Bill Text: NH SB393 | 2016 | Regular Session | Introduced


Bill Title: Relative to data privacy in the workplace.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced - Dead) 2016-02-18 - Refer to Interim Study, Motion Adopted, Voice Vote; 02/18/2016; Senate Journal 6

SB 393  - AS INTRODUCED

 

2016 SESSION

16-2863

06/09

 

SENATE BILL 393

 

AN ACT relative to data privacy in the workplace.

 

SPONSORS: Sen. Bradley, Dist 3

 

COMMITTEE: Commerce

 

-----------------------------------------------------------------

 

ANALYSIS

 

This bill clarifies the rights of employers and employees concerning the possession and control of data.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Sixteen

 

AN ACT relative to data privacy in the workplace.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Subdivision; Employer and Employee Control of Data and Devices.  Amend RSA 275 by inserting after section 75 the following new subdivision:

Employer and Employee Control of Data and Devices

275:76  Purpose.  The widespread use of computers and electronic devices, creation of data, and reliance on the Internet for business and personal purposes have created uncertainty and a need for clarification and balance between an employee’s legitimate expectation of privacy and an employer’s legitimate need to protect its interests.  The purpose of this subdivision is to clarify and balance those interests.  This subdivision ensures that an employer has the right to possess and control its own data and devices, while simultaneously protecting an employee’s legitimate expectation of privacy with respect to his or her own personal data and devices.

275:77  Definitions.  In this subdivision:

I.  “Data” means numbers, characters, booleans, symbols, values, and quantities in digital, optical, electrical, or mechanical form.  This term includes, but is not limited to, the following types of such data and compilations of such data:  binary and text code; a bit, bits, a byte, and multiple bytes; source, object, and machine code; executable code, files, and programs; operating systems and system files; applications and mobile applications; software and firmware; computer files, folders, and directories; cloud storage and cloud computing; word processing documents and files; portable document format or PDF, documents, and files; spreadsheet, chart, and graph documents and files; presentation documents and files; databases; personal information management files, such as Microsoft Outlook, Lotus Notes, iCloud, Google/Gmail, Microsoft Office 365, and Yahoo!; electronic mail, email, and webmail; contact information, such as physical addresses, phone numbers, and email addresses; calendars, contacts, tasks, notes, and journals; text, instant, photograph, and video messages; voicemail; signal, audio, and wave files; music, photographs, movies, and videos; books and magazines; graphics; graphical information documents and files; desktop publishing documents and files; computer aided design documents and files; accounting and financial documents and files; project management documents and files; customer relationship management or CRM, documents and files; script files; video gaming files; archive files; zip or compressed files; webpage and Internet files; markup language files; social media, networking, relationship, recruiting, reviewing, publishing, discussion, and news files; e-commerce files; blogs, weblogs, and microblogs; chat room files; log and batch documents and files; metadata; fragmented data; and residual and deleted data.

II.  “Device” means any digital, optical, electrical, or mechanical machine used to create, send, receive, access, store, or process data.  This term includes, but is not limited to, the following types of such devices:  servers, routers, network equipment, computers, desktops, laptops, tablets, telephones, mobile phones, and smartphones; handheld computers, personal digital assistants or PDAs, music, photograph, movie, video and media players, and storage devices; photograph and video cameras; televisions, reproduction machines, and copiers; digital video recorders, calculators, video gaming devices, internal and external hard drives, uniform serial bus or USB, compatible drives, other types of data processing and storage equipment; computer chips and processors, compact discs, CDs, and CD-ROMS; digital video discs or DVDs, floppy discs, microfiche and microfilm, and digital, optical, magnetic, and electrical tapes and drives.

III.  “Employee” has the same meaning as in RSA 275:42, II, and also includes prospective, current and former employees.

IV.  “Employer” has the same meaning as RSA 275:42, I, and also includes any employee or other person acting within his or her capacity as an agent of such employer.

V.  “Employer data” means any data that is:

(a)  Created, sent, received, accessed, stored, processed, owned, managed, administered, leased, rented, licensed, purchased, or paid for by, or registered to or in the name of the employer, or an employee or other person for any purpose of the employer or in his or her capacity as an agent of the employer.

(b)  On or in any other employer data or any employer device, unless it is personal data under paragraph VIII.

(c)  Sold, assigned, or transferred to the employer, including pursuant to any agreement, contract, policy, acknowledgment, or otherwise.

(d)  Otherwise the property of the employer.  Any data that would otherwise be employer data shall remain employer data even if mixed with personal data, or created, sent, received, accessed, stored, processed, managed, administered, leased, rented, licensed, or purchased on, in, or with personal data or a personal device.

VI.  “Employer device” means any device:

(a)  Acquired, owned, managed, administered, leased, rented, purchased, or paid for by, or registered to or in the name of, the employer or an employee or other person for any purpose of the employer or in his or her capacity as an agent of the employer.

(b)  Sold, assigned, or transferred to the employer, including pursuant to any agreement, contract, policy, acknowledgment, or otherwise.

(c)  Otherwise the property of the employer.  Any device that would otherwise be an employer device shall remain an employer device even if operated, managed, administered, accessed, or controlled with or by a personal device.

VII.  “Legitimate reason” means any good faith legal, business, operational, technological, administrative, financial, regulatory, employment, health, safety, or welfare reason for the employer to have possession, custody or control of, or access to, or to monitor, review, retain, copy, use, or disclose any personal data or personal device, provided that such reason cannot be a mere pretext for the employer to do so.

VIII.  “Personal data” means any data that is:

(a)  Created, sent, received, accessed, stored, processed, owned, managed, administered, leased, rented, licensed, purchased, paid for by, or registered to or in the name of, the employee for a personal or other non-employer related purpose.

(b)  On or in any other personal data or any personal device, unless it is employer data under paragraph V.

(c)  Sold, assigned, or transferred to the employee, including pursuant to any agreement, contract, policy, acknowledgment, or otherwise.

(d)  Otherwise the property of the employee.  Any data that would otherwise be personal data shall remain personal data even if mixed with employer data, or created, sent, received, accessed, stored, processed, managed, administered, leased, rented, licensed, or purchased on, in, or with employer data or an employer device.

IX.  “Personal device” means any device:  

(a)  Acquired, owned, managed, administered, leased, rented, purchased, or paid for by, or registered to or in the name of, the employee, unless done so by the employee or another person for any purpose of the employer or in his or her capacity as an agent of the employer.

(b)  Sold, assigned, or transferred to the employee, including pursuant to any agreement, contract, policy, acknowledgment, or otherwise.

(c)  Otherwise the property of the employee.  Any device that would otherwise be a personal device shall remain a personal device even if operated, managed, administered, accessed, or controlled by an employer device.

275:78  Employer and Employee Control of Data and Devices.

I.  Except as permitted in paragraph IV, no employer:

(a)  Shall request or require that an employee relinquish possession, custody, or control of or access to any personal data or personal device, including requesting or requiring that the employee:  

(1)  Give the employer any personal data or personal device.

(2)  Disclose any user name, password, or other such information related to any personal data or personal device.

(3)  Assign or transfer to the employer the registration, administration, account, title, ownership, or other indicia of ownership, or rights to any personal data or personal device.

(4)  Change or establish any setting associated with any personal data or personal device.

(5)  Include the employer within a category of persons authorized access to any personal data or personal device.

(b)  Shall knowingly or intentionally access, monitor, review, use, or disclose any personal data or personal device of an employee, even if it is on or in employer data or an employer device, except as specifically permitted pursuant to paragraph IV, provided that the employer may do so to the extent necessary to assess whether such data or device is personal data or a personal device.

II.  An employer shall, at the written request of the employee identifying specific personal data or a specific personal device and the actual or virtual location of it, relinquish possession, custody, and control of, and thereafter delete or destroy, any personal data or personal device of the employee within the employer’s possession, custody, or control, even if such personal data or personal device is on or in employer data or an employer device, provided that the employer:

(a)  May have possession, custody, and control of, access to, and may review and monitor any such data or device to the extent necessary to assess if it is personal data or a personal device.

(b)  May require, at the employer’s election, as long as the employer has not acquired, transferred, or retained the personal data or personal device in violation of any statutory, contractual, common law, or other legal duty to the employee, that the employee agree to pay all costs related to the employee’s request before undertaking any such work, and pay all such costs before relinquishing such personal data or personal device to the employee provided that the employer shall bear all such costs if the employer acquired, transferred, or retained the personal data or personal device in violation of a statutory, contractual, common law, or other legal duty to the employee.

(c)  May retain a copy of any such personal data and personal device if the employer is required to do so by any local, state, or federal statute, rule, regulation, procedure, process, or other law, including retention in anticipation of potential litigation.

(d)  Shall not be required to comply with this provision if the request by the employee is unreasonable or if the personal data or personal device is not reasonably accessible, provided that the employer shall not access, review, monitor, use, or disclose it unless permitted to do so pursuant to this paragraph or paragraph IV(c).

III.  No employer shall take or threaten to take any employment or other action or retaliate against any employee for resisting, complaining about, or refusing to consent to or cooperate with conduct prohibited by paragraph I, requesting or insisting that the employer comply with paragraph II, or asserting a claim or cause of action under paragraph I or RSA 275:79.

IV.  Notwithstanding paragraph I, an employer may:

(a)  Request or require, in writing, that an employee relinquish to the employer possession, custody, and control of and access to any employer data or employer device within the employee’s possession, custody, or control, including by requesting or requiring that an employee:

(1)  Give the employer any employer data or employer device.

(2)  Disclose any user name, password, or other such information related to any employer data or employer device.

(3)  Assign or transfer to the employer the registration, administration, account, title, ownership or other indicia of ownership or rights to any employer data or employer device.

(4)   Change or establish any setting associated with any employer data or employer device.

(5)  Include the employer within a category of persons authorized to have possession, custody, and control of, and access to any employer data or employer device.

(b)  Request or require, in writing, that an employee relinquish possession, custody, and control of, and thereafter delete and destroy, any employer data or employer device within the employee’s possession, custody, or control that is on or in any personal data or personal device, provided that the employee:

(1)  May have possession, custody and control of, and access to, and may review any such data and device to the extent necessary to assess if it is employer data or an employer device.

(2)  May require, at the employee’s election, as long as the employee has not acquired, transferred, or retained the employer data or employer device in violation of any statutory, contractual, common law, or other legal duty to the employer, that the employer agree to pay all costs related to the employer’s request before undertaking any such work, and pay all such costs before relinquishing such employer data or employer device to the employer provided that the employee shall bear all such costs if the employee acquired, transferred, or retained the employer data or employer device in violation of a statutory, contractual, common law, or other legal duty to the employer.

(3)  May retain a copy of any such employer data and employer device if the employee is required to do so by any local, state, or federal statute, rule, regulation, procedure, process, or other law, including retention in anticipation of potential litigation.

(4)  Shall not be required to comply with this paragraph if the request by the employer is unreasonable or if the employer data or employer device is not reasonably accessible, provided that the employee shall not access, review, monitor, use, or disclose it unless permitted to do so pursuant to this paragraph.

(c)  Have possession, custody and control of, access to, and may monitor, review, copy, retain, use, and disclose any employer data or employer device, provided that, if any such employer data or employer device contains any personal data or personal device, the employer may knowingly and intentionally access, monitor, review, copy, retain, use, and disclose such personal data or personal device only if:

(1)  The employer has a legitimate reason for doing so and a good faith, reasonable belief that the employer needs to do so for that legitimate reason.

(2)  The employer’s possession, custody, control, access, monitoring, reviewing, copying, retention, use, and disclosure of such personal data or personal device is limited to the scope of the legitimate reason for doing so.

(d)  Request or require, in writing, that an employee transfer, move, remove, delete, destroy, alter, or modify any personal data or personal account of the employee on or in any employer data or employer device within a stated, reasonable period of time, and thereafter do so itself if the employee fails or refuses to do so within the stated period of time.

(e)  Request or require, in writing, that an employee, at the employee’s election, either:

(1)  Give the employer a copy of the portion of personal data or a personal device sufficient for the employer to fulfill its legitimate reason for requesting or requiring it; or

(2)  Permit the employer to have possession, custody or control of, access to, or to review, monitor, copy, retain, use, or disclose personal data or a personal device, as long as:

(A)  The employer has a legitimate reason for doing so and a good faith, reasonable belief that the employer needs to do so for that legitimate reason;

(B)  The employer’s possession, custody, control, accessing, monitoring, reviewing, copying, retention, use, and disclosure, of such personal data or personal device is limited to the scope of the legitimate reason for doing so; and

(C)  The request by the employer is reasonable and the personal data or personal device requested is reasonably accessible.

(f)  Provided that the policies, practices, and procedures do not otherwise specifically violate paragraph I, adopt and enforce policies, practices, and procedures governing employer data and employer devices and any conduct related to any data and devices, including personal data and personal devices, while the employee is working for the employer or on or in employer premises or property; and

(g)  Take or threaten to take any employment or other action against an employee for failing or refusing to comply with, consent to, or cooperate with conduct permitted by paragraph IV.

V.  Notwithstanding paragraphs I through IV, an employer or employee may:

(a)  Have possession, custody and control of, access to, and may monitor, copy, retain, use, and disclose any personal data, personal device, employer data or employer device that is generally publicly available, such as by the use of an Internet browser, or that can be obtained from another person without that other person violating any legal duty the person has to the employer or employee or any legal right of the employer or employee, provided that such conduct does not otherwise specifically violate paragraphs I through IV;

(b)  Assert or maintain a claim or cause of action arising out of or related to any personal data, personal device, employer data, or employer device, such as actions for conversion, breach of contract, breach of duty, misappropriation of trade secrets, unfair competition, defamation, and other causes of action, as long as such claim or cause of action is not contrary to paragraphs I  through IV;

(c)  Have possession, custody, or control of, access to, and may review, monitor, copy, retain, use, and disclose any personal data, personal device, employer data, or employer device through lawful process, such as a subpoena or discovery in a legal action; and

(d)  Comply with any local, state, or federal statute, rule, regulation, procedure, process, or other law that is or may be contrary to paragraphs I through IV and nothing in this subdivision shall diminish or release any duty that an employee or employer has to preserve or collect data or devices in anticipation of potential litigation.

275:79  Remedies.

I.  An employee may assert a claim or cause of action in any state or federal court of competent jurisdiction against the employer for any violation of RSA 275:8, I.

II.  An employer may assert a claim or cause of action in any state or federal court of competent jurisdiction against:  

(a)  Any employee who fails or refuses to fully comply with any lawful request or demand by the employer under RSA 275:78, IV(a) or IV(b); and

(b)  Any other person who solicits, induces, entices, aids, abets, assists, participates, or engages in any such violation.

III.  In any action under paragraphs I or II, the court may issue temporary, preliminary, and permanent injunctive relief enforcing RSA 275:78, I, IV(a) and IV(b) and other equitable relief, award actual damages if any, and, if the violation is willful or malicious or the claim or cause of action is frivolous or meritless, award costs of the action and reasonable attorney’s and litigation fees and expenses to the prevailing party.

275:80  Short Title.  This subdivision may be cited as the Workplace Data Privacy Act.

2  Repeal.  RSA 275:73 through RSA 275:75, relative to use of social media and electronic mail, is repealed.

3  Effective Date.  This act shall take effect 120 days after its passage.
