I Spy With My Corporate Eye: The Employee Services Conundrum

It’s a conundrum: Companies want employees to be satisfied with their corporate services, but great user experiences in this context can require a certain amount of employee tracking that could affect employees’ views about workplace privacy. Even M doesn’t really want to know whether James Bond prefers his martini shaken, not stirred, but it may be incidental to the CCTV cameras in the MI6 café that keep assassins at bay! Companies have to manage potentially complex trade-offs between employee privacy, company security and user experience, including services such as BYOD programs, context-aware apps and even call monitoring for quality assurance.

Why do companies track employee data and behaviors?

In some instances, they have legal obligations to do so—safety and security, for example. But companies also want to prevent data/IP loss, improve productivity (are we cyberloafing AGAIN? Of course we are!), set appropriate cost standards, avoid liability for employee malfeasance, investigate misconduct and improve—or even predict—user experiences. In addition, a recent study by Aruba Networks states that 40 percent of Middle Easterners, 45 percent of Europeans and 66 percent of Americans fear loss of personal data from their employer, which leads them to try and hide their use of personal devices at work, and fail to report data loss or breaches. So we can’t necessarily trust all employees to appropriately manage their own behaviors.

Yet many users have notions about privacy that don’t match their actions—recently I was at an employer event where a coworker was complaining quite strongly that he was concerned about his privacy rights because of the recent publications about the NSA’s PRISM program. Not five minutes later, an employee none of us knew waltzed up and requested that we allow him to take photos of our employee badges—which contain our names and facial photos. My fellow employee promptly held up his badge for the taking of said photo without even asking who the person was, why he wanted the photos, and what he intended to do with them. Huh?

So it can be tricky business for a company to balance individual notions of privacy with real privacy rights, legal obligations and the desire to improve the workplace for all of us. Employee services that can collect personal information and hence impinge on an employee’s perceptions of privacy—justified or not—date back to historical and mundane things such as work-sponsored clubs, birthday parties, photos, on-site health services, travel arrangements and the age-old inebriated prank of photocopying one’s rump at the annual holiday party. Fast forward to today’s environment and we have seemingly innocuous services such as badge entry systems and call recording for quality assurance, social networking[1], ergonomic wellness tools, BYOD programs and exciting new devices such as Google Glass that could potentially record our every movement. Further, companies may contemplate offering additional helpful services, such as smart vending machines that serve up computer peripherals but track your purchases, Friend Finder, where you can find where your favorite mobile coworkers are located at every moment and options to “get us out of password hell” that may require collection of biometric information.

Regarding technological aids, context is becoming king: If I want to have increased access to corporate apps when I’m not on my corporate PC, then who I am, where I am and my trust level can unlock that door.

But taken even further, we can encounter what I like to call privacy-impacting “anti-services”. Did you know that CVS Caremark, a large US drugstore chain, recently said it would require its 200,000 employees to report their weight, blood sugar and cholesterol or be forced to pay an annual penalty of $600 for healthcare? It also will require that smokers try to quit. Several other major employers have also adopted such policies.

All this tracking, whether for good or not, brings potential legal risk. A cornucopia of different types of laws can be involved: data protection laws, security laws, human rights laws, constitutional laws, contract laws, data transfer, data access and labor laws. Often these laws are not harmonized, making it difficult for a large global company to standardize certain services. Simply offering employees social media services invokes a number of different laws, including common law privacy rights; employment laws regarding discrimination based on personal information a hiring manager may find on a candidate; labor laws regarding free speech about the company; IP laws regarding loss of trade secrets or who owns a Twitter handle; and newer state laws prohibiting employers from requiring social media passwords[2]. According to Gartner, Inc., 60 percent of corporations are expected to implement formal programs for monitoring employees’ external social media for security breaches and incidents by 2015. Many organizations already engage in social media monitoring as part of brand management and marketing, but fewer than 10 percent of organizations used these same techniques as part of their security monitoring program in 2012.

So what can employers do when they are offering services that may not be justified solely as continued obligations to reasonably manage employee security risks?

The first step is to analyze the new service under a privacy risk assessment process; questions poking at exactly how these services are being offered can help design them appropriately. The second step is to remember that companies need to be practical and determine reasonable criteria to prioritize service launches globally and find the right return on investment between the benefits to employees and the legal and reputational risks of getting it wrong.

Corporate-sponsored employee services can be beneficial for all of us, especially given the increasing co-mingling of our work and personal lives. We can improve employee health and safety, engage in social networking, facilitate finding expert help amongst our employee base, allow employees to use their own devices at work, allow them to access work-related systems while away from work and allow them to continue engaging in a reasonable degree of personal activities on company-owned systems. Doing it right—i.e. launching every new service with appropriate forethought and transparency as to the trade-offs—can make all the difference between a real service and a perceived “anti-service.”

If I were M, I would always want to know how James Bond wants his martini and would gladly go to the effort of personally posting many obvious notices of CCTV monitoring of same.

[1] Of course social media carries other risks, such as improper posting of confidential information, erroneously appearing as an authorized spokesperson, and too much cyberloafing if we’re on our Facebook accounts all day.

[2] The legislatures of at least ten states in the U.S. have passed laws regulating employer activity in this space, with many more states, and even Congress, considering such laws.

Written By

Ruby Zefo, CIPM, CIPP/US

