Workplace surveillance has increased over the years due to the nature of technology development with the consequence of diminishing employee privacy. Privacy has become one of the most important human rights issues of the modern age. Workforces across the world have reported the stress related to privacy invasion and nations have responded by passing laws to protect the privacy of their workforces. The paper provides guidelines for employers, in the UK, to remain within the bounds of the law and the dangers associated when this is not the case.
Workplace surveillance has increased over the years due to the nature of technology development with the consequence of diminishing employee privacy. The Internet and its technologies have accelerated the monitoring process, making it more evasive and intrusive. A report from the Workplace Surveillance Project of the Privacy Foundation, which tracks employee monitoring worldwide, shows that 35% of the 100 million online workforces are monitored.
Although new technology increased profit and production in the workplace, it also introduced problems for employers which needed to be fixed quickly. An example of the problems faced by employers was given by Kirch in the August 2000 issue of Security Magazine. It described a New York based import-export company that grew rapidly with the new technologies and financial boom of the 1990s. However, in 1999, the company saw its profits nosedive, and it suspected that someone internal was responsible. The investigations found that two employees of the company, the head of the IT department and the manager of the company warehouse, were responsible and had siphoned 3 million dollars out of the company.
According to the 2002 survey by the CSI/FBI, 80% of respondents reported financial losses due to computer breaches. However, industry research shows that 70% of breaches are an inside job. There are also other reported facts that employers look at as reasons to decide to monitor employees. Some of the main reasons are listed below:
- 64% of employees reported going online for personal reasons.
- Over a third of employees reported playing games at work.
- A large fraction of employees reported visiting sex and gambling sites at work.
- Studies have shown that reducing online gossip, jokes, and other unproductive activities does increase productivity.
- 65% of Human Resource (HR) departments surveyed had disciplined an employee for improper online usage (Panko, 2004).
- 30% of HR departments had fired an employee over illegal use of the Internet (Panko, 2004).
Because of these facts and some of the reasons listed below, strong employer monitoring of employees has become a by-product. According to the McWorld survey employers are monitoring a variety of employee activities as follows (Schulman 2001):
- 29.2% monitor for productivity. Excess use of the Internet results in poor performance and therefore reduced productivity, so companies routinely monitor employee e-mails and Internet use.
- 29.2% monitor for theft of company property.
- 21.5% monitor for espionage.
- 9.2% monitor for performance review of an employee.
- 6.2% monitor to prevent harassment between supervisors and employees and among employees.
- 3.1% monitor to find missing data, assuming that employees may have it.
- 3.1% monitor to find illegal software on company computers put on by employees for their personal use.
- 3.1% monitor to prevent personal use of company computers for unproductive activities by employees.
There are a number of guidelines provided by the government and other bodies that employers must follow when carrying out surveillance to stay within the bounds of the law. These guidelines provide a framework for the employer to work from and are mentioned below.
The Employment Practices Data Protection Code: Monitoring at Work
From the Employment Practices Data Protection Code we are interested in part 3 which looks into monitoring at work. The Code emphasises that employers must comply with the following legal requirements when monitoring at work:
- The Data Protection Act (DPA), which covers "data processing" in general.
- EC Directive 95/46 EC on data protection.
- The Human Rights Act 1998 and Article 8 of the European Convention on Human Rights - the right to respect for private and family life and correspondence.
- The Regulation of Investigatory Powers Act 2000 (RIPA) and the Lawful Business Practice (Interception of Telecommunications) Regulations 2000 (LBPR).
According to the Information Commissioner's Office (ICO), the DPA says that "any adverse impact on workers is justified by the benefits to the employer and others". The ICO do not believe that this statement of the law is correct in terms of compliance with Article 8, under which any interference with the right to respect for private life and correspondence must be in accordance with the law, pursue a legitimate objective, and be necessary in a democratic society and proportionate.
To justify monitoring at work, Section 3 states that employers should carry out impact assessments involving:
- Identification of the purpose of the monitoring and the likely benefits.
- Identification of the likely adverse impact of the monitoring.
- Considering alternatives to monitoring and the different ways it may be carried out.
- Taking into account the obligations that arise from monitoring.
- Judging whether monitoring is justified.
Employers have to be careful to abide by the code, otherwise it could lead to legal proceedings in the courts. Employers should consider the following when monitoring their workers:
- The organisation's rules and standards should be made known to and understood by the workers. Even where the standards seem obvious, employers must not assume that workers know them and should relay the rules however obvious or simple they are. Employers should specifically set out the circumstances in which monitoring will take place, the nature of the monitoring, how the monitoring information will be used, and the safeguards that are in place for the monitored workers.
- Workers should be informed when they are being monitored and also why they are being monitored. They should also be told who the monitoring information obtained will be disclosed to.
- Other people may have access to personal information about the workers collected through monitoring. The number of people who have access to this information must be kept to a minimum and they must ensure the information is kept secure, not misused or disclosed. They should also understand their responsibility according to the Data Protection Act related to monitoring.
- If monitoring is justified for a particular purpose, the information should only be used for that purpose specified and should not be used for any other purpose.
- Many businesses buy off-the-shelf monitoring systems and it is the business's responsibility to ensure that they are data protection compliant. If the software is supplied from outside the EU then it might not take account of the data protection law in this country.
- If personal information about a worker is collected it must be made available to the worker if they make a request to access it.
The employer can monitor an employee without informing them about the monitoring if it is done for one of the following reasons (Nickson 2002):
- Recording evidence of a business transaction.
- Ensuring compliance with regulatory or self-regulatory guidelines.
- Maintaining the effective operation of the employer's system.
- Maintaining standards of training and service.
- Preventing or detecting criminal activities.
- Preventing unauthorised use of the workplace technologies.
The above are the general concerns that the employer needs to consider. However, there are also specific guidelines relating to electronic monitoring which are discussed below.
Monitoring Electronic Communications
This section covers all electronic communications, such as telephone calls, fax transmissions, e-mails and Internet access. Here it is also important that employers establish a policy on the use of electronic communication systems and communicate it to workers. Employers should consider including the following features in the policy:
- Set out clearly the circumstances in which workers may or may not use the employer's telephone system, e-mail system and Internet access for private communication.
- Make clear the extent and type of private use that is allowed, for example restrictions on overseas telephone calls or limits on the size and/or type of e-mail attachments.
- For Internet access, specify clear restrictions on material that can be viewed or copied. Give examples of the sort of material that is considered offensive - such as material containing racist terminology or nudity.
- Advise workers about what personal information they are allowed to include in communications.
- State clear rules for private use of the employer's communication equipment when used from home or away from the workplace.
- Explain the purpose of any monitoring conducted, the extent of the monitoring and the means used.
- Explain sanctions to be enforced if the policy is breached.
The employer should consider the following in an impact assessment of e-mail and communication monitoring to lessen the effect of privacy intrusion:
- Can monitoring of traffic, and not content of messages, be used? If not, can the traffic record be used to narrow the scope of content monitoring?
- Will monitoring breach client or worker confidentiality?
- Are there secure transmission lines, not subject to monitoring, for occupational health or trade-union related communications?
- Can workers mark communications as "personal"?
- Can monitoring be confined to external rather than internal e-mail?
- Can e-mails marked "personal" be excluded from monitoring?
- Are workers authorised to use the e-mail system for personal purposes?
- Are systems for recording information about e-mail use reliable?
As well as observing the core and other general principles set out above, employers also need to:
- Inform workers that the employer receives information about the use of telephone lines in their homes, or mobile phones provided for personal use.
- Avoid opening e-mails, especially ones that clearly show that they are private or personal.
- Ensure senders of e-mails are aware of any monitoring and the purpose behind it.
- If checking e-mail accounts of workers in their absence, make sure that they are aware that this will happen.
- Inform workers that information about their internet access and e-mails is retained in the system and for how long.
Employers also need to be satisfied that any "interception" in the course of monitoring will meet the requirements of the Regulation of Investigatory Powers Act (RIPA) and the Lawful Business Practice Regulations (LBPR). Broadly, under RIPA, it is unlawful to intercept telecommunications except with the workers' consent or where the communication is connected with the operation of the communication system itself.
Here are some explanatory notes regarding Figure 1:
- Is there interception? Interception takes place if the contents of a communication are made available, during the course of transmission, to someone other than the sender or intended recipient. It does not include stored e-mails that have been received, opened or deleted by the intended recipient.
- Have senders and recipients both given consent? Interception is allowed if the business has consent from both sender and recipient and consent must be freely given. Interception is also allowed in certain circumstances without consent of the sender or the recipient.
- Is the interception connected with operation of the communications system itself? Interception without consent is allowed if it is undertaken by or on behalf of a business that provides a telecommunications service and it takes place for purposes connected with the provision or operation of that service.
- Is the interception only for monitoring business-related communication? Interception without consent can only occur if it is monitoring or recording communications which involve the business entering a transaction, or relate in another way to the business.
- Is the interception to decide whether a communication is a business related one? Interception without consent is allowed if it is to monitor, but not record, communications to check whether they involve the business entering into transactions or relate to the business in another way.
- Is a confidential telephone counselling or support service involved? Interception without consent is allowed if it is to monitor, but not record, communications to a confidential, free, telephone counselling or support service such that users can remain anonymous.
- Is the interception for an authorised business purpose? Interception without consent is allowed if it is part of monitoring, or recording, business communications for one of the following purposes:
  - To establish the existence of facts.
  - To check that the business is complying with regulatory or self-regulatory procedures.
  - To check the standards that workers are achieving.
  - To show the standards workers ought to achieve.
  - To prevent or detect crime.
  - To investigate or detect unauthorised use of the telecommunications system.
  - To ensure the security of the system, guarding against viruses and other threats.
Some of the points made above are open ended, for example, to establish the existence of facts, which could give employers more incentive to intercept communication.
Article 29
The working document on electronic communications in the workplace by the Data Protection Working Party complements Opinion 8/2001 on the processing of personal data and contributes to the uniform application of the national measures adopted under the Data Protection Directive 95/46/EC. It does not prejudice the application of national law in areas related to data protection.
The Working Party has set up a subgroup to examine this question and has adopted an extensive document and some relevant points will be mentioned here that have not already been pointed out. The subgroup consists of nine European countries of which the UK is one.
The Article points out that workers cannot abandon their right to privacy and data protection every morning at the doors of the workplace. Workers have a legitimate expectation of a certain degree of privacy in the workplace as they develop a significant part of their relationships with other human beings within the workplace.
The Working Party takes the view that prevention should be more important than detection when considering the use of the Internet for private use. In other words, the interest of the employer is better served in preventing Internet misuse rather than detecting such misuse.
The working document states that employers may consider providing workers with two e-mail accounts: one for work purposes and another account purely for private purposes where the account is only subjected to security measures. This could stop employers prying into personal e-mails. E-mails contain personal data covered by the provisions of Directive 95/46/EC and consent must be freely given for employers to process this data. The Working Party has taken the view that:
"Where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data it is misleading if it seeks to legitimise this processing through consent. Reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment".
There have been cases where employers have not followed the guidelines provided and have been taken to Court. The next section discusses a couple of these cases.
In judgements given to date, the Court has made it clear that the protection of "private life" mentioned in Article 8 does not exclude professional life as a worker and is not limited to life within the home.
The case Niemietz v. Germany was concerned with the search by a government authority of the complainant's office. The government tried to argue that Article 8 did not afford protection against the search of someone's office as the Convention drew a clear distinction between private life and home, on the one hand, and professional and business life and premises on the other hand. The Court rejected this approach by stating:
"Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings. There appears, furthermore, to be no reason of principle why this understanding of the notion of "private life" should be taken to exclude activities of a professional or business nature since it is, after all, in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world. This view is supported by the fact that, as was rightly pointed out by the Commission, it is not always possible to distinguish clearly which of an individual's activities form part of his professional or business life and which do not"
In another case, Halford v. United Kingdom, the Court decided that interception of workers' phone calls at work constituted a violation of Article 8 of the Convention. Ms Halford was provided with two telephones, of which one was for private use. No restrictions were placed on the use of these telephones and no guidance was given.
Ms Halford alleged that the interception of her telephone calls amounted to violations of Article 8 of the Convention. The Government submitted that telephone calls made by Ms Halford from her workplace fell outside the protection of Article 8, because she could have had no reasonable expectation of privacy in relation to them. The Government expressed the view that an employer should in principle, without prior knowledge of the worker, be able to monitor calls made by the latter on the telephones provided by the employer.
From the Court's view, "it is clear from its case-law that telephone calls made from business premises as well as from the home may be covered by the notions of "private life" and "correspondence" within the meaning of Article 8 paragraph 1.
There is no evidence of any warning having been given to Ms Halford, as a user of the internal telecommunications system that calls made on that system would be liable to interception. She would, the Court considers, have had reasonable expectation of privacy for such calls ...".
The notion of "correspondence" includes not only letters in paper form but also other forms of electronic communications received at or originated from the workplace, such as telephone calls made from or received at business premises or e-mail received at or sent from the offices' computers.
Effects of monitoring
Employer monitoring has led to employee terminations and employees taking employers to court claiming their privacy has been invaded. The most devastating effect of monitoring is the fear of the employee losing their job. For many, a job is the only source of income and any sign of losing it creates fear. Employee monitoring also causes the following problems:
- Lack of trust among workers, supervisors, and management. Employee monitoring can undermine workplace morale and create distrust and suspicion between workers, supervisors and management. As employees' morale declines, production levels may decline and employees may take the employer to court for invading their privacy.
- Stress. Constant monitoring can lead to high levels of stress and anxiety. For example, Nussbaum (1991) cites a New York data processor whose boss kept flashing the message "You are not working as the person next to you" on her computer screen. There are many cases like this that lead to stress in a workplace.
- Repetitive strain injuries (RSI). RSI is a set of work-related musculoskeletal disorders caused by repeated and prolonged body movement resulting in damage to tendons, nerves and muscles. RSI might happen when employees are afraid to take the frequent breaks from work that are needed to fight RSI, fearing that their supervisors may regard them as not working.
- Lack of individual creativity. Employees have a fear of exercising creativity that is outside normal procedures because they fear being questioned or even losing their jobs in case something goes wrong.
- Lack of self-esteem. The monotony of work and lack of freedom lowers employees' morale and consequently self-esteem.
- Worker alienation. Worker alienation is the lack of worker freedom and control. Alienation, according to Shepard, is higher among workers in industries with automated technologies.
- Lack of communication. Botan and McCreadie (1993) said that "it is well established that information technology does affect communication. When information technology is used for surveillance it can [further] affect organisational communication by reducing or eliminating the need for individual workers to be involved in communication. Workers are objects of information collection without participating in the process of exchanging the information, and seeking to participate may be a violation of work rules punishable by discharge".
- Psychological effects. The presence of electronic monitoring in the workplace may give the perception that employees' comings and goings are being watched even if that is not the case. This may lead to psychological effects on an employee thinking that privacy invasion may be occurring.
Employers must take on board the negative effects that monitoring can cause and try to find a medium that allows their workers to work in enough comfort to perform to the best of their ability.
Although employee monitoring seems to be the norm, there are things that employees can do to guard themselves against being monitored. The first thing is to refrain from those activities that are prime candidates for monitoring. Employees should never use the company equipment for illegal and unauthorised activities and this will limit the employer's power to monitor them. New software called an "Anonymizer" has been developed to protect users from intrusive employers by using strong encryption techniques. Using this software, the data passed will be encrypted in the log files and hence will not show up. Examples of anonymizers are ZeroKnowledge, Freedom, and SafeWeb. However, using this software will involve installing it on the employer's hardware, which can be deemed illegal in some workplaces.
Employers have been provided with strong guidelines when considering monitoring and it is in their interest to follow them or face the Courts. Employees are entitled to privacy in the workplace and employers must respect this. Privacy has become one of the most important human rights issues of the modern age. Employees should not have to work in fear and under stress created by monitoring. It is in the interest of the employer to find a happy medium to get the best out of its workforce.
- JM Kizza, 2003, Workplace Surveillance, [Online] Available at http://www.idea-group.com/downloads/excerpts/1591404568.pdf [Accessed on 22nd February 2010]
- Information Commissioner's Office (ICO), Part 3 - monitoring at work, [Online] Available at http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/coi_html/english/supplementary_guidance/monitoring_at_work_1.html [Accessed on 22nd February 2010]
- ARTICLE 29 - Data Protection Working Party, 2002, Working document on the surveillance of electronic communication in the workplace, [Online] Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2002/wp55_en.pdf [Accessed on 22nd February 2010]