Employers are increasingly becoming concerned about lost productivity, malware infections, distribution of company information, as well as their liability for sexual and other forms of harassment when explicit documents are exchanged via e-mail or the web. As such, many companies implement employee monitoring.
According to ABC News, nearly 80 percent of major companies monitor the internet usage, phone and email of their employees. There are many benefits to this practice including:
- Ensuring workplace safety
- Increasing productivity
- Detecting illegal/unethical behaviors
- Enhancing data security
Ensuring employees are not engaging in illegal/unethical activities is increasingly important as these acts may result in financial and/or reputational risk to the entire organization. No organization is immune from these risks. Our 4-part series can help you learn about the different types of employee fraud:
- Asset Misappropriation
- Corruption
- Financial Statement Fraud
- Data, Intellectual Property and Identity Theft
While protecting against risks, employers must ensure they are practicing legal and ethical workplace monitoring. In the current conditions dominated by the coronavirus pandemic, many businesses have opted to use automated means to monitor staff productivity. However, from an employee’s perspective, the use of monitoring software may be intrusive if not distressing. Furthermore, without regard to data protection laws, the practices may potentially be illegal.
This article will help you practice legal and ethical workplace monitoring by breaking down the topic into the following parts:
- What is Workplace Monitoring
- Benefits and Consequences of Inadequate Workplace Monitoring
- Legal Requirements by Country and Jurisdiction
- Recommended Limitations to implement for Employers
- Best Practices for Legal and Ethical Workplace Monitoring
What is Workplace Monitoring
Workplace monitoring is used by employers for a variety of reasons including safeguarding their employees, for security reasons, or due to a legal or regulatory need to monitor. It is important to have a clearly defined purpose for any workplace monitoring, such as the discovery of health and safety breaches, as this can be communicated to staff to alleviate feelings of intrusion as well as ensuring any information or evidence is only used for the defined purpose. There is a range of ways that an employer can monitor the workplace, which include:
- CCTV
- Checking websites visited.
- Automated software checking employees’ emails.
- Opening mail or emails received by an employee.
- Listening in on telephone conversations.
- Searches of employees, their work area or their bags.
Benefits and Consequences of Workplace Monitoring
There are many benefits to workplace monitoring practices. However, employers face multiple consequences when workplace monitoring practices are inappropriate, i.e. excessive, intrusive, or otherwise poorly managed.
Benefits of Workplace Monitoring
Employers who practice workplace monitoring measures know how important it is to keep their employees’ personal information private. They have clear policies that set out what information the business can collect and keep, and when it can be passed on to others.
If employers take a best practice approach to workplace privacy, they can enjoy a number of benefits. These may include:
- complying with legal obligations
- improved productivity
- certainty and security for both you and your employees.
Legal Compliance
Through workplace monitoring, you can catch employees who are either breaking company policies or laws. This is critical as organizations may face legal and financial liability for these actions.
Improved Productivity
The way an employee uses their time has a significant impact on the productivity of the organization. By monitoring employees, you can understand work patterns and trends which can help detect ways to enhance productivity.
Moreover, when employees know that their performance and behavior are being monitored, this may encourage them to become more focused and less distracted in their work. This pushes employees to go the extra mile towards efficiency.
Certainty and Security
Having a well-defined monitoring program will help employees to feel more comfortable with the systems put in place and to know the boundaries of that monitoring system. Further, if the system is targeted at safety and security, this can help employees to feel like any threats to their safety will be identified and dealt with early.
Consequences of Inappropriate Workplace Monitoring
Although employee monitoring can be an extremely useful tool when used appropriately, inappropriate workplace monitoring may lead to several consequences including:
- Reduced employee trust
- Increased turnover
- Lost supervisor time, since someone needs to review the data and surveillance material
This could be due to many reasons. For instance, employees may perceive surveillance as a sign that the management does not trust them to complete their jobs properly. Employees may also feel a decreased sense of job satisfaction due to perceived mistrust, which may lead to increased turnover.
Furthermore, workplace surveillance typically serves to stop or reduce employees from wasting time, but the process also takes time away from supervisors who must perform the monitoring. This means the person in charge of surveillance may have less time for other responsibilities.
Breaches in Privacy and Personal Information
When monitoring employees, employers will likely stumble upon personal information, such as bank account information, health records, or profoundly private emails. The risk of a cyber-attack adds an additional layer of risk for companies to consider. If a monitoring system were to be hacked, revealing employees’ personal data, this could potentially constitute a personal data breach.
Therefore, employers should consider the reasons for collecting personal information and whether there is a collection method that avoids collecting unnecessary personal information, and implement secure measures to protect employees’ data.
Invasion of Privacy
Some common examples of invasions of privacy include:
- If an employer conducts surveillance without notifying employees (except in cases of covert surveillance which may involve cases such as sexual harassment and workplace bullying)
- When an employer conducts surveillance in places like toilets, parent rooms, and showers
- Installing software onto an employee’s computer or phone without their permission to track their activity
- Installing a keylogger onto an employee’s computer to track keystrokes without the employee’s knowledge and/or for unjustified reasons
- Publicly disclosing private facts, in this case, facts that were obtained through workplace monitoring
In some jurisdictions, employers are allowed to install monitoring software on any company-provided device without informing the employee, while in other jurisdictions permission is required. Regardless, there are two important considerations regarding the above. Firstly, this only applies to company-provided devices. Installing any such software on an employee’s personal device without their consent is a serious invasion of privacy. Secondly, just because something is legal in your jurisdiction does not mean it will sit well with employees, or even be ethical, and it may result in a damaged employment relationship.
Legalities and Ethics
Data privacy is about the access, use and collection of data, and the data subject’s legal right to the data which often refers to the:
- Freedom from unauthorized access to private data
- Freedom from inappropriate use of data
- Accuracy and completeness when collecting data about a person or persons (corporations included) by technology
- Availability of data content, and the data subject’s legal right to access; ownership
- The rights to inspect, update or correct these data
However, different individuals place different values on privacy. This means an action that is acceptable to one person may not be acceptable to another. Therefore, it is important to set clear, upfront expectations and maintain transparency. Employers should communicate information such as:
- what personal information they collect
- why they are doing so
- who they might pass that information on to
- how they can access their own personal information
- how to verify or correct their personal information if it is incorrect, out of date or incomplete, even when not required to by law.
This will decrease mistrust or any confusion regarding the workplace monitoring practices.
Mistrust
Inappropriate workplace monitoring may hurt employee morale. Employees may feel doubted or as if their employers do not trust them, and this may lead to increased turnover. Employers can resolve this issue by informing their team upfront about their workplace monitoring practices. This way employees will understand it’s a company-wide protocol and that they are not being singled out or targeted. Where possible, give employees a justification and an opportunity for input so that they feel the implementation was handled fairly.
Legal Requirements by Country
Organizations must ensure that if they do practice workplace monitoring, it is in accordance with applicable laws. Laws and regulations vary across nations and jurisdictions. Non-compliance can lead to serious legal, reputational and financial risk to organizations. We’ve outlined the legal requirements in a few key jurisdictions.
United States
The Electronic Communications Privacy Act (ECPA) permits an employer to monitor all activities on a computer that is company property. Activities may include:
- Internet use
- Software download
- Documents or files stored on a company’s computer
- Anything that is displayed on an employee’s computer screen
- How long an employee’s computer has been idle
- Keystrokes per hour
- Emails (both incoming and outgoing)
Employers can legally monitor employees who are not on-premises, including those who are working from home on a company laptop. They may also monitor social media usage during company time.
However, employers must abide by relevant state laws. For instance, in Connecticut, employers that use electronic monitoring are required to give employees prior notice.
United Kingdom
Organizations in Europe are subject to the General Data Protection Regulation (GDPR), which requires that they process information about individuals, including their employees, in accordance with a number of standards, such as that processing is fair, lawful, and transparent. If an employer uses monitoring software to collect information such as how long employees have sat in front of their screens or spent on the internet, it must comply with the GDPR.
The GDPR emphasizes:
- Informing employees about data collection methods
- Getting consent for personal data collection
- Security of collected data
According to the GDPR, computer monitoring is allowed provided:
- Employees are given advance notice of the monitoring through a clear internal policy
- It is done for a legitimate business purpose and doesn’t restrict an employee’s fundamental right to privacy
The GDPR also requires that where high risk processing activities are carried out, organisations must carry out a data protection impact assessment, or DPIA. The purpose of the DPIA is to ensure that the principles of data protection by design and by default are incorporated into any new initiatives.
Australia
The Privacy Act (1988) does not specifically cover surveillance in the workplace. However, organizations are required to follow relevant state laws. NSW and the ACT have surveillance laws that apply specifically to workplace surveillance, and Victoria limits the use by employers of surveillance devices in certain parts of the workplace (e.g. washrooms).
The laws in the ACT and NSW require employers to:
- Give the employees 14 days’ notice before commencing surveillance, unless they agree to waive the notice period (which can be done in the employment agreement).
- Notify the employee of the type of surveillance, as well as how the surveillance will occur, when it will start and for how long it will continue and whether it is continuous or not. The ACT legislation also requires employers to outline the purpose for which the employer may use and disclose surveillance records.
- Have a policy in place relating to surveillance.
- Post clearly visible signage about camera surveillance (if any). The cameras must be clearly visible too.
- Notify employees that they are under tracking surveillance (if any).
In Victoria, the Surveillance Devices Act 1999 makes it an offence to use an optical device or listening device to carry out surveillance of the conversations or activities of workers in workplace toilets, washrooms, change rooms or lactation rooms.
The ACT Act also prohibits surveillance of employees in places such as toilets, change rooms, nursing rooms, first-aid rooms and prayer rooms, and surveillance of employees outside the workplace.
In NSW, the Workplace Surveillance Act regulates the use of computer surveillance, camera surveillance, and audio surveillance technology, as well as geo-tracking technology. It outlines when it is appropriate or legal to use these devices and when it is illegal to do so. For instance, overt surveillance is surveillance that employees have been notified of. Under the Workplace Surveillance Act 2005, overt surveillance is unlawful unless a minimum of 14 days’ notice has been given in advance. The notice must contain details of:
- The equipment undertaking the surveillance (video, audio, tracking);
- When the surveillance will commence;
- Whether the surveillance will be intermittent or continuous; and
- Whether the surveillance will be for a specific time or ongoing.
Covert surveillance refers to surveillance that is undertaken without the knowledge of the employee(s). The Act strictly prohibits covert surveillance unless the employer obtains a ‘covert surveillance authority’ which has been issued by a Magistrate authorising the surveillance to determine whether the employee(s) are involved in unlawful activity at work.
When issuing a covert surveillance authority, the Magistrate will consider the following:
- The seriousness of the unlawful activity;
- Whether it will affect the right to privacy of other employees in the area; and
- Whether reasonable grounds exist to justify the surveillance authority.
The Act restricts computer surveillance by employers including monitoring or recording of information accessed and sent. It also regulates the surveillance of internet access by employees and prohibits the blocking of emails.
Under the Act, surveillance of an employee’s computer use can only be carried out where:
- There is an existing policy on computer surveillance in the workplace; and
- Notice has been given to the employee in advance; and
- The employee is aware of and understands the policy.
The Act also prohibits the blocking of emails sent to or by an employee except under certain conditions. Emails can be blocked if:
- It is in accordance with the computer policy of the workplace;
- The content of the email contained a virus;
- The email was spam;
- The email can be reasonably regarded as being menacing, harassing or offensive.
Aside from the above regulations, the Act specifically prohibits surveillance in certain areas. These include change rooms, toilets, showers or bathing facilities at a workplace. Employers should be careful to ensure that surveillance methods do not impinge on their employees’ rights to privacy.
It is recommended that employers in other states adopt the same level of transparency as employers in NSW and the ACT to align with employee sentiment and good practice.
In addition, the Australian Law Reform Commission (ALRC) recommends that surveillance laws, including workplace surveillance laws, be made uniform.
Recommended Limitations for Employers
Even if your country or jurisdiction does not specifically address employee monitoring practices, should the evolving data privacy landscape lead to the adoption of laws, there is a possibility that they will be heavily influenced by current legislation. Here are recommended limitations for employers based on the GDPR framework.
- Stealth monitoring: As a part of informed consent and transparency, employers are not permitted to use monitoring technologies that attempt to obfuscate their presence. Monitoring technologies must be used transparently and employees should be informed of their use.
- Blocking vs monitoring: In the case of managing internet access, employers should block access to undesirable websites rather than relying on continuous monitoring.
- Use data as stated: As per the purpose limitation principle of GDPR, monitoring data should only be used for the exact purpose that it was intended for unless the data will be used for a substantially similar purpose or you get consent to reappropriate the data.
- Automated decision making: While employee monitoring data can be used to identify unproductive or inappropriate browsing behavior, the decision to discipline an employee must not be made automatically by the software. Human intervention is required to analyze the data and make an informed decision.
- Avoid targeted monitoring: The monitoring of targeted individuals without a legitimate need is strongly advised against. The best practice is to use aggregated data for general monitoring and only increase in specificity if undesirable behavior persists.
- Personal communications: Employers should not knowingly intercept personal communications (emails, telephones, etc.), even if they are taking place on work devices. The existence of a policy against personal use may help prevent personal use of assets, however once a given communication is known to be personal the employer should cease monitoring.
Best Practice Guide for Legal and Ethical Workplace Monitoring
Employers have legal and ethical requirements to consider when monitoring employees. The following principles will serve to guide an implementation of an employee monitoring strategy that meets critical business goals without unnecessarily compromising the privacy of your employees.
Clearly state your workplace monitoring purposes
Clearly defined monitoring goals are more than simply a proactive measure for ensuring a successful adoption of monitoring; the explicit statement of monitoring objectives is often mandatory under workplace monitoring regulations. Without clearly defined goals, a business will not have the means of establishing that its implementation of employee monitoring serves its legitimate interest while respecting the principle of proportionality.
Respect the principle of proportionality
One of the core principles of leading data privacy mandates is proportionality. In the context of employee monitoring, this means any monitoring activity must have a legitimate business interest which outweighs any potential harm to the privacy rights of employees.
GDPR in particular heavily emphasizes that the privacy rights of the data subject are paramount, strongly indicating that monitoring must be limited to the minimum extent required to achieve the objectives of your company. As part of implementing new workplace monitoring technologies, you will be expected to conduct a Privacy Impact Assessment that clearly documents the potential privacy impacts the proposed technology may have on employees.
Ensure transparency
While the degree of transparency will differ by jurisdiction, here are key transparency principles that will greatly inform monitoring strategies.
- Policy development: Detailed policies are effective for informing employees of the extent of the monitoring practices that will be implemented within the organization. These policies should clearly outline the measures taken, the goals of the implemented measures, and the expectations the organization has of its employees. It is recommended that a representative sample of employees be involved in assessing the legitimacy of the proposed solutions.
- Explicit consent: The inherently unbalanced power dynamic present in the employer/employee relationship means that employers should not rely on implicit consent as the legal basis for justifying their monitoring practices. Explicit written consent is the recommended measure for communicating and enforcing monitoring-related policies.
- DSARs: CCPA and GDPR both have provisions that relate to the right of data subjects to request access to the data that is held by data controllers. Under these laws, employers must be prepared to answer Data Subject Access Requests (DSARs) from employees in a timely manner. This may include information such as the purpose of data processing, how long the data will be kept, source of data, etc.
Here are a few ways to monitor employees fairly:
- Make sure your policies explain in detail what aspects of your employees’ devices and the office are monitored.
- Have your workers sign an agreement that states they are aware of your policies.
- Clearly state your expectations in terms of work ethic and behavior. For example, let employees know that sharing company information with outside sources is against protocol.
- Follow the guidelines according to your state.
- Make sure you’re monitoring employee activity for your company’s sake. Tracking for selfish or personal reasons beyond that is unethical.
- Monitor all of your employees to the same degree so no one on your team can claim they’re being treated unfairly.
Polonious is Here to Help
Many businesses can benefit from employee monitoring. This is especially true for businesses with remote employees, as it gives them a better handle on what team members who aren’t seen in the office every day are working on.
While workplace monitoring can prevent fraud, theft, and other employee misconduct, Polonious case management software can help you investigate such incidents when they do occur. Polonious’ enhanced, secure evidence management capabilities ensure that you can retain any evidence gathered from your monitoring activities for as long as required for the case, while keeping it safe from potential leaks.