Can I Monitor my Employees? A Legal Guide

When we hear the word ‘monitor’ we may think of a ‘Big Brother’ type scenario of ever-watchful eyes. However, in business, being able to monitor an employee might play a very important part of ensuring your Intellectual Property, including source code, is safe. When done well and appropriately, it can also be a part of your risk management strategy. It can even be useful in dispute management.

There is, however, a balance that needs to be achieved. This balance involves the business need to maintain safe working practices with the employees right to privacy. So, how far can you go, what is achievable in monitoring employees and what is legal?

What is Employee Monitoring?

As our tasks at work have become ever more digitized being able to contain information, including IP, can be a challenge. Our workplaces are also no longer held within a perimeter. Remote working, multi-party collaboration using cloud-apps, and technologies like instant messaging, have created a very open workplace. This can lead to misuse and mishaps, including loss of IP, sensitive data leaks, and proprietary information exposure; all can end up as a costly business.

Monitoring of certain aspects of an employee’s work tasks can help to prevent lawsuits, data leaks that result in loss of competitive edge, and reputation damage.

Monitoring can take a number of typical forms:

1. Application usage – this can be done using audit tools which create events and output log files to create reports
2. Phone use – this should be limited to business phones that are paid for by the company, but BYOD has opened up a challenge for employee monitoring
3. Emails and other communication systems – company emails can be audited using Data Loss Prevention tools (DLP)
4. Physical tracking – such as entry to buildings, parts of buildings, video surveillance, etc. this is achieved using RFID key pass, biometric entry, and similar technologies
5. Security awareness training – this is a special case of employee monitoring that allows you to train users in being security aware. The training usually outputs metrics showing how individual employees react to certain situations

The information generated by one or more of the above systems can be used as an effective way to audit and monitor employee activity. These data can be used for a variety of reasons, including:

• General information on employee efficiencies in the task and productivity – this may be especially applicable with remote workers
• Preventing the leakage of company sensitive data
• For training purposes and security awareness
• Spotting insider threats before they become incidents (reactive)
• Spotting poor security strategies that have led to an insider threat (proactive)

How to Monitor with Respect

In a recent survey by Gartner, looking at employee monitoring practices, they found that 50% of companies used employee monitoring. This type of monitoring was seen as ‘nontraditional’ in that it used technology to monitor emails, social media messages, etc. Gartner has also predicted that by 2020, 80% of companies will adopt technologies to monitor staff.

With the best will in the world, monitoring your employees can become a contentious issue.  As employee monitoring becomes the norm, it needs to be done with respect and applied proportional to the risk level. If you do not pay attention to the negatives of employee monitoring it can backfire.

Privacy has also become an increasingly hot topic in the world because of the misuse of technology. As business owners, we need to be cognizant of this. One of the outcomes of the Garner survey mentioned above was that monitoring was accepted by employees if it was done in a transparent manner. Being up-front about who you are monitoring and why helps acceptance.

Legal Aspects of Monitoring Employees

Monitoring your employees is an option you need to use that is weighed against legal liabilities that overlap with employee activity. A survey from the ePolicy Institute has highlighted the level of issues that companies have to deal with, these include:

• 28% of employers have fired workers for email misuse
• 30% of bosses have fired workers for Internet misuse
• Over 65% of employers have fired workers for inappropriate online content

Each country, and in the U.S. even individual states, have their own legal frameworks that cover employee monitoring. You should understand your local laws around employee privacy before embarking on employee monitoring. Here are some general, common-sense rules to use:

1. Monitor respectfully – for example, if using video surveillance use it in common areas and not private places like bathrooms
2. Collect consent when appropriate – this is especially important in certain monitoring situation, for example, when recording HR-related meetings
3. Be transparent about monitoring – as mentioned above, transparency is appreciated by staff who are more likely to accept the practice if they understand what it involves and why you are carrying it out. This is backed up by further research from a Harris Poll focusing on U.S. employees. The poll showed that 64% of Americans said employers had the right to monitor employees’ digital activities on personal or work-issued devices – as long as they were transparent about it. Further, around 70% of employees would leave an employer if they found out they were being monitored and the employer had not been upfront about it.
4. Balance monitoring with privacy laws – there are a number of legislative frameworks across countries and U.S. states that require a company to be privacy respectful with employee personal data. If you collect personal data as part of your monitoring activities, you need to ensure that it is protected in a compliant manner.
5. Acceptable Use Policy (AUP) – this is a useful document that acts as a contract. An AUP will set out the normal working practices of your organization in terms of security and privacy. It can set out certain activities that will be monitored and it can be useful to link back to in an employee dispute.

Monitoring Digital Communications and Activities

You should always check your local laws for any nuances in the use of monitoring software applied to digital activities. Laws usually have a precedent to allow certain monitoring activities to take place as part of the legal interests of an organization to protect their Intellectual Property (IP). Usually, monitoring of digital communication can take place if the equipment is used partly or wholly for work purposes and monitoring is for work reasons.

Bring Your Own Device (BYOD)

In the case of an employee using their own device for work purposes, i.e., BYOD, the situation is less clear. Personal devices need to be covered by a BYOD policy. This policy will set out the limits of access to the device. You will need to have some access rights to allow you to comply with legislation or to carry out forensic security investigations. You will also need to stipulate in the policy the security measures the device will use to protect company confidential information – this may include monitoring tools.

Social Media

Use of social media by employees is a fuzzy area still. In the U.S. certain social media communications can fall under the remit of “protected free speech” and are therefore protected under law. Monitoring of employee social media needs to be balanced with the protection of company IP and sensitive information. Create a social media policy that expressly sets out what is and isn’t allowed on social media with respect to your organization.

Cloud Apps and Other Media

There are now myriad digital ways that employees communicate. This includes cloud-based apps and portals as well as forums. Cloud computing has created a perfect storm for malicious or accidental misuse of company IP and other data. Monitoring of these media should be considered within the confines of legislation.

Email

This is one digital communication that is almost expected to come under scrutiny; email is, after all, about business communications. In the U.S. The Federal Electronic Communications Privacy Act (ECPA), has permissions for employers to monitor employee use of company-owned devices, such as mobile devices, laptops, and other computers. This covers the use of email. However, you should always do so in a transparent manner that meets the regulatory requirements on privacy.

Other countries have similar provisions and you should seek out your local equivalent laws and regulations. Always check your own countries laws before monitoring employees.

Remote employees

Remote workers can be a challenge in both management and productivity. You need to allow your staff to have autonomy, yet, you also need to ensure they are performing their role. In some situation knowing the location of your remote employee is also important. If done well, employee monitoring of remote staff can be a win-win. Monitoring of remote work can provide an environment where any layer of micromanagement is removed. Your organization will be able to better project manage remote workers, as well as be sure of safe working practices, from a distance.

Employee Monitoring for Safe Working Practices

Employee monitoring is a generally acceptable form of IP and data management.  However, it must be performed with these things in mind:

• Your local laws
• Privacy regulations
• Employee transparency and involvement

By monitoring your employees, you can make sure that your productivity is optimized, use of company assets is appropriate and that security, privacy and IP protection are upheld. There are a number of ways that you can monitor employees and it is a case of finding the best fit method that works in an appropriate and respectful manner. In terms of digital communications and app use, Data Loss Prevention (DLP) tools offer a good balance between ensuring employee privacy whilst stopping any accidental or malicious leak of data or IP.  Finding this balance is key to employee acceptance of monitoring. It also helps to ensure that you stay on the right side of the law.