Published on August 18, 2023 by Annu Liss Anto and Anitha Revanna
The work-from-home (WFH) framework adopted amid the pandemic has made employee monitoring even more critical, and compliance officers have started keeping a closer watch on all activities. Seventy-three percent of all teams are expected to have remote workers by 2028, according to CNBC’s “How millennials and Gen Z are reshaping the future of the workforce” report. However, employee monitoring, with the use of artificial intelligence (AI) and machine learning (ML), could run into legal issues.
What is employee monitoring?
Employee monitoring is a compliance activity monitoring technique that organizations implement for purposes such as preventing and detecting breaches of valuable data, employee engagement, increasing privacy and improving unproductive business operations.
Employee monitoring policy:
The lack of employee monitoring policies in a company may result in the misuse of employees’ private data. This undermines the fundamental right to privacy; businesses and employees must be informed of the relevant regulations in place.
According to general employment laws, an employer is permitted to digitally monitor employees. State and local laws detail how far an employer can go with the employee monitoring programs. If an employee uses a business asset for an activity unrelated to the business, the company does not require any consent to monitor such activity unless the users are informed about the tracking. Employees would also be aware that they are not allowed to use their personal communication networks to communicate work-related details.
Legal limitations on employee monitoring:
Employee monitoring policies are regulated by one or more government or private entities. Some countries may stipulate that these breach an individual's fundamental constitutional rights. Employee monitoring measures are critical, as they could benefit both employers' and employees' interests. We list below some of the relevant laws.
Electronic Communications Privacy Act of 1986 (ECPA):
The ECPA safeguards individuals in the US from unauthorised interception of electronic communications. It limits the ability to commence computer transmissions, wiretaps and tracing of telephone communications and stored electronic communications, etc. Cybersecurity-related investigations are increasing, so it is important to be aware of these laws.
General Data Protection Regulation (GDPR):
Most employee monitoring measures are lawful in the EU. However, the practices must be subject to the provisions of the GDPR. The GDPR holds organisations accountable for protecting the personal information they obtain from employees. It focuses on what data is stored by a company, how the data is updated and how the collected data is protected. The use of highly stringent and intrusive electronic monitoring techniques could have a detrimental effect on staff morale. The GDPR mainly covers the EU, but compliance with the regulation is incumbent upon any organisation that deals with data subjects based in EU member states.
The Russian Federal Law:
The Russian Federal Law on Personal Data (No. 152-FZ), executed on 27 July 2006, forms the backbone of Russian privacy laws and requires data operators to make all the managerial and technical arrangements needed to protect personal data against unlawful or unintended access.
- Determine legitimate reasons: The reasons for employee monitoring need to be well defined, to enhance employee cooperation. They could include improving the security of staff and company assets or increasing company productivity by monitoring employees' work to facilitate analysis and reporting.
- Maintain transparency: Employees should be aware that they are being monitored; the stored data, which may include personal information, needs to be kept secure.
- Have a standard policy: Employee-monitoring policies should clearly define what employee data is stored and what is not. This protects an individual’s fundamental right to privacy.
- Acquire consent: Employee-monitoring policies require employee consent. This will ensure they do not keep or save personal information on company-provided laptops or smartphones.
- Use of authenticated systems: The company is responsible for the security of personal data and surveillance recordings of employees. Ensuring security while using third-party software or personnel is vital for avoiding misuse of personal data.
The above was a short description of regulatory policy. If an organisation does not have an employee-monitoring policy in place, it is well within the rights of the employee to raise this concern to higher management. An employer is expected to act in a legitimate way to access employee data. It is also the employer’s responsibility to maintain a balance between corporate concerns regarding surveillance and security and employee privacy. Policies must be reviewed periodically and amended when required.
How Acuity Knowledge Partners can help
We help draft policies and assist with employee monitoring in compliance with the laws of the country. We also keep abreast of international regulations and suggest ways to mitigate risk that employers could consider prior to monitoring employees.
Source:
- Electronic Communications Privacy Act of 1986 (ECPA) | Bureau of Justice Assistance (ojp.gov)
- Art. 88 GDPR – Processing in the context of employment – GDPR.eu
About the Authors
Annu Liss Anto has over 1 year of experience in Corporate and Forensic Compliance at Acuity Knowledge Partners and is engaged in electronic communication surveillance. She holds a master’s degree in Business Administration, specialising in International Finance and Accounting, from Jain University, Bengaluru.
Anitha has 10+ years of experience in Marketing Compliance. She has previously worked with State Street Global Advisors. Her expertise spans the compliance and risk sector, focusing on compliance reviews of marketing/advertising materials and social media content. At Acuity Knowledge Partners she is part of the central compliance team and specializes in marketing material review and social media reviews. Anitha is an MBA graduate from RV Institute of Management, Bangalore University.