Employee monitoring software is a critical resource for protecting intellectual property, securing sensitive data, and ensuring that company assets are used appropriately. The solutions used to monitor employees can collect a vast range of data, including file access history, internet use, keystrokes, and email traffic. To ensure compliance with data privacy regulations, the implementation of these technologies must be properly assessed against the potential privacy impacts they can have for employees.
Is employee monitoring data considered sensitive?
While it is readily apparent that standard HR employment data (names, addresses, etc.) is sensitive in nature, the data captured by employee monitoring software is rarely addressed directly. Monitoring solutions that capture computer usage data have the potential to unknowingly track data that pertains to sensitive categories under GDPR and related data privacy regulations.
Sensitive categories of data include identifiers of:
physical or mental health or condition
sex life and sexual orientation
racial or ethnic origin
political opinions
religious beliefs or other beliefs of a similar nature
trade union membership
Under the lens of GDPR’s sensitive categories, internet usage data that includes websites visited and search engine queries is likely to contain identifiers for these categories. Should the data captured be insufficiently anonymized, a negligent breach of this data has the potential to lead to legal penalties under both GDPR and CCPA, depending on the location and citizenship of the employee.
Monitoring principles for data privacy
Ensuring privacy and security of data collected by employee monitoring software is essential. The following principles will serve to guide an implementation of an employee monitoring strategy that meets critical business goals without unnecessarily compromising the privacy of your employees.
Clearly define your monitoring goals
Clearly defined monitoring goals are more than simply a proactive measure for ensuring a successful adoption of monitoring; an explicit understanding of monitoring objectives is often mandatory. Without clearly defined goals, a business will not have the means of establishing that its implementation of employee monitoring serves its legitimate interest while respecting the principle of proportionality.
One of the core principles of leading data privacy mandates is proportionality – in the context of employee monitoring, this means that any monitoring activity taking place must have a legitimate business interest that definitively outweighs any potential harms to the privacy rights of employees.
GDPR in particular heavily emphasizes that the privacy rights of the data subject are paramount, strongly indicating that monitoring must be limited to the minimum extent required to achieve the objectives of your company. As part of implementing new employee monitoring technologies, you will be expected to conduct a Privacy Impact Assessment that clearly documents the potential privacy impacts the proposed technology will have on employees.
Ensure your monitoring is fully transparent
Even if your company is subject to less robust transparency requirements than those required by GDPR, 77% of Americans surveyed by Harris Poll indicated that they would be less concerned about having their digital activities monitored so long as their employer was fully transparent.
Attempting to monitor your employees without their prior knowledge will damage the reputation of your company and greatly increase employee turnover – 70% of employees in the Harris Poll survey indicated that they would consider quitting if they discovered that monitoring was performed without their prior knowledge.
While the degree of transparency will differ by jurisdiction, there are key transparency principles that will greatly inform monitoring strategies.
Policy development: Detailed policies are effective for informing employees of the extent of the monitoring practices that will be implemented within the organization. These policies should clearly outline the measures taken, the goals of the implemented measures, and the expectations the organization has of its employees. As monitoring-related policies are developed, the Article 29 Working Party (“WP29” – now replaced by the European Data Protection Board) recommends that a representative sample of employees is involved in assessing the legitimacy of the proposed solutions.
Explicit consent: In the context of the employer/employee relationship, the concept of consent is murky at best. The inherently unbalanced power dynamic present in such a relationship means that employers should not rely on consent as the legal basis for justifying their monitoring practices. However, explicit written consent is still a prudent measure for communicating and enforcing monitoring-related policies.
DSARs: CCPA and GDPR both have provisions that relate to the right of data subjects to request access to the data that is held by data controllers. Under these laws, employers must be prepared to answer Data Subject Access Requests (DSARs) from employees in a timely manner.
Data minimization and protection
While the data collected through employee monitoring programs will provide valuable insights regarding productivity and technology usage in the workplace, the perpetual storage of this data may lead to conflicts with data privacy legislation if the employer cannot provide a legitimate business reason for storing the data long-term. Unless absolutely necessary, the recommended practice is to regularly cull data that is no longer necessary for meeting the stated objectives of the employee monitoring strategy.
Even with the quantity of data limited, employers are still expected to implement technical and administrative safeguards that adequately protect employee monitoring data. While the exact measures required are seldom explicitly addressed, it can be reasonably expected that at a minimum the data is protected against unauthorized access and that permitted access is kept to an as-needed basis.
Recommended limitations to employee monitoring
At this time, employers that are strictly US-based can be reasonably confident that commonplace and transparent employee monitoring practices are justified to monitor work-related activity on company-owned devices. That said, should the evolving data privacy landscape lead to the adoption of federal privacy laws, there is a possibility that they will be heavily influenced by GDPR et al.
With that in mind, it is beneficial to understand the current limitations and demands imposed by international legislation. The list below is far from exhaustive, as each Member State has its own adoption of the GDPR framework; however, it provides a necessary context for establishing employee monitoring best practices.
Stealth monitoring: As a part of informed consent and transparency, employers are not permitted to use monitoring technologies that attempt to obfuscate their presence. Monitoring technologies must be used transparently and employees should be informed of their use.
Blocking vs monitoring: In the case of managing internet access, the opinion of the WP29 is that employers should err on the side of blocking access to undesirable websites rather than relying on continuous monitoring.
Use data as stated: As per the purpose limitation principle of GDPR, monitoring data should only be used for the exact purpose that it was intended for unless the data will be used for a substantially similar purpose or you get consent to reappropriate the data.
Automated decision making: While employee monitoring data can be used to identify unproductive or inappropriate browsing behavior, the decision to discipline an employee must not be made automatically by the software. Human intervention is required to analyze the data and make an informed decision.
Avoid targeted monitoring: The monitoring of targeted individuals without a legitimate need is strongly advised against. The best practice is to use aggregated data for general monitoring and only increase in specificity if undesirable behavior persists.
Personal communications: Employers should not knowingly intercept personal communications (emails, telephones, etc.), even if they are taking place on work devices. The existence of a policy against personal use may help prevent personal use of assets; however, once a given communication is known to be personal, the employer should cease monitoring.
Data privacy obligations are constantly evolving. As clarifications of current legislation are released, the employer’s role as a data controller is expected to become increasingly clear. Increased demands for control over access to personal data are expected to heavily influence the adoption of federal privacy policies that can be reasonably expected to be influenced by GDPR. By implementing an employee monitoring strategy that is inherently GDPR-equivalent with respect to privacy, your organization will be better prepared to adapt to future demands.