Workplace Privacy


When it comes to protecting intellectual property, ensuring productivity and identifying bad behavior, employers have many tools available to them. Employers of all sizes are increasingly using these tools to monitor employees’ IT use. But their use poses legal risks and challenges—particularly for multinationals. Organizations should be aware of the legal restrictions that apply in the jurisdictions where they work.

This topic page aims to help you balance organizational security with employee privacy laws throughout the globe.

Featured Resources

Privacy in the world of hybrid work

This web conference discusses how to navigate data privacy in a world of hybrid work where cloud computing is growing.

Can Privacy Thrive in the Virtual Workplace?

This web conference covers how colleagues are tackling the virtual workplace, how to build data protection practices into a virtual company and what collaboration tools are being used.

Return to office privacy issues

The COVID-19 pandemic forced many companies to work from home more than one year ago, but with vaccinations progressing, many businesses are returning employees to the office. Kirk Nahra writes that organizations face “a perfect storm” of privacy issues.


Latest News and Resources

Pulling back the layers on employee monitoring

The Wall Street Journal conducted a roundtable discussion with privacy professionals on the current landscape for employee surveillance and monitoring. Topics covered include how widespread monitoring has become, legal limits and ethical versus non-ethical deployments. Electronic Privacy Information Center Senior Counsel John Davisson, Gartner Vice President of Human-Resources Research Brian Kropp and Future of Privacy Forum Senior Vice President of Policy John Verdi took part in the conversatio...

Consent as legal basis for EU and UK employment

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Article 6, 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per...

Vaccine credential systems: Considerations for US employers

Amidst the shifting employment landscape created by COVID-19, employers requiring employees to disclose their vaccination status has become a hot — yet murky — topic rife with privacy-related risks. Vaccination requirements are expected to soon “become dominant in the workplace” due to President Joe Biden’s recent COVID-19 Action Plan. Some employers will be required to impose vaccine mandates for their employees; some will be required to ensure their employees are either vaccinated or tested we...

CPRA could obstruct existing employment rights
(IAPP, September 2021)
Web Conference: Privacy Rights of Global Employees in the Era of Work from Anywhere
(IAPP, August 2021)
The Impact of the New Normal on Workplace Privacy: A Study of Business & IT and IT Security Managers
(Ponemon Institute, June 2021)
Employee Health Data Collection Guidelines & Vaccination-Tracking Best Practices
(IAPP, March 2021)
Web Conference: Monitoring Employees’ Health & Activities Outside Work in Germany, Poland and UK
(IAPP, February 2021)
Privacy in the Wake of COVID-19
(IAPP, January 2021)
FTC orders Zoom to tighten data security practices
(IAPP, November 2020)
Checklist: Expedited Vendor Privacy and Security Assessment
(IAPP, April 2020)
Major bank warns against Zoom, Google Hangouts use
(IAPP, April 2020)
Maintaining Employees’ Privacy During a Public Health Crisis
(National Law Review, April 2020)
Workplace of the Future: Innovation and Communication Will Be Crucial for Employers
(Holland & Knight, March 2020)
The perils of employee-collaboration tools and how to avoid them
(IAPP, September 2018)
From weakest link to strongest asset: tackling employee negligence
(IAPP, June 2016)
Sample Employee Background Checks Policy
(HR Daily Advisor, May 2016)
Employee privacy and the GDPR – Ten steps for US multinational employers towards compliance
(IAPP, January 2016)
On Balancing Insider-Threat Protection and Employee Privacy
(IAPP, November 2015)
Making Killer Privacy Presentations to the Board
(IAPP, October 2015)
Managing Privacy in the Web 2.0 Workplace
(IAPP, August 2014)
Workplace Privacy Counsel blog
(Littler Mendelson, June 2014)
If Nine of 10 Employees Knowingly Breach Policy, How Is Privacy Possible?
(IAPP, June 2013)
Privacy training: An emerging part of the corporate education canon
(IAPP, October 2012)
Chief privacy officers discuss employee privacy training
(IAPP, October 2012)
Workplace privacy expert sheds light on fair employer access to employee data
(IAPP, September 2012)

Definitions

Bring Your Own Device

Use of employees’ own personal computing devices for work purposes. Acronym(s): BYOD. Associated term(s): Consumerization of information technology (COIT)...

Employee Information

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual, but does not include personal information about the individual that is unrelated to that relationship....

Employee Personal Data

Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing employees’ personal data. These rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and mo...

Mobile Device Management (MDM)

MDM refers to software solutions that allow administrators to oversee the use of mobile devices for productivity and security reasons. MDM solutions usually allow an organization to control mobile apps, networks and data used by the mobile device from a single centralized software product, thereby assuring better control of company information on personal devices. MDM solutions also present challenges in the BYOD context because they allow for greater monitoring of employees' personal use of the...

Telecommuting

DPAs divulge privacy expectations for video conferencing platforms

The U.K. Information Commissioner's Office offered an update on its global coordination with six data protection authorities to convey privacy expectations for video conferencing platforms. In July 2020, the ICO joined regulators from Australia, Canada, China, Gibraltar, Hong Kong and Switzerland in an open letter to Microsoft, Google, Cisco and Zoom regarding preferred privacy practices and standards. The ICO reports the dialogue has "proven effective, efficient and mutually beneficial" while g...

FTC orders Zoom to tighten data security practices

While it has become as vital a tool as any during the COVID-19 pandemic, teleconferencing platform Zoom Video Communications has faced its share of privacy and security challenges as it adapted its systems to an unexpected boom to its clientele. That adaptation will now go steps further under orders from the U.S. Federal Trade Commission. The FTC has announced a proposed settlement with Zoom related to allegations of deceptive and unfair infosecurity practices that risk users' privacy and secur...

Companies deploying work-from-home surveillance

The Washington Post reports companies have begun surveilling employees and their productivity as they work from home during the COVID-19 outbreak. In addition to monitoring programs for determining employees' active work hours and online activities, organizations are also instituting other forms of oversight, including multiple daily check-ins, always-on webcam policies and "productivity scores." The tactics have drawn backlash as David Heinemeier Hansson, co-founder of the remote-work-software ...

Data Protection Tips for video-conferencing
(Irish Data Protection Commission, March 2020)
Managing Privacy for a Mobile and Remote Workforce
(IAPP, August 2014)

Employee Monitoring, Social Media & Background Checks

Pulling back the layers on employee monitoring

The Wall Street Journal conducted a roundtable discussion with privacy professionals on the current landscape for employee surveillance and monitoring. Topics covered include how widespread monitoring has become, legal limits and ethical versus non-ethical deployments. Electronic Privacy Information Center Senior Counsel John Davisson, Gartner Vice President of Human-Resources Research Brian Kropp and Future of Privacy Forum Senior Vice President of Policy John Verdi took part in the conversatio...

Web Conference: Privacy Rights of Global Employees in the Era of Work from Anywhere

Original broadcast date: 26 August 2021. Privacy rights and the protection of employee data have become an increasing area of concern for many organizations as they navigate a post-pandemic world along with evolving regulations. In this presentation, industry leaders Barbara Cosgrove, VP and CPO for Workday; Michael Morgan, U.S. Head of Global Privacy and Cybersecurity for McDermott Will & Emery; and Rehan Jalil, CEO of Securiti, discuss aspects of protecting employee data. The privacy challenges posed by maintaining vast lakes of unruly personal data demand more than manual oversight. Add to that increased regulatory scrutiny and consumer expectation, and the problem looms large. In this presentation you will learn how software can ease your burden with greater data accuracy and integrity.

Employee Surveillance Report: Is your boss spying on you?

Software designer Surfshark released its Employee Surveillance Report highlighting trends in employee surveillance from March 2020 to March 2021. Surfshark scraped searches for "bossware" surveillance tools across the world and found the use of and interest in employee monitoring was most prevalent in Sweden, the U.S. and Norway. The study also found one in five businesses are deploying surveillance technology while 62% of companies do so to collect productivity data. The report goes on to compa...

Survey: Majority of companies recognize employee privacy

DTEX and the Ponemon Institute published a survey revealing 63% of IT professionals believe their companies place an importance on employee privacy, Infosecurity Magazine reports. The survey collected the opinions from 1,249 professionals on their organization's efforts to protect employees' sensitive data. Only 34% of respondents indicated their organization effectively protected employees' data. Additionally, 64% of professionals said tracking employee productivity in a privacy-preserving mann...

Privacy Training in the Workplace

White Paper – 6 Ways Privacy Awareness Training Will Transform Your Staff

(February 2018) – As an organization, you have obligations to your customers and other stakeholders to protect their personal information. Some obligations are regulatory, some by statute, some by contract, and some simply due to public expectations. This white paper outlines six ways that establishing a privacy awareness training program will help your team to think about privacy and meet these obligations.

White Paper – Must-Have Privacy Training Features for Your Team

(January 2018) – A privacy program cannot be successful without training. There is a Chinese saying: “Those who want to get the job done must first sharpen their tools.” An effective privacy training not only enables an organization’s privacy initiatives, but also enhances an organization’s overall operation in the areas of Privacy by Design and data protection-centric security practices. In this white paper, learn about the essential elements of an organizational privacy training program.

Monitoring Your Privacy Program – Article Series

Last Updated: June 2015
This series of articles will take a look at monitoring programs across industries including recommendations from the privacy consultant, healthcare, IT, finance, government and telecom industries.
Part 1: How to Effectively Monitor Your Privacy Program
Part 2: Corporate Responsibility and HIPAA
Part 3: IT Industry
Part 4: Finance Industry
Part 5: Emerging Themes ...

How To Change Employee Password Habits

Password reuse across multiple websites and company logins is a major weak link in company security systems. In a survey CSID conducted in 2012 on password habits, 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others, writes Joe Ross in this exclusive for The Privacy Advisor.

BYOD

Survey: 51% of organizations operating without BYOD policy

STX Next’s Global CTO Survey found 51% of global organizations don’t have a “bring-your-own-device” policy, though more employees are using devices at home due to the pandemic, Infosecurity Magazine reports. Among organizations that have a BYOD policy, 13% are not using multifactor authentication, and researchers noted many organizations are not in a hurry to adopt security processes. STX Next Chairman Maciej Dziergwa said, “It is imperative businesses take measures to address these insufficienci...

CNIL discusses BYOD best practices

France's data protection authority, the CNIL, published guidance on best practices for privacy and data security associated with the bring-your-own-device concept. The CNIL noted employers are responsible for the security of company data stored on devices that are not their own, including an employee's personal device. Additionally, the CNIL recommended BYOD issues can be reduced by risk assessment and formalized measures within security policies. (Original post is in French.)

Exploring the New Privacy Architecture of BYOD

Bring Your Own Device (BYOD), while well-intentioned, can make IT managers, CIOs and especially employees want to pull their hair out. The downfall of most Enterprise Mobile Management (EMM) and Mobile Device Management (MDM) solutions is that they pose too many restrictions or too much control over the user’s device. Quite simply, they don’t have the end user in mind. An employee may conclude that the employer’s promise of EMM device containerization is more of an illusion of privacy than a re...