psychological aspects that have often been neglected.
Basically, the contract of employment gives rise to certain rights, responsibilities and duties.
One idea, expressed by Patricia H. Werhane (1983), is that employee rights can be subsumed under the notion of accountability in the workplace; employees are accountable to their employers and have role responsibilities. These relationships involve reciprocal obligations and employee rights.
When Mrs Jones has agreed upon a contract of employment, this means that she makes a certain kind of commitment to exchange work for remuneration. She can then be held account- able for a certain performance that she has traded for this remuneration. On the other hand the employer makes a commitment based on the expectations that Jones will perform the work.
Furthermore, the performance for which Jones is accountable in the workplace defines her role responsibilities in that job.'^ In most cases however, her role and expected performance on the workplace is only insufficiently specified in the contract of employment.
What is then the normative status of the contract of employment, that specifies the relation between the employer and the employee?
Clearly, it gives rise to prima facie obligations on the part of the contracting parties to fulfil both the conditions stated in the contract and the implicit, culturally determined, expectations of role performance in the work situation. It appears that we have strong culturally and socially estab- lished ideas about the different roles we ought to perform in the workplace context. These role responsibilities are determined by, among other things, legal rules and norms and social and moral opinions. In a normative discussion, such prevailing laws and conventions may be ques- tioned in tw^o different ways: It can be questioned whether they should be followed, and also whether or not attempts should be made to change them. Privacy at Work — Ethical Criteria 65 The normative question we ought to ask is therefore: which of the culturally and socially established ideas about workplace roles should be maintained? The moral nature of the contract of employment relation can thus be seen as a second order ethical question whose answer depends heavily on determining which normative prin- ciples or normative theories are right, or at least defensible. The contract relation has relevance to practical ethical problems in the workplace context, but, important to bear in mind, only in this second order mode.
4.
The employer's three arguments As we have already indicated, a reasonable account of the moral legitimacy of privacy intru- sions should respect the prima facie legitimacy of individual privacy. Therefore such an account should fulfil the following basic condition: an intrusion into privacy is morally permissible if, and only if, a sufficient justification can be given that outweighs the individual's claim to privacy.
Furthermore, we propose that such a justification can only be given if the intrusion occurs in someone's legitimate interest. From the perspec- tive of the employer, this means that there are three different possibihties to fulfil this condition.
The employer can argue (1) that his/her own (business) interests justifies intrusions into workers' privacy, (2) that it is justified by the interests of the employee, or (3) that it is justi- fied as a means to protect a interested third party's legitimate interests. In the following three sections, we will discuss in which respects and to what extent these three types of justificatory arguments are capable of defending privacy intru- sions on the workplace.
5. First argument: the employer's own interests Based on the approach taken above to the contract of employment, it follows from that contract that the employer has the right to check that the work is properly done and that the employee fulfils his or her role responsibilities.
This can in typical cases be done without intru- sion into privacy when the product is tangible, but not necessarily when it is intangible, such as a customer relation. Nevertheless, such checking may be legitimate because it is conducted in order to secure interests on the employer's behalf that are primary in the contract relation between the two parties. It seems quite uncontroversial that employers have a valid claim on some level of work performance.
The employer also has interests, such as max- imizing productivity and profitability, that may not be specified in, or follow from, the contract of employment as such. When selling your work to an employer, a certain amount of work output is implied, but not necessarily the maximal output that you can muster. In contrast, it is in the employer's interest that your work output be maximal. This point is stressed by Des Jardins and Duska (1987) in their discussion of drug testing.
They argue that as long as drug abuse does not reduce an employee's performance to a level that would be unacceptable if the employee did not use drugs, the employer cannot claim a right to a higher level of performance. In other words, in virtue of the contract there are productivity expectations on the employer's side, and although drug use may reduce productivity, it is low productivity and not drug use in itself that the employer has a right to react against. The up-shot of this argument is that drug testing cannot be justified by the employer's interest argument.'^ According to our argument, legitimate reasons for privacy intrusions that are based on the employer's interests, have to be supported by the contract of employment. But even w^hen such support is available, the intrusion must also satisfy two other requirements in order to be defensible:
First, it must satisfy a criterion of minimal intrusiveness. Often the employer can choose between different means to obtain the same level of control over the work of his/her employees.
Other things equal (i.e. in a comparison between means of control that do not differ significantly in efficiency, costs, etc.) only the least intrusive of the feasible means can be legitimate.. An employer may, for instance, check that the worker's daily output is sufficient by looking at 66 Anders J. Persson and Sven Ove Hansson the output at the end of the day. Following his/her movements minute by minute is not nec- essary for that purpose.
Secondly, a requirement of efficiency must also be satisfied. Consider the owner of a candy shop who wants to ensure that the employees do not eat candy during work hours. The least intru- sive way to control this may be to weigh the employees once a week, but the correlation between weight increase and candy theft is so weak that this is a very inefficient way to achieve the control aimed at. This may be an extreme example, but the issue of efficiency has been dis- cussed in relation to electronic surveillance.
Ottensmaier and Heroux (1991) call such prac- tices in question, and provide empirical evidence of their ineffectiveness. A survey of electronic monitoring of Massachusetts office workers in 1988 indicated that monitoring neither enhanced productivity nor helped supervisors to do a better job.
Clearly, if an intrusion into an employee's privacy does not in fact further the employer's legitimate interests according to the contract of employment, then it cannot be defended by the employers' interest argument.
However, even when these two requirements are satisfied, it does not follow that privacy intru- sions are acceptable. The extent to which sur- veillance, genetic testing, or drug testing on a workplace can be justified by the employer's interests will then be an issue of balancing these interests against those of the employee.
In summary, we propose that intrusions by the employer into the employee's privacy are justi- fied if they satisfy the following four criteria:
(1) The intrusion is undertaken in order to ensure that the employee performs the tasks and fulfils the role responsibilities, owed to the employer, that are explicit or implicit in the contract of employment, (2) The means chosen are efficient to obtain the required information, (3) The least intrusive means to obtain the required information are chosen, and (4) The resulting intrusion into the employee's privacy is not so severe as to outweigh the employer's interests.
6. Second argument: protecting the Avorker Another argument that is often used in order to motivate genetic testing, drug testing as well as surveillance, is that the practice in question is conducted in order to protect the worker.
Genetic screening can provide workers and workplace management with information that can be used to protect their health. Drug tests can induce workers to avoid alcohol and narcotics and thereby reduce his or her risk of workplace accidents. Surveillance can make workers more inclined to follow safety instructions. Hence, each of these practices may be accepted as the outcome of a legitimate trade-off between the loss of privacy and other interests of the worker him- or herself.
An obvious anti-paternalist argument can be made against this type of privacy intrusions. It can be argued that it is up to the worker to decide whether or not (s)he should be geneti- cally screened, drug tested, or surveilled, in order to protect his/her health and safety. If the employer wants to perform such privacy intru- sions against the employee's will, then the employer must, according to this view, be able to justify this with something other than the w^orker's own interest.
In our view, this argument is too simplistic, since it does not take into account an important feature of the contract of employment as it is normally conceived. The contract of employ- ment includes a responsibility on the side of the employer for the employee's health and safety at work. Another way to express this is that by taking a job one enters what is in a sense a pater- nalistic relationship. Since the employer would be held morally responsible if the worker is hurt or his/her health damaged at work, the employer must also have means to prevent this from hap- pening. This paternalistic relationship does not apply to the employee's interests in general, but only to his/her work-related interests, primarily his/her health and safety at work. This includes effects on his/her health and well-being that materialize in non-work contexts, such as effects on reproductive functions. Hence, although it may be in the employee's own interest to be Privacy at Work — Ethical Criteria 67 tested for the risk of contracting Alzheimer's disease''' after retirement, the employer has no responsibility related to that risk and, therefore, has no special right to use a blood sample obtained for other purposes to perform such a test against the worker's own will. The crucial issue is whether the employer can be held responsible, which is the case if the employee contracts a work-induced disease, but not a disease unrelated to work.
The same conditions that were introduced in the previous section must of course be satisfied, namely that the privacy-intruding measures taken by the employer be efficient and minimally intru- sive.
If the same result can be obtained, e.g. either by surveillance of the workers or by informing and educating them, then the employer does not necessarily have a right to choose the former option.
In addition, it must be required that the infor- mation gathered for the purpose of protecting the worker's interests is actually used that way.
Much of the debate on privacy intrusions in workplaces has centred on situations in which this has reportedly not been the case. Information gathered e.g. from genetic tests can be used in a way that may be against the worker's interests. As Kupfer puts it: "After all, relocating workers or modifying existing conditions so that they will be less hazardous takes time, effort, and money.
It's plain cheaper to fire or not hire a worker who is at 'genetic risk'" (Kupfer, 1993, p. 18). To exclude someone from work in order to protect his or her health may be against his/her interests.
Kupfer claims that genetic screening under certain applications will lead to exclusions from work that are arbitrary and, therefore, unjust.
Similarly, Elaine Draper (1991) claims that genetic testing can lead to people being singled out as a result of their genetic status, and that this can be unfair in the same manner as exclusions due to race, gender, or age. The features that exclude a person from work have to be justifi- able in that they are both relevant to the work in question and fair. Screening practices, this argument goes, can be unfair, because they exclude people on morally indefensible grounds.
Kupfer (1993) expresses a similar thought; he maintains that it is unjust to penalize a person for her susceptibility to a disorder. "It is like treating someone as guilty until proven innocent" (ibid., p.
23). Both Draper and Kupfer seem to embrace the thought that the employer has the burden of proof of showing that intrusions into privacy are actually performed in a way that benefit the worker.
It is in many cases no easy matter to determine what measures by an employer are in the employee's own interest. For our present purpose it is sufficient to conclude that this is one of the criteria that have to be satisfied.
In summary, we maintain that intrusions by the employer into the employee's privacy are jus- tified if they satisfy the following criteria:
(1) The intrusion is undertaken in order to protect the employee's own interests in matters such that the employer could be held morally responsible if these interests are not well protected, (2) The means chosen are efficient to obtain that purpose, (3) The least intrusive means to obtain the required effect are chosen, (4) The measures taken to protect the worker are in his or her own interest (e.g. a worker is not fired when (s)he could be relocated).
7. Third argument: protecting a third party Intrusions into a worker's privacy can also be motivated by the employer's duty to protect a legitimately interested third party, such as other workers and people not covered by the contract of employment, for example customers, share- holders, suppliers, creditors, neighbours to the workplace etc. The ethical considerations an employer has to make include a balancing of a worker's privacy against other legitimate concerns. In the foregoing section we saw that maintaining a worker's privacy is not always in his or her best interest. In this section we focus on cases when a third party's interests may have on balance more moral weight, making intrusions into workers' privacy legitimate. 68 Anders J. Persson and Sven Ove Hansson The argument from Section 5 against requiring maximal performance does not necessarily apply here.
It can be claimed that the employer has a duty to protect the interested third party as far as possible, which implies maximization rather than optimization. This is perhaps most obvious in cases of safety and accident prevention. It can plausibly be claimed that, for example, the man- agement of a public transport corporation has a duty to decrease passenger risks as far as possible.
It can then be argued that even if a drug-using employee performs as well, in terms of safety, as a drug-free employee whose performance is accepted, the employer has a legitimate interest to fiirther increase the safety performance of the first employee. Arguably, drug testing can be a means to achieve that.'^ In contrast, the efficiency criterion (from Section 5) applies here as well. In order to justify an intrusion into an employee's privacy, with reference to protection of a third party, the employer must, among other things, show that the intrusion in question actually has the desired effect. The minimal intrusion criterion is also applicable for obvious reasons similar to those discussed in Section 5.
One claim intended to support the interested third party argument is that corporations are responsible for harm committed by employees; therefore firms are entitled to make certain privacy intrusions in order to fulfil that respon- sibility. Jennifer Moore argues that this argument does not succeed in circumventing the claims of privacy rights. She tells us: "Responsibility for the action of others does not allow one to do anything to control their behaviour" (Moore, 1989, p. 279). Her idea seems to be that the right to privacy cannot be overruled by the proposed responsibility argument. In our view, this view does not seem tenable as a general principle. As we have argued above, privacy claims have only prima facie normative status and can be out- weighed by other types of moral considerations.
It is not difficult to construct both cases in which privacy claims should give way to the employer's responsibility for a third party and cases in which they should not.
In summary, we maintain that intrusions by the employer into the employee's privacy can be justified by the protection of third party inter- ests, if they satisfy the following four criteria:
(1) The intrusion is undertaken in order to ensure third party interests (e.g. health and safety) for which the employer is morally responsible, (2) The means chosen are efficient to obtain the required information, (3) The least intrusive means to obtain the required information are chosen, and (4) The resulting intrusion into the employee's privacy is not so severe as to outweigh the interests of the third party.
8.
Conclusion The criteria developed in the previous sections can be summarized in the form of the following guideline for determining the moral status of infringement into workplace privacy:
An intrusion by an employer into an employee's privacy is justified if and only if it satisfies all of the following four criteria:
(1) The intrusion is undertaken with one of the following three purposes:
(a) to ensure that the employee performs the tasks and fulfils the role responsi- bilities, owed to the employer, that are explicit or implicit in the contract of employment, (b) to protect the employee's own inter- ests in matters for which the employer is morally responsible, and to do this with means that are also in the employee's own interest, or (c) to protect a third party's legitimate interests in matters for which the employer is morally responsible.
(2) The intrusion is performed in a way that is an efficient means to achieve its purpose.
(3) The intrusion is performed with the least intrusive means that are available to achieve its purpose.
(4) The resulting intrusion into the employee's privacy is not so severe as to outweigh the value of achieving its purpose. Privacy at Work — Ethical Criteria 69 Notes ' The need for legislation or other measures to strengthen protection of individuals' privacy in working life seems to be well recognized by the authorities in most of the countries that have access to such technologies. Draft Law on protection of personal integrity in working life (LIA), SOU 2002: 18, Directive 95/46/EC, the European Parliament, The Personal Data Act, the Parliament, EU (1999) etc. have all been elaborated in response to the current technological situation.
^ In these two reports, The Office of Technology Assessment (OTA) surveyed major U.S. industrial companies, utilities, and unions about their use of this technology.
^ Automobile Workers v. Johnson Controls, Inc., 499 US.187 (1991).
'' In Swedish jurisdiction, patients have right to access to their hospital casebooks and are also allowed to publish them.
^ Hence privacy can be construed either as a nor- mative concept or as a descriptive concept that is coextensive with normative ideas. For our present purposes it is not necessary to choose between these two options.
* W D Ross famously developed the idea oi prima facie duties. Such a duty is a moral obligation, which is binding unless there is a stronger and overriding obligation. An actual duty, in contrast, is a remaining duty, all things considered. See Chapter 2, Ross (1930).
' On claimable rights, see Hansson (2001), pp.
208-218.
* Your right to privacy can of course be affected even in this situation, for example, if permission to visit the workplace in question demands submitting to a security check. However, that kind of privacy infringements seems not to make the workplace as such special in any relevant sense.
' The contract of employment can have different forms and origins. In most cases most of its contents are not negotiated between the employer and the individual employee. In addition to legal regulations, much of the contract's contents can originate in collective agreements with labour unions or in other forms of negotiations within companies.
'" Even if this bold statement certainly not is Cranford's own, it seems to follow from his argument that an employee's right to privacy only can be violated "... when personal information is collected or used by the employer in a way which is irrelevant to the terms of employment" (p. 1805).
" This point is for example articulated in the U.S.
Supreme Court Consolidated Rail Corp.
v. The Railway Labor Executives Association case. The union argued that the proposed drug testing program regulated an employee's private, off-duty conduct. The court rejected that argument and held that the parties need not agree on the details of drug testing methods or confidentially standards for Conrail's program to be justified by the party's contract.
'^ Werhane (1983, p. 16) defines accountability in the following fashion: a person, P is accountable for an action, A, if P is held liable to answer for respon- sibilities acquired by P's role, office, associations, station or situation.
'' Michael Cranford (1998) argues, in opposition to the conclusion above, that drug testing can be justified in terms of the contract of employment, to the effect that no illegitimate privacy intrusion occurs when drug tests are conducted. Nevertheless, Cranford thinks it still possible to come to the con- clusion that drug testing is a morally questionable practice: ". . . it [drug testing] still amounts to treating employees as a means to an economic end, and is therefore, fundamentally inconsistent with a substan- tive valuation of human worth and dignity" (ibid., p.
1806). The idea is thus that there are other moral concerns that conflict with drug testing practices.
Indirectly he can be said to put the very contract of employment into question; there must be something morally wrong with a contract of employment per- mitting an activity that offends "human worth and dignity". Furthermore, the argument is valid only insofar one ignores legal considerations concerning drug use. Drug use is in many contexts illegal and the employer could in some cases be held liable for tolerating its employees' behaviour in this regard.
'•* A predisposition to Alzheimer's disease is not yet, as far as we know, technically possible to detect via a genetic test. But it does not seem far-fetched to assume that predispositions that are in a similar way unrelated to work, will in a near future be techni- cally possible to detect in this way.
'^ In the U.S. Supreme Court case Skinner v.
RLEA the constitutionality of regulations, requiring private railroads to collect blood and urine samples from railroad crews after serious accidents, was challenged.
The Supreme Court found the testing program reasonable under the Fourth Amendment. One of the main arguments was that the public interest in determining the causes of serious railroad accidents adequately supported the regulations. In NTEU v.
Von Raab the Supreme Court recognized compelling government interests that supported programs that test 70 Anders J. Persson and Sven Ove Hansson police officers or other public employees. Another Supreme Court case. United States Department of Defense et al. v.
Federal Labor Relations, also addresses serious issues on balancing the public interest against the employees' interest.
References Brady, Teresa: 1995, 'The Ethical Imphcations of the Human Genome Project for the Workplace', International Journal of Applied Philosophy 10(1), 47-56.
Cranford, Michael: 1998, 'Drug Testing and the Right to Privacy: Arguing the Ethics of "Workplace Drug Testing', Journal of Business Ethics 17(16), 1805-1815.
Des Jardins, Joseph and Ronald Duska: 1987, 'Drug Testing In Employment', Business and Professional Ethics Journal 6, 3—21.
Draper, Elaine: 1991, Genetic Testing and Exclusionary Practices in the Hazardous Workplace (Cambridge University Press, New^ York).
Eriksson, Mimmi and Borje Olsson: 2001, 'Alkohol och drogtester i svenskt arbetsliv', Arbetsmarknad & Arbetsliv 7(4), 225-238.
European Council, The Directive 95/46 EC, the European Parliament.
European Parhament, Personal Data Act (523/1999).
Hansson, Sven Ove: 2001, The Structure of Values and Norms (Cambridge University Press, Cambridge).
Kupfer, Joseph H.: 1993, 'The Ethics of Genetic Screening in the Workplace', Business Ethics Quarterly 3(1), 17-25, Levine, M, P: 1982, 'Industrial Screening Programs for Workers', Environment 24(5), 26-33.
LIA, draft law on protection of personal integrity in working life, SOU 2002: 18.
Mill, John Stuart: 1869, On Liberty (Longman, Roberts & Green, London), Moore, Jennifer: 1989. 'Drug Testing and Corporate Responsibility: The "Ought Implies Can" Argument', JoMwa/ of Business Ethics 8, 279—287.
National Opinion Research Center: 1982, Survey of the Use of Genetic Testing in the Workplace, conducted for the Office of Technology Assessment, Washington DC.
Office of Technology Assessment (OTA): 1990, Genetics in the Workplace (US, Government Printing Office, Washington DC).
Ottensmeyer, Edward J,: 1991, 'Ethics, Pubhc Policy, and Managing Advanced Technologies: The Case of Electronic Surveillance', Jowma/ of Business Ethics, 519-526, Ross, Wilham David: 1930, The Right and the Good (The Clarendon Press, Oxford), Saarnio, Heikki: 1988, 'Health Examination and Scientific Inference in Occupational Health Service', Theor Med 9, 89-100.
Schoeman, Ferdinand: 1984, 'Privacy: Philosophical Dimensions of the Literature', in Philosophical Dimensions of Privacy (Cambridge University Press).
Simms, Michele: 1994, 'Defining Privacy in Employee Health Screening Cases: Ethical Ramifications Concerning the Employee/ Employer Relationship', Journal of Business Ethics 13(5), 315-325.
Uzych, L,: 1986, 'Genetic Testing and Exclusionary Practices in the Workplace', J, Public Health Policy, 37-57.
U.S.
Supreme Court Automobile Workers v. Johnson Controls, Inc., 499 U.S.187 (1991), Consoiidated Rail Corp. v. RLEA, 109 S. Ct, 2477, 131 LRRM 2601 (1989).
National Treasury Employees Union v.
Von Raab, 109 S. Ct, 1384 (1989), Skinner v.
Railway Labor Executives Association, 109 S, Ct. 1402, 130 LRRM 2666 (1989).
United States Dep't of Defense v.
EL.R.A., 510 US, 487 (1994).
Werhane, Patricia H,: 1983, 'Accountability and Employee Rights', International Journal of Applied Philosophy 1, 15-26, Philosophy Unit, Royal Institute of Technology, SE-lOO 44 Stockholm, Sweden E-mail: [email protected]; [email protected]
