I Spy With My Corporate Eye: The Employee Services Conundrum

It’s a conundrum: Companies want employees to be satisfied with their corporate services, but great user experiences in this context can require a certain amount of employee tracking that could affect employees’ views about workplace privacy. Even M doesn’t really want to know whether James Bond prefers his martini shaken, not stirred, but it may be incidental to the CCTV cameras in the MI6 café that keep assassins at bay! Companies have to manage potentially complex trade-offs between employee privacy, company security and user experience, including services such as BYOD programs, context-aware apps and even call monitoring for quality assurance.

Why do companies track employee data and behaviors?

In some instances, they have legal obligations to do so—safety and security, for example. But companies also want to prevent data/IP loss, improve productivity (are we cyberloafing AGAIN? Of course we are!), set appropriate cost standards, avoid liability for employee malfeasance, investigate misconduct and improve—or even predict—user experiences. In addition, a recent study by Aruba Networks states that 40 percent of Middle Easterners, 45 percent of Europeans and 66 percent of Americans fear loss of personal data from their employer, which leads them to try and hide their use of personal devices at work, and fail to report data loss or breaches. So we can’t necessarily trust all employees to appropriately manage their own behaviors.

Yet many users have notions about privacy that don’t match their actions—recently I was at an employer event where a coworker was complaining quite strongly that he was concerned about his privacy rights because of the recent publications about the NSA’s PRISM program. Not five minutes later, an employee none of us knew waltzed up and requested that we allow him to take photos of our employee badges—which contain our names and facial photos. My fellow employee promptly held up his badge for the taking of said photo without even asking who the person was, why he wanted the photos, and what he intended to do with them. Huh?

So it can be tricky business for a company to balance individual notions of privacy with real privacy rights, legal obligations and the desire to improve the workplace for all of us. Employee services that can collect personal information and hence impinge on an employee’s perceptions of privacy—justified or not—date back to historical and mundane things such as work-sponsored clubs, birthday parties, photos, on-site health services, travel arrangements and the age-old inebriated prank of photocopying one’s rump at the annual holiday party. Fast forward to today’s environment and we have seemingly innocuous services such as badge entry systems and call recording for quality assurance, social networking[1], ergonomic wellness tools, BYOD programs and exciting new devices such as Google Glass that could potentially record our every movement. Further, companies may contemplate offering additional helpful services, such as smart vending machines that serve up computer peripherals but track your purchases; Friend Finder, where you can find where your favorite mobile coworkers are located at every moment; and options to “get us out of password hell” that may require collection of biometric information.

Regarding technological aids, context is becoming king: If I want to have increased access to corporate apps when I’m not on my corporate PC, then who I am, where I am and my trust level can unlock that door.

But taken even further, we can encounter what I like to call privacy-impacting “anti-services”. Did you know that CVS Caremark, a large US drugstore chain, recently said it would require its 200,000 employees to report their weight, blood sugar and cholesterol or be forced to pay an annual penalty of $600 for healthcare? It also will require that smokers try to quit. Several other major employers have also adopted such policies.

All this tracking, whether for good or not, brings potential legal risk. A cornucopia of different types of laws can be involved: data protection laws, security laws, human rights laws, constitutional laws, contract laws, data transfer, data access and labor laws. Often these laws are not harmonized, making it difficult for a large global company to standardize certain services. Simply offering employees social media services invokes a number of different laws, including common law privacy rights; employment laws regarding discrimination based on personal information a hiring manager may find on a candidate; labor laws regarding free speech about the company; IP laws regarding loss of trade secrets or who owns a Twitter handle; and newer state laws prohibiting employers from requiring social media passwords[2]. According to Gartner, Inc., 60 percent of corporations are expected to implement formal programs for monitoring employees’ external social media for security breaches and incidents by 2015. Many organizations already engage in social media monitoring as part of brand management and marketing, but less than 10 percent of organizations used these same techniques as part of their security monitoring program in 2012.

So what can employers do when they are offering services that may not be justified solely as continued obligations to reasonably manage employee security risks?

The first step is to analyze the new service under a privacy risk assessment process; questions poking at exactly how these services are being offered can help design them appropriately. The second step is to remember that companies need to be practical and determine reasonable criteria to prioritize service launches globally and find the right return on investment between the benefits to employees and the legal and reputational risks of getting it wrong.

Corporate-sponsored employee services can be beneficial for all of us, especially given the increasing co-mingling of our work and personal lives. We can improve employee health and safety, engage in social networking, facilitate finding expert help amongst our employee base, allow employees to use their own devices at work, allow them to access work-related systems while away from work and allow them to continue engaging in a reasonable degree of personal activities on company-owned systems. Doing it right—i.e. launching every new service with appropriate forethought and transparency as to the trade-offs—can make all the difference between a real service and a perceived “anti-service.”

If I were M, I would always want to know how James Bond wants his martini and would gladly go to the effort of personally posting many obvious notices of CCTV monitoring of same.

[1] Of course social media carries other risks, such as improper posting of confidential information, erroneously appearing as an authorized spokesperson, and too much cyberloafing if we’re on our Facebook accounts all day.

[2] The legislatures of at least ten states in the U.S. have passed laws regulating employer activity in this space, with many more states, and even Congress, considering such laws.

Written By

Ruby Zefo, CIPM, CIPP/US

