IAPP-GDPR Web Banners-300x250-FINAL

By Matthew Barach

A Big Brother type software application from Microsoft might be the next wave of employee monitoring in the American workplace. Microsoft has filed patent application number 20070300174 in the United States for a "unique monitoring system," which is capable of tracking an employee's productivity, physical state and stress level. According to the patent application, the detection component would monitor, "heart rate…skin response…EMG, brain signals, respiration rate, body temperature, facial movements, facial expressions and blood pressure."  The monitoring could be conducted on a desktop computer, laptop, cell phone, pocket phone and even an employee's PDA. The device would link workers to their computers' via wireless sensors.

Traditionally, "accepted forms of employment monitoring have been in the Internet, email and telephone monitoring," points out Jacqueline Klosek, a privacy attorney at Goodwin Proctor LLP and author of the recently published War on Privacy. She adds that additional employee type monitoring technologies have been "related to employment movements such as GPS technology. This is a new realm."

The practical applications of this system might provide employers with the ability to identify user strengths and weaknesses, and it will also allow monitors to provide employees with various forms of workplace assistance. Assistance could be Web- or human-based.

"This particular patent application, in general, describes an innovation aimed at improving activity monitoring systems," stated Horacio Gutierrez, vice president of intellectual property and licensing at Microsoft, "and uses the monitoring of user' heart rates as an example of the kind of physical state that could be monitored to detect when users need assistance with their activities, and to offer assistance by putting them in touch with other users who may be able to help."

The legal record of the workplace privacy battle between employers and their employees is akin to the Harlem Globetrotters versus the Washington Generals, with employees playing the hapless role of the Generals. American courts have consistently ruled that employees have no or little right to privacy in the workplace. Courts have attempted to balance an employee's reasonable expectation of privacy with the business use for such intrusion. The business purpose for employee monitoring has usually outweighed the employee's expectation of privacy.

"Employers do have a fair amount of latitude in monitoring data," said Philip Gordon, head of the Privacy & Data Protection Practice Group at Littler Mendelson. "Under the Federal Wiretap Act employers can't monitor unless they get consent for telephone calls, but employers run into more substantial barriers when they move from monitoring thoughts over computer networks as expressed in communications over employers resources, versus employees' bodily functions; that's the distinction."

In one stark illustration of a company's ability to monitor their employees, a federal court found no "reasonable expectation of privacy in email communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management" in the case of Smythe v. Pillsbury.

In cases such as McLaren v. Microsoft Corporation, courts have justified employee monitoring in the Internet field based on property rights of employers over their equipment, and the understanding that the workplace is not in the private domain. Courts have also upheld employee monitoring over liability concerns, such as inappropriate behavior by employees in the workplace, as with Garrity v. John Hancock Mutual Life Insurance Company.

Additionally, state and federal laws have offered few restrictions on employee monitoring. The Electronic Communications Privacy Act of 1986, which extends the Federal Wiretap Act to prohibit unauthorized interception of electronic communication, is not usually relevant in the work sphere, as companies monitor emails through the retrieval of stored communication rather than interception. Also, the Electronic Communications Act provides exceptions for provider authorization and user consent. Only two states, Connecticut and Delaware, have passed laws requiring notice to employees prior to workplace monitoring of email communications.

As a result of the legal context and the growth in technology, monitoring remains a staple in the modern workplace. According to a February 2006 fact sheet by the Privacy Rights Clearinghouse, "Recent surveys have found that a majority of employers monitor their employees. (T)hree-fourths of employers monitor their employees' Web site visits… 65% use software to block connections to Web sites deemed off-limits for employees. About a third track keystrokes and time spent at the keyboard. Just over half of employers review and retain electronic mail messages."

The growing presence of biometric technology is also changing the American workplace. Biometric technology can identify an individual based on unique physiological or behavioral characteristics. The common biometric example is a fingerprint, but other technologies include iris and retinal scans and facial recognition. According to a whitepaper presented by the Security Industry Association, biometrics are being used so, "employers can control who has access to what equipment, prevent fraudulent time and attendance entries and protect their assets from theft."

Interestingly, because of biometric technologies' association with security, employees seem willing to accept these new systems. According to a recent Harris Interactive survey, "four out of five employees and managers said they would be willing to have an ID card issued by their employer that would contain their photo, basic personnel information and a biometric identifier, such as a fingerprint."

But there might be limitations on what employees will ultimately accept from their employers, even in the biometric arena. Take mandatory microchipping, the practice of installing a microchip under the skin. Gordon writes that, "According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute, more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation." In fact, a number of states have outright banned the practice.

But future workplace monitoring techniques, such as those being developed by Microsoft, and the others that are sure to follow, might be beyond what courts, legislatures and employees have faced in the recent past. "This is an additional level of monitoring. You could draw conclusions that may or may not be correct," said Klosek.

As Attorney Gordon states, "There is an issue under the American Disabilities Act of requiring employees from undergoing medical exams. This type of monitoring could be considered a medical exam because it would reveal health-related concerns."

The question for courts and privacy advisors will continue to be how to best balance the ability to monitor employees versus employees' rights.

"The balance is the comfortable work environment for associates, you don't want the monitoring to hurt their productivity," said Zoe Strickland, vice president and chief privacy officer for Wal-Mart Stores, Inc. "It is a hard line to draw because it's new. Employers will need to balance productivity versus oversight."

Best practices will be to explain fully and clearly the policy and its rational as well as obtaining an associates' consent. "Number one best practice is to put in place a policy to make very clear what the rules are," stated Gordon.

If courts and legislatures have been the guide in the past, then employers will continue to have great latitude in controlling the workplace. Innovative forms of technology will likely play an even greater role in monitoring employees in the American workplace. However, although American courts and governments may not place many limits on privacy in the workplace, practical business decisions will likely still rule the day.

"The market plays a strong role in controlling privacy," said Klosek.

Privacy advocates will be forced to examine closely the rationale of high-tech forms of future monitoring for their organizations. Highly intrusive forms such as videotaping employees' lavatories and inserting microchips in employees will likely remain out of bounds, but monitoring for security and efficiency, particularly with consent, is likely to be the future of the American workplace. Privacy advisors will need to work closely with security leaders, IT departments and legal counsel to safely implement emerging workplace monitoring technologies.

"The privacy officer should engage in this area," added Strickland. "The question is, should we do it and, if we do, what should happen? Difficult decisions will need to be made as to when it's important to monitor."

As the future of workplace monitoring evolves along with technology, significant developments are sure to come to pass.

"Some of our patent applications reflect inventions that are currently present in our products and other applications. This particular application does not relate to any of Microsoft's current product plans," said Gutierrez.

Matthew Barach, CIPP/G, is an attorney and senior privacy consultant at Boston Privacy Group, and a member of the IAPP. He can be reached at mpbesq@comcast.net.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»