Big Business or Big Brother? The Risks of Employee Monitoring

Neil Hodge | November 2, 2020

For decades, companies have monitored their employees’ activities at work and on office equipment, checking telephone records, email traffic and internet histories. It is often part and parcel of corporate life and many employees have learned to accept it. These checks can help uncover misconduct such as fraud and malicious data breaches, while also providing a better idea of how long teams may be involved in particular projects, whether they have the correct IT tools for the job, and how processes can be sped up.

Now, as the COVID-19 pandemic has created a prolonged need for staff to work from home, many companies are instituting more thorough checks on how employees are operating while off-site. There can be valid concerns underpinning this decision. Some companies feel they no longer have the same level of security control around the use of corporate information. Others cite concerns about productivity and a lack of visibility into how employees are spending their time. In highly regulated industries like financial services, it has also become much more difficult to oversee and ensure compliance among staff in notoriously risky functions, such as trading floors, where market manipulation is a concern.

At the same time, many are increasingly concerned that keeping such a close eye on workers can be tantamount to spying, especially when there is readily available and affordable technology that can go as far as tracking workers’ time in front of their computers or recording each keystroke.

Some software can capture videos of an employee’s screen and access their computer’s camera to take photos of the employee every 10 minutes to see whether they are slacking off. Other IT tools can create a minute-by-minute timeline of every app and website an employee views, categorizing each as “productive” or “unproductive” to help build that person’s “productivity score.” 

Privacy campaigners and labor organizers are among those who are skeptical of this technology’s proliferation and its adoption by employers. Companies may be overstepping, and fears are growing that this kind of intensive tracking and monitoring is unnecessary, obtrusive and possibly illegal.

How Far Is Too Far?

Some employers are undoubtedly abusing technological capabilities to assert control. For instance, one company told staff working from home to keep a video conference call open all day so a manager could watch them and issue any orders that popped into his head, just as he would in an ordinary office environment. Meanwhile, some firms have forced employees to download apps that track their location, and others reportedly use time-keeping apps that record when laptops, smartphones and tablets are idle.

Some organizations began adopting more intense employee surveillance practices even before the pandemic. In August, the United Kingdom’s data privacy regulator, the Information Commissioner’s Office (ICO), confirmed that it was investigating allegations that Barclays had effectively been spying on employees by using an intrusive software system that monitored workers’ activity.

Since last year, Barclays has been piloting a software system called Sapience, which gives companies “insights into work patterns” and tracks productivity by monitoring employees’ computer use, according to the vendor’s website. But it was only in February of this year—after negative staff feedback and critical media reports—that the bank changed tack and announced that the software would track only anonymized data moving forward.

Before this update, individuals may have been easily identifiable from personal data the software collected, according to the ICO. Such concerns are a particularly sensitive issue in the United Kingdom and Europe, where data privacy rights are fiercely protected under the General Data Protection Regulation (GDPR). Infringing upon such rights can result in fines of up to 4% of a company’s global turnover, whether the organization is based in Europe or not.

Barclays has not made any public comment on the ICO’s ongoing investigation. However, this is not the first time that the bank has gotten in trouble for monitoring staff. In 2017, it faced widespread criticism when it rolled out a system known as OccupEye that tracked how long people spent at their desks.

Other organizations have admitted using similar technology. PwC created a facial recognition tool to help financial institutions track employees as they work from home. The software taps into employees’ webcams to capture face images and detects when employees are not in front of their screens during work hours. PwC said the technology aims to help ensure regulatory compliance among traders “in the least intrusive, pragmatic way.”

While such technology may not be illegal, lawyers warn that companies must inform employees that they are going to be subject to such monitoring and ensure the use is “proportionate.”

“Many employers will be anxious to have oversight of what their staff are doing and technological options that track activity and output seem like the obvious answer,” said Jane Amphlett, head of employment at law firm Howard Kennedy. “However, it’s not enough just to tell staff that they will be monitored in this way. Employees’ workplace privacy rights go beyond a right to be informed.”

Indeed, employers need to tread carefully when it comes to monitoring employees’ working patterns more closely. “Getting this wrong could be a serious breach of data protection legislation and be damaging for the company’s reputation,” said Sally Mewies, head of technology at law firm Walker Morris. “Employers will need to ask themselves why the relevant level of monitoring is needed and think hard about whether there is a less intrusive way of achieving the same end. It is unlikely to be enough cause to introduce workstation-style monitoring simply on account of an increase in home working due to the COVID-19 pandemic.”

Even when employers are satisfied that the monitoring is both justified and lawful, they must update privacy notices and policies and ensure that staff are made aware in an open and transparent way about how—and why—the monitoring is taking place, and for how long. “Such measures will be relevant not only to compliance with the core principles of the data protection regime, but also to whether affected employees can validly point to an infringement of the right to private and family life,” she said.

In reality, there is little to stop a company from simply adding draconian terms to its employment contract or privacy notice and forcing employees to agree. “Employers can easily change policies, send out notices to staff, and get them to click ‘agree’ on an email,” Mewies said. “If they don’t agree to the new terms, their employment can be terminated. Employees may try to bring a claim and, depending on the jurisdiction and the law, a regulator may investigate and issue a fine if it finds wrongdoing, but such actions are comparatively rare.”

If a company’s monitoring is too intrusive, the organization may suffer a reputational backlash, especially if a regulator officially issues a fine or other sanction. Anonymous tips from employees to the press can also tarnish a company’s name.

However heavy-handed or unethical the monitoring may be perceived to be, Mewies said, employers are likely to weather the storm so long as the actions do not break the law. For example, Amazon has long been criticized for its approach to monitoring employees, but has not been materially impacted. For years, the company has required “pickers”—the warehouse workers who locate the products for orders—to wear monitoring devices to track productivity. So far, none of the criticism has significantly dented its bottom line or resulted in successful litigation.

Monitoring with Care

Transparency and proportionality are important, and employers should always choose the least intrusive way to monitor employees. According to James Simpson, head of employment at Blaser Mills Law, a useful rule of thumb is “if the monitoring feels excessive from the public’s point of view, then it probably is.”

To avoid crossing the line, companies should perform a data impact assessment to help focus on why the monitoring is necessary and to assess other possible approaches that would avoid or mitigate the need for monitoring. In some cases, a simple phone call with a line manager to discuss work and provide constructive feedback could suffice. These assessments would also help businesses draft and publish the necessary policies and procedures to keep employees informed and help maintain trust in management.

Legal experts warn that organizations need to take great care that any monitoring is not so intrusive that it could generate claims of discrimination or unfair dismissal if workers are fired as a result of any “evidence” gathered.

“It is important to apply a consistent approach to monitoring and to be mindful of the risks around discrimination,” said Sarah Skeen, associate at law firm TLT. “In circumstances where a particular employee requires increased levels of monitoring, such as when there are specific performance concerns, the employee should be made aware of this. Employers also need to ensure there are sufficient safeguards in place to prevent abuse or over-monitoring. Clear guidance should be issued to managers on the extent to which they can monitor and how this should be carried out.”

Experts also warn that just because monitoring employees via their keyboards and computer screens may be legal, it does not necessarily mean that everything workers do needs to be analyzed and recorded, or that all staff needs to be monitored in the same way to avoid allegations of bias. “It is one thing to conduct surveillance on a specific individual, in a targeted way and for a limited time, because you have reason to suspect they are up to no good, but it’s quite another to monitor everyone, all of the time, just in case they do something they should not,” said Camilla Winlo, director of data privacy consultancy DQM GRC.

“The problem isn’t the monitoring itself, but the fact that the intrusion into employees’ privacy doesn’t match the scale of the threat,” she said. “Although most detective controls—those used to identify risks—will require some trade-off between workers’ privacy and their safety, such tools can result in monitoring not just employees’ work habits, but their overall lifestyle choices, which is a potentially legally risky situation given that workers may also be legitimately using a computer in a private capacity from their own home.”

To avoid potential legal pitfalls, Winlo suggested that employers ask themselves if the monitoring controls can properly capture evidence of wrongdoing. If there is no way to use a less intrusive alternative, she said companies should also look at how far they can restrict the number of individuals whose privacy they intrude upon. Having an authorization process that only permits surveillance for certain types of serious misconduct could help ensure limits are maintained.

It is also important for companies to consider how they manage employees’ feelings about being monitored. “Most employees do not expect to be under permanent surveillance and would consider it intrusive and unwelcome,” Winlo said. “However, it is also likely that employees would understand that an employer would need to take reasonable steps to detect and prevent serious risk events. As a result, how will you consult with and inform employees so they understand when they might be under surveillance and agree that is proportionate under the circumstances? This needs serious consideration.”

Preserving Privacy Rights

Organizations may also need to consider the privacy implications of such monitoring, as rules vary by country or jurisdiction. In the United States, data privacy regulations are rapidly evolving. There are currently no federal laws prohibiting employers from monitoring their workforce, but state laws in Connecticut and Delaware require employers to notify employees about the monitoring of electronic communication and/or internet use. Employee notification requirements also exist in countries like Canada and Australia. In Europe, most elements of employee monitoring are also legal as long as employees are aware and have given consent. Depending on the jurisdiction, companies may need to follow additional requirements, such as specifically identifying the legal reasons for monitoring, carrying out a data protection impact assessment, or giving employees sufficient advance warning about the type of monitoring that is being introduced, the reasons for it and how the data can be used.

“While the automated monitoring of emails that check for viruses is standard practice and unlikely to be controversial, some types of monitoring—such as recording the time taken to undertake tasks on a computer or time away from the keyboard—are considerably more intrusive and require very careful consideration before they are introduced to be able to justify their use,” said Rachel Tozer, employment partner at Keystone Law. “This can cause internal issues for international company groups, particularly where the parent company is based in a country that takes a different approach to monitoring. Legal requirements—as well as the social norms—of each country need to be considered if employers wish to avoid damaging employee/employer relations.”

Some experts have argued that employee monitoring may actually be counterproductive, increasing employee stress and distrust. Instead, to truly address concerns about productivity and employee activity, companies may need to clearly define workforce requirements around output and hours. Then, they should begin active dialogues with employees about those expectations and any impediments to achieving them or necessary modifications to work schedules. In cases where compliance concerns make surveillance technology necessary, they should focus on ensuring minimal and internally consistent implementation. In all scenarios, companies should be assessing the legal risks of their planned course of action and should be communicating with employees.

With remote work likely to remain a significant part of corporate life, remote monitoring of employee productivity and behavior may continue to grow. Organizations need to exercise caution and restraint about how far they take the process, and whether to use such tools all the time, for everyone, everywhere. Particularly when faced with the choice of either consenting or being fired, employees may assent to such surveillance practices, but regulators and courts may not agree, and companies could face stiff penalties for taking spying on workers too far, in addition to the reputational impact of crossing the line between big business and big brother.

Neil Hodge is a U.K.-based freelance journalist and photographer.