The monitoring of employees is a poignant example of an activity that requires a balance between the interests of different parties.
On the one hand, organizations have a legitimate interest in safeguarding their information. Organizations can invest a significant amount of time and resources securing valuable data from external threats, only to have these efforts thwarted by the careless or intentional actions of an employee. Indeed, a study found that 29 percent of data breaches in the first half of 2014 were the result of malicious or careless employees. To address these risks, many employers establish monitoring, data loss prevention and other information security programs that log, track and analyze employees' actions.
On the other hand, as a recent Canadian case demonstrates, excessive and disproportionate employee monitoring can result in serious contraventions of the law. The threshold between legally acceptable and unacceptable employee monitoring varies among countries that have enacted privacy laws. Even so, collecting information on every single action an employee takes on his or her computer without giving employees specific notice of such activities, as the employer in the Canadian case did, would in most cases constitute an unjustifiable compromise of employees' privacy interests.
Canadian Employer's Use of Sweeping Employee Monitoring Software Found to Contravene Law
In January 2015, the mayor of the District of Saanich in British Columbia claimed that his employer, the District itself, used employee monitoring software in a manner that contravened applicable privacy laws. The privacy authority of British Columbia investigated these claims and discovered that the District had installed automated software on all employee workstations and did so without specifically informing employees of these practices. Employees were allowed to use their workstations for personal reasons, and the software was configured to, among other things:
- log every keystroke made by a user;
- log program activity by recording which windows were open and which window had the focus of the user;
- capture and store screenshots of activity on the monitor at 30-second intervals;
- monitor all emails and instant messaging conversations; and
- track every file created, deleted, renamed, or copied.
The privacy authority considered whether the District had the authority or legal justification to conduct such sweeping monitoring activities, including under statutory justifications such as law enforcement purposes, and determined that it did not. The privacy authority also concluded that much of the information collected was sensitive or had no reasonable connection to the purported purpose of the employee monitoring program, i.e., IT security. The privacy authority therefore issued a number of detailed recommendations to the District, including dismantling many features of the employee monitoring software.
So what can an employer do to avoid the circumstances that befell the District of Saanich? Here are five suggestions.
- Conduct a privacy audit of the program before implementation to understand your legal risks and obtain recommendations on how to implement the program in a compliant manner.
- Carefully draft a clear and detailed employee monitoring policy to establish employees' privacy expectations in the workplace.
- Limit the collection of personal information to that which is strictly necessary for the stated purposes of the program.
- Work with security providers to tailor their software and monitoring tools to your unique business profile and objectives.
- Train employees so that they are aware of your employee monitoring activities, and train IT personnel so that they administer the employee monitoring program in a manner that mitigates legal risks.
Contributors: Jonathan Tam, Zia Hassan