The demand for employee monitoring software has increased dramatically since the pandemic started. A 2021 ExpressVPN survey found that 78% of employers with remote and hybrid workers were using these tools, with 57% of them implementing them within the last six months at the time of the survey.
Alongside this increased prevalence of employee data collection we now see legislation that improves the privacy rights of employees, such as new laws requiring employers to notify employees of electronic monitoring in New York and Ontario.
Just what can employers monitor? What they can monitor varies widely based on a variety of factors, including the jurisdiction of the company and its employees, collective bargaining agreements, and the balance between the employer’s legitimate interests and the impact on employee privacy.
For example, throughout much of the United States, employers nearly have carte-blanche to engage in employee monitoring on employer-owned systems, as long as there’s sufficient transparency and a policy in place forbidding employees from using the systems for personal use.
On the other hand, companies subject to Europe’s General Data Protection Regulations (GDPR) must prove that they have a lawful ground to collect computer usage data from their employees. They must also conduct a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) prior to the monitoring, alongside several other obligations.
Monitoring principles employers should follow
This section will outline the most important principles found throughout employee privacy legislation. Even when not required by law employers may want to consider following these principles to reduce the privacy impact of employee monitoring.
- Have a clear purpose.
Before any monitoring takes place employers must have a clear understanding of their goals and what data they must collect to meet those goals. For example, an employer may monitor application usage to optimize the procurement and deprovisioning of software. Without clearly defined goals, a business cannot adequately establish whether or not their data collection serves their legitimate interest while respecting the principle of proportionality. In addition, personal data collected for a given specific, explicit, and legitimate purpose must not get processed further in a manner incompatible with that purpose.
- Proportionality.
While employers have a variety of legitimate interests for monitoring employee computer activity such as detecting malicious activity and ensuring employees are following company policies, the methods used to serve these interests must be minimally invasive and not cause undue harm to the privacy of employees.
For example, advanced threat monitoring technologies have become increasingly sophisticated in what data points they can collect. While an employer has a legitimate interest in ensuring the safety of their network, certain features, such as screen recording and key logging may be disproportionately invasive when less invasive alternatives for detecting security threats are available.
- Data minimization and protection.
Employers must ensure that data collected gets adequately protected according to its risk level. They must also ensure that they keep the data for only as long as necessary to meet their stated legitimate interests. Any data uniquely attributed to a given individual should get treated as sensitive as the monitoring tools may collect personal information such as indications that the employee belongs to a protected class. As such, companies must protect data collected by employee monitoring tools against unauthorized access and they must provide anyone with access to the data with training regarding the appropriate use of the data.
- Transparency and informed consent.
Attempting to covertly monitor employees can have significant negative impacts—70% of American employees in a Harris Poll survey indicated that they would consider quitting if they discovered that monitoring was performed without their prior knowledge. Employers can improve transparency by taking the following steps:
Provide employees with an electronic monitoring policy that clearly discloses the forms of monitoring used, the specific data collected, and the intended purpose of the data collection; involve a representative sample of employees during the planning process to ensure that their concerns are factored into the decision making process; provide employees with access to their own data so they can see exactly what is being captured.
Employers require some level of data collection to ensure the security of their networks and productivity of their employees. To ensure that employers do this data collection in a fair and minimally invasive way, they must have a clear purpose, limit data collection and retention, use employee data fairly, and get informed consent from their employees before they implement employee monitoring tools.
Neel Lukka, president, CurrentWare