Mobile devices and wearables are gathering more information than ever before about the movements and activities of employees, both during and after work hours. A plethora of technological solutions allow employers to track keystrokes, applications, website and file usage, instant messaging chats, e-mails, Internet connections, screenshots, software installations and more.
A Swedish bio-hacking group has, for example, created a small RFID chip that can be implanted under an employee's skin for easier identification and tracking. Another company, BehavioSec, has developed a patented "behaviometrics" technology that measures and analyzes a person's behavioral patterns, rather than their physical attributes, for verification purposes. Some of their products measure how a person types on a keyboard, uses a mouse and interacts with programs, “offering a new generation of information-security solutions simply by using the individual itself as its core asset; an asset that is extremely hard to replicate, which makes it the ultimate solution against identity theft."
Another company, Sociometrics Solutions, produces “wearable electronic sensing devices” that measure real-world social behavior, “capable of capturing face-to-face interactions, extracting social signals from speech and body movement and measuring the proximity and relative location of users.” The data is then combined “with other data sources such as electronic communications, objective productivity metrics and spatial analysis to provide unprecedented insights on how complex work gets done in the modern organization.”
“Using this platform, we help organizations unlock the potential of their people, and develop iterative and disruptive innovations to match their evolving business demands,” their website states.
Clearly, employee-tracking technology is only going to increase in sophistication and privacy invasiveness.
No doubt, there are benefits to the organization. It can improve work performance by increasing coordination, collaboration and attendance, motivate employees to follow protocols and stay on task and reduce risk to the organization and ensure better legal compliance.
However, it can also negatively affect employee morale. Plus, if not handled properly, monitoring can attract negative media attention on the company. Monitoring also creates a number of legal compliance risks here in the United States, including the Electronic Communications Privacy Act, the Stored Communications Act, the National Labor Relations Act, the Americans with Disabilities Act and other anti-discrimination laws—not to mention state laws regarding social media and biometrics, among others.
So, what issues and obstacles must an employer in the U.S., and around the world, consider in implementing employee monitoring programs?
"I think it’s very important for us to look at these technologies through the lens of the employee," said Pfizer Chief Privacy Officer Patrice Ettinger, CIPP/US, at this year’s Privacy. Security. Risk. (PSR) conference in Las Vegas.
Here’s why: Each day when people go to work they scan RFID badges, walk through lobbies surveilled by CCTV, have their biometrics screened when clocking in to work and their movements tracked via a mobile app or some other wearable. Instant messages are saved and emails are monitored. This all contributes to a perceived Big Brother-like atmosphere for employees.
As someone that is still new to the privacy field, I have found hypotheticals especially helpful in understanding the questions that should be asked when faced with issues like employee monitoring. At PSR, Ettinger, along with the other panelists—Morrison & Foerster Partner Christine Lyon and Visa CPO Jack Yang—presented the following case study to their audience of privacy professionals.
You are the Privacy Director for Acme Inc. The HR Director stops by your office and tells you that your VP of sales is planning to fire an employee for deleting a mobile app from her phone that all field sales employees are required to have installed so the organization can track them. This employee has deleted the app and refuses to re-install it onto her phone. The HR director wants to know what privacy issues they should be aware of before firing the employee.
Like many hypotheticals, this situation was intended to raise more questions than answers, and even the panel itself disagreed on how much deference should be given to the VP and HR in making the firing decision. One panelist said to go ahead with the firing, while others wanted more information. Questions raised by the panel and the audience alike included:
- What is the context of the situation?
- Are there employment law issues that should be taken into consideration?
- Do we know whether the employee had notice about the app and that they were being tracked?
- Did the employee have an option of alternative methods of monitoring if they were uncomfortable with the app?
- What are the employee's rights so far as access to the data collected about them?
- What was the employee's expectation of privacy while doing their job, and what is the legitimate business purpose behind the app?
- What is the nature of the particular employee's job—do they ever actually go out into the field, or do they spend all of their time at the office making sales calls?
- Why was the app required for this employee in the first place?
- How does the app work?
- Does it also monitor the employee during non-work hours?
- Was the app installed on an employer-supplied device, or on a personal device?
And while these questions often result in complex answers, and while current laws in the U.S. generally find monitoring legal, concerns about effectiveness and ethics still come into play. It is, indeed, a gray area. Different federal laws apply in various sectors, and there is no overarching law for employment privacy in the U.S. And while states have enacted various employment privacy laws in different situations, these vary state by state, all adding to the complexity of the legal and regulatory framework.
Legal compliance also depends on the type of employer, and the employment relationship. For example, in the case of government employees, monitoring must comply with the Fourth Amendment. However, private employees do not enjoy that same constitutional protection as it is there to protect individuals from the government and not from their private employer. Or, if an employee is a member of a labor union, then the National Labor Relations Act and a collective bargaining agreement may protect the employee’s interests.
In reality, some form of monitoring will have to take place, regardless of an organization’s stance on workplace privacy. For instance, the Federal Rules of Civil Procedure require that organizations do not delete or overwrite data that may be relevant to current or future litigation (this includes e-mails, files, and other communications). Statutes such as HIPAA, Gramm-Leach-Bliley and Sarbanes Oxley also contain requirements to retain and secure data in specific ways.
Nonetheless, there are ways to assuage your employees’ fears of the perceived Big Brother.
Employee education is especially important and can often be overlooked, possibly resulting in cynical and paranoid employees seeking ways to circumvent monitoring technologies. Employees should understand what employee monitoring is, what will be monitored and why it is good for the organization. Employers should communicate that the use of monitoring is not arising from a lack of trust, but rather is intended to protect the organization and its employees. If an employer chooses to monitor a company-owned device or system, then employees should understand that they do not have a reasonable expectation of privacy when using that device or system. Correspondingly, the employer must be careful to closely follow its stated monitoring policies.
Undoubtedly, employee monitoring is going to increase in prevalence in the workplace, and with that, there are going to be new legal and ethical questions and concerns for privacy professionals to deal with. Luckily, there are also some great resources out there to assist organizations in navigating the complexities of employee monitoring. But no matter what changes do come—technological, legal or otherwise—organizations should continue to view these issues through the lens of the individual, as Ettinger advocates. It is perhaps the best first step in achieving privacy conscious and legally compliant employee monitoring programs
photo credit: Office Politics: A Rise to the Top via photopin (license)