The UK Information Commissioner’s Office (ICO), the country’s independent data privacy watchdog, has opened an investigation into London-based bank Barclays over improper tracking of its employees during work hours. The probe is investigating claims of employee surveillance that include using tracking software to determine when and for how long employees were away from their desks, and how much time they were spending on a particular task.
The actions represent a serious potential violation of the terms of the EU General Data Protection Regulation (GDPR), which the UK ICO remains bound to until 2021. The maximum penalty would be 4% of the company’s annual global turnover, which could amount to £865 million.
The UK ICO investigation
Barclays made use of employee surveillance software made by Sapience Analytics, which was required on work computers for a period of up to 18 months. During the month of February the company allegedly activated an enhanced function that allowed it to track the activity of individual employees. The software would send out automated warnings if it determined that employees were away from their computers for too long or if they were spending too long on this particular task. Barclays appears to have been doing a trial of this feature in February, and it was ultimately scrapped due to negative feedback — in part from employees, and in part due to negative media coverage.
While the GDPR does leave some room for employers to monitor employees in this manner, Barclays is in trouble with the UK ICO for not providing proper notice of the scope of the employee surveillance or its purpose. Employers are required to notify employees of all surveillance that is being conducted and the reasons why they believe it is necessary. A spokesperson for UK ICO stated that the organization’s position was that employees should be able to “keep personal lives private” and were entitled to a degree of privacy in the workplace.
While the maximum fine the UK ICO can levy is 4% of total annual turnover, any actual fine in this case would likely be substantially less than that given the number of employees impacted (a maximum of about 21,400 according to recent numbers).
An attempt to “run out the clock” here will likely not help as well, as the UK ICO is expected to adopt domestic terms that are virtually identical to those of the GDPR when it becomes fully independent from the EU in 2021.
The rise of employee surveillance systems
The methods employed at Barclays are hardly unique. There has been a general rise in employee surveillance in recent years, particularly in recent months given the great shift to remote work during the Covid-19 pandemic.
Along with Sapience, the Prodoscore productivity software has seen a major uptick in business due to greatly increased amounts of remote work. The software tracks individual employees and gives them a unique “productivity score” based on their activity in linked cloud applications such as MS Office, G Suite and call center systems. Prodoscore uses sponsored surveys to pitch its product to workers as a “way to be recognized” in these settings, while its marketing directed at companies asks managers if they are “wondering what team members do when you’re not watching.”
Certain employee surveillance products go even further. At least two, StaffCop Enterprise and CleverControl, give employers privileged access to employee computers including the ability to remotely activate webcams and microphones. StaffCop claims that over 20,000 organizations use its software.
Screenshot-based employee monitoring tools have long been in use pre-Covid, most notably on the freelancing platform Upwork where they are the standard method for tracking workers that bill by the hour. Upwork’s system creates a “work diary” that automatically takes a desktop screenshot anywhere from once every 10 minutes to once per hour as a demonstration of activity and progress.
Barclays itself has dabbled with other forms of employee surveillance in the past; in 2017 the company received negative press when it briefly adopted the OccupEye system, which installs special sensors at seats to determine when they are occupied.
The problem of intrusive employee surveillance is much more acute in the United States than it is in the EU. US workers have virtually nothing in terms of an equivalent to the UK ICO’s protection from the use of this sort of software, whether at home or in the office. The only relevant law that prevents employers from monitoring employee communications is the Electronic Communications Privacy Act (ECPA), a bill passed in the 1980s prior to widespread computer use that only covers oral communications via telephone. Employer email monitoring has long been a contentious issue, with employers largely free to monitor company accounts so long as they provide a “valid business purpose” for doing so. There is some added legal room for employers to monitor the use of personal accounts on company systems if the employees agree to a relevant policy in writing when they are hired (and this is frequently a requirement of accepting the job).