A recent survey in the United States has highlighted the growing trend of employers to electronically monitor employees in the workplace.
According to the 2005 Electronic Monitoring & Surveillance Survey conducted by the American Management Association (AMA) and The ePolicy Institute, employers have been increasing their efforts to implement electronic monitoring of employees to manage productivity and protect resources but also due to concerns over litigation and the role electronic evidence plays in lawsuits and regulatory investigations.
Although such concerns might be inducing employers to monitor their employees, such surveillance also raises attendant privacy concerns, particularly with regards to invasive forms of surveillance.
The AMA’s survey, which involved 526 U.S. companies, states that about 25 percent of employers have fired workers for misusing the Internet; another 25 percent have terminated employees for inappropriate e-mail use; and 6 percent have fired employees for misusing office telephones.
When it comes to workplace computer use, employers are mainly concerned about non-work-related Web surfing, with 76 percent of employers monitoring employees’ Web site connections.
The survey also showed that computer monitoring takes various forms including tracking content, keystrokes and time spent at the keyboard, the use of satellite global positioning systems to monitor cell phones, and the storing and reviewing of employees’ computer files.
According to the survey, of those organizations that engage in monitoring and surveillance activities, 80 percent inform workers that the company is monitoring content, keystrokes and time spent at the keyboard; 82 percent let employees know the company stores and reviews computer files; 86 percent inform employees as to e-mail monitoring; and 89 percent notify employees that their Web pages are tracked.
In order to induce employee compliance, employers have increasingly enforced their Internet and e-mail policies by firing employees who use company technology for personal use during workplace hours.
Employers, especially those from large companies, justify their employee monitoring practices by arguing that liability, discoverability, productivity and protection of trade secrets and intellectual property are serious concerns that justify these activities.
However, with greater and more invasive monitoring has come the inevitable lawsuits from employees for invasion of privacy. Thus, a number of jurisdictions are placing limits on how penetrative monitoring practices can be.
For example, in the United Kingdom, workplace monitoring is regulated by the Data Protection Act of 1998.
With regards to the monitoring of e-mail and/or Internet content, employers in the United Kingdom are required to carry out an impact assessment to establish whether any planned monitoring is necessary to address a legitimate business need and to ensure that the monitoring practices in question are necessary to meet that need. The employer needs to establish that monitoring is justified by showing, for example, why other less intrusive methods could not be used to address the risk and that the employer has selected the least intrusive method of monitoring.
In addition, the use of video monitoring must be justified in advance by performing an impact notification that video monitoring is being carried out; however, in exceptional cases, such as where there might be grounds for suspecting criminal activity, covert monitoring might be justified.
Recent Canadian Case
Similar limitations are applied in such European countries as France, Germany, Italy and Sweden.
In Canada, the issue of overstepping limitations with respect to workplace monitoring was considered in a recent ruling by Alberta’s Privacy Commissioner. The case involved the installation, without the knowledge of the employee, of keystroke logging software on the computer of an information technology employee by the employer, Parkland Regional Library (PRL).
The employer justified its action based on section 33(c) of Alberta’s Freedom of Information and Protection of Privacy Act, which permits collection of information that relates directly to and is necessary for an operating program or activity of a public body. PRL argued that the collected information was necessary to manage the employee, based on concerns about his productivity and his use of his working time. The Commissioner held that the employer did not have the authority under section 33 of the Act to collect the applicant’s personal information via the method used — keystroke logging.
The director of the library disputed the Commissioner’s finding that the library collected personal information on the employee, arguing that the managers never looked at any of the computer files that were logged.
However, the Commissioner stated in his ruling that the methods used by the library were too invasive, were not necessary for managing the employee and that it could have used “less intrusive means” to get the information needed to manage the employee. This was particularly evident by the fact that the information collected by the keystroke logger was information as to everything the employee did on his computer and, according to the Commissioner, the library did not need all of this information in order to manage him effectively.
In addition, the Commissioner noted that other employees in similar positions were not similarly monitored. Thus, the Commissioner ruled that the “lack of even-handedness further undermin[ed] the public body’s explanation for the collection.”
He further stated that keystroke logging software could become “necessary” within the meaning of the Act only where there was no less intrusive way of collecting sufficient information to address a particular management issue; however, under normal circumstances, reasonable limits should be placed upon the methods used to monitor employees in the workplace.
The Alberta decision, along with the UK legislation, are demonstrative of the position that although employers have every right to implement processes for the electronic monitoring of employees, it would be wise for employers to select the less intrusive methods and avoid highly intrusive tools such keystroke logging unless absolutely necessary.
Javad Heydary, an E-Commerce Times columnist, is a Toronto lawyer licensed to practice in both Ontario and New York and is the managing editor of Lawsof.com.