Tread carefully when monitoring employees

Published on August 18, 2023 by Annu Liss Anto and Anitha Revanna

The work-from-home (WFH) framework adopted amid the pandemic has made employee monitoring even more critical and compliance officers started closer watch of all activities. Seventy-three percent of all teams are expected to have remote workers by 2028, according to CNBC’s “How millennials and Gen Z are reshaping the future of the workforce” report. However, employee monitoring, with the use of artificial intelligence (AI) and machine learning (ML), could run into legal issues

What is employee monitoring? 

Employee monitoring is a compliance activity monitoring technique that organizations implement for purposes such as the prevention and detection of valuable data breaches, employee engagement, increasing privacy and improving unproductive business operations.

Employee monitoring policy: 

The lack of employee monitoring policies in a company may result in the misuse of employees’ private data. This undermines the fundamental right to privacy; businesses and employees must be informed of the relevant regulations in place.

According to general employment laws, an employer is permitted to digitally monitor employees. State and local laws detail how far an employer can go with the employee monitoring programs. If an employee uses a business asset for an activity unrelated to the business, the company does not require any consent to monitor such activity unless the users are informed about the tracking. Employees would also be aware that they are not allowed to use their personal communication networks to communicate work-related details.

Legal limitations on employee monitoring: 

Employee monitoring policies are regulated by one or more government or private entities. Some countries may stipulate that these breach an individual's fundamental constitutional rights. Employee monitoring measures are critical, as they could benefit both employers' and employees' interests. We list below some of the relevant laws.

Electronic Communications Privacy Act of 1986 (ECPA): 

The ECPA safeguards individuals in the US from unauthorised intervention of electronic communications. It limits the ability to commence computer transmissions, wire taps and tracing of telephone communications and stored electronic communications, etc. Cybersecurity-related investigations are increasing, so it is important to be aware of these laws.

General Data Protection Regulation (GDPR):

Most employee monitoring measures are lawful in the EU. However, the practices must be subject to the provisions of the GDPR. The GDPR holds organisations accountable for protecting the personal information they obtain from employees. It focuses on what data is stored by a company, how the data is updated and how the collected data is protected. The use highly stringent and intrusive electronic monitoring techniques could have a detrimental effect on staff morale. The GDPR mainly covers the EU, but compliance with the regulation is incumbent upon any organisation that deals with data subjects based in EU member states.

The Russian Federal Law: 

The Russian Federal Law on Personal Data (No. 152-FZ), executed on 27 July  2006, forms the backbone of Russian privacy laws and demands data operators to make all the managerial and technical arrangements required for personal data protection against unlawful or unintended access.

• Determine legitimate reasons: The reasons for employee monitoring needs to be well defined, to enhance employee cooperation. They could include improving security of staff and company assets or increase company productivity by monitoring employees' work to facilitate analysis and reporting. 

• Maintain transparency: Employees should be aware that they are being monitored; the stored data, which may include personal information, needs to be kept secure. 

• Have a standard policy: Employee-monitoring policies should clearly define what employee data is stored and what is not. This protects an individual’s fundamental right to privacy.

• Acquire consent: Employee-monitoring policies require employee consent. It will ensure they do not keep or save personal information on company-provided laptops or smartphones. 

• Use of authenticated systems: The company is responsible for the security of personal data and surveillance recording of employees. Ensuring security while using third-party software or personnel is vital for avoiding misuse of personal data. 

The above was a short description of regulatory policy. If an organisation does not have an employee-monitoring policy in place, it is well within the rights of the employee to raise this concern to higher management. An employer is expected to act in a legitimate way to access employee data. It is also the employer’s responsibility to maintain a balance between corporate concerns regarding surveillance and security and employee privacy. Policies must be reviewed periodically and amended when required.

How Acuity Knowledge Partners can help

We help draft policies and with employee monitoring in compliance with laws in the country. We also keep abreast of international regulations and suggest ways to mitigate risk that employers could consider prior to monitoring employees.

Source:

• Monitoring Employee Behavior Through the Use of Technology and Issues of Employee Privacy in America (sagepub.com)

• Electronic Communications Privacy Act of 1986 (ECPA) | Bureau of Justice Assistance (ojp.gov)

• Art. 88 GDPR – Processing in the context of employment – GDPR.eu

---

---