OneTrust_Square Banner_300x250_DD_ROS_01_19

By Matthew Barach

A Big Brother type software application from Microsoft might be the next wave of employee monitoring in the American workplace. Microsoft has filed patent application number 20070300174 in the United States for a "unique monitoring system," which is capable of tracking an employee's productivity, physical state and stress level. According to the patent application, the detection component would monitor, "heart rate…skin response…EMG, brain signals, respiration rate, body temperature, facial movements, facial expressions and blood pressure."  The monitoring could be conducted on a desktop computer, laptop, cell phone, pocket phone and even an employee's PDA. The device would link workers to their computers' via wireless sensors.

Traditionally, "accepted forms of employment monitoring have been in the Internet, email and telephone monitoring," points out Jacqueline Klosek, a privacy attorney at Goodwin Proctor LLP and author of the recently published War on Privacy. She adds that additional employee type monitoring technologies have been "related to employment movements such as GPS technology. This is a new realm."

The practical applications of this system might provide employers with the ability to identify user strengths and weaknesses, and it will also allow monitors to provide employees with various forms of workplace assistance. Assistance could be Web- or human-based.

"This particular patent application, in general, describes an innovation aimed at improving activity monitoring systems," stated Horacio Gutierrez, vice president of intellectual property and licensing at Microsoft, "and uses the monitoring of user' heart rates as an example of the kind of physical state that could be monitored to detect when users need assistance with their activities, and to offer assistance by putting them in touch with other users who may be able to help."

The legal record of the workplace privacy battle between employers and their employees is akin to the Harlem Globetrotters versus the Washington Generals, with employees playing the hapless role of the Generals. American courts have consistently ruled that employees have no or little right to privacy in the workplace. Courts have attempted to balance an employee's reasonable expectation of privacy with the business use for such intrusion. The business purpose for employee monitoring has usually outweighed the employee's expectation of privacy.

"Employers do have a fair amount of latitude in monitoring data," said Philip Gordon, head of the Privacy & Data Protection Practice Group at Littler Mendelson. "Under the Federal Wiretap Act employers can't monitor unless they get consent for telephone calls, but employers run into more substantial barriers when they move from monitoring thoughts over computer networks as expressed in communications over employers resources, versus employees' bodily functions; that's the distinction."

In one stark illustration of a company's ability to monitor their employees, a federal court found no "reasonable expectation of privacy in email communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management" in the case of Smythe v. Pillsbury.

In cases such as McLaren v. Microsoft Corporation, courts have justified employee monitoring in the Internet field based on property rights of employers over their equipment, and the understanding that the workplace is not in the private domain. Courts have also upheld employee monitoring over liability concerns, such as inappropriate behavior by employees in the workplace, as with Garrity v. John Hancock Mutual Life Insurance Company.

Additionally, state and federal laws have offered few restrictions on employee monitoring. The Electronic Communications Privacy Act of 1986, which extends the Federal Wiretap Act to prohibit unauthorized interception of electronic communication, is not usually relevant in the work sphere, as companies monitor emails through the retrieval of stored communication rather than interception. Also, the Electronic Communications Act provides exceptions for provider authorization and user consent. Only two states, Connecticut and Delaware, have passed laws requiring notice to employees prior to workplace monitoring of email communications.

As a result of the legal context and the growth in technology, monitoring remains a staple in the modern workplace. According to a February 2006 fact sheet by the Privacy Rights Clearinghouse, "Recent surveys have found that a majority of employers monitor their employees. (T)hree-fourths of employers monitor their employees' Web site visits… 65% use software to block connections to Web sites deemed off-limits for employees. About a third track keystrokes and time spent at the keyboard. Just over half of employers review and retain electronic mail messages."

The growing presence of biometric technology is also changing the American workplace. Biometric technology can identify an individual based on unique physiological or behavioral characteristics. The common biometric example is a fingerprint, but other technologies include iris and retinal scans and facial recognition. According to a whitepaper presented by the Security Industry Association, biometrics are being used so, "employers can control who has access to what equipment, prevent fraudulent time and attendance entries and protect their assets from theft."

Interestingly, because of biometric technologies' association with security, employees seem willing to accept these new systems. According to a recent Harris Interactive survey, "four out of five employees and managers said they would be willing to have an ID card issued by their employer that would contain their photo, basic personnel information and a biometric identifier, such as a fingerprint."

But there might be limitations on what employees will ultimately accept from their employers, even in the biometric arena. Take mandatory microchipping, the practice of installing a microchip under the skin. Gordon writes that, "According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute, more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation." In fact, a number of states have outright banned the practice.

But future workplace monitoring techniques, such as those being developed by Microsoft, and the others that are sure to follow, might be beyond what courts, legislatures and employees have faced in the recent past. "This is an additional level of monitoring. You could draw conclusions that may or may not be correct," said Klosek.

As Attorney Gordon states, "There is an issue under the American Disabilities Act of requiring employees from undergoing medical exams. This type of monitoring could be considered a medical exam because it would reveal health-related concerns."

The question for courts and privacy advisors will continue to be how to best balance the ability to monitor employees versus employees' rights.

"The balance is the comfortable work environment for associates, you don't want the monitoring to hurt their productivity," said Zoe Strickland, vice president and chief privacy officer for Wal-Mart Stores, Inc. "It is a hard line to draw because it's new. Employers will need to balance productivity versus oversight."

Best practices will be to explain fully and clearly the policy and its rational as well as obtaining an associates' consent. "Number one best practice is to put in place a policy to make very clear what the rules are," stated Gordon.

If courts and legislatures have been the guide in the past, then employers will continue to have great latitude in controlling the workplace. Innovative forms of technology will likely play an even greater role in monitoring employees in the American workplace. However, although American courts and governments may not place many limits on privacy in the workplace, practical business decisions will likely still rule the day.

"The market plays a strong role in controlling privacy," said Klosek.

Privacy advocates will be forced to examine closely the rationale of high-tech forms of future monitoring for their organizations. Highly intrusive forms such as videotaping employees' lavatories and inserting microchips in employees will likely remain out of bounds, but monitoring for security and efficiency, particularly with consent, is likely to be the future of the American workplace. Privacy advisors will need to work closely with security leaders, IT departments and legal counsel to safely implement emerging workplace monitoring technologies.

"The privacy officer should engage in this area," added Strickland. "The question is, should we do it and, if we do, what should happen? Difficult decisions will need to be made as to when it's important to monitor."

As the future of workplace monitoring evolves along with technology, significant developments are sure to come to pass.

"Some of our patent applications reflect inventions that are currently present in our products and other applications. This particular application does not relate to any of Microsoft's current product plans," said Gutierrez.

Matthew Barach, CIPP/G, is an attorney and senior privacy consultant at Boston Privacy Group, and a member of the IAPP. He can be reached at


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»