Balancing Employee Monitoring and Privacy Laws

Employee monitoring is all about striking a balance between protecting your company’s information assets and not going overboard to the point where employees feel alienated and you end up violating their privacy rights.

“Employers want to be sure their employees are doing a good job, but employees don’t want their every sneeze or trip to the water cooler logged. That’s the essential conflict of workplace monitoring.”
Employee Monitoring: Is There Privacy in the Workplace? (Privacy Rights Clearinghouse)

Balance can best be accomplished when organizations inform employees of the purpose of monitoring activities and set the employees’ privacy expectations by adopting reasonable and consistently enforced monitoring policies.

Why is Monitoring Really Necessary?

In addition to protecting the organization’s computer systems from the inadvertent downloading of spyware, viruses and trojans, employers have plenty of valid reasons for wanting to monitor employees’ Internet and email activities, including:

  • Maintaining the company’s reputation and image
  • Maintaining employee productivity
  • Preventing and discouraging sexual or other illegal workplace harassment
  • Preventing possible defamation liability
  • Preventing employee disclosures of trade secrets and other confidential information; protecting intellectual property
  • Avoiding potential copyright infringement that could arise from employees illegally downloading software, etc.

A 2005 survey by the American Management Association found that three-fourths of employers monitor their employees’ web site visits in order to prevent inappropriate surfing and 65% use software to block connections to web sites deemed off limits. About a third of employers track keystrokes and employees’ time spent at the keyboard. Just over half of employers review and retain email messages. While the figures for smaller and medium-sized businesses may not have matched those of the larger firms polled in 2005, it’s likely that the numbers have grown for businesses of all sizes as methods have improved, risks have accelerated and the costs of tools capable of monitoring employees’ activities have abated somewhat since then.

Employee Privacy Laws

Although privacy laws vary by state, there are currently few laws regulating monitoring of private sector employees. Public employers, such as state, federal and local agencies, face tougher restrictions than private employers as a rule. Public sector employees may have some minimal rights under the Fourth Amendment of the United States Constitution, which safeguards against unreasonable search and seizure and was originally intended as protection against government tyranny. Private sector workers may have some protection in certain cases, such as any explicit protections that may be contained within union contracts.

Since the employer owns the computer network, the generally accepted rule of thumb for private employers is that the employer should be free to use at least reasonable electronic methods to monitor employees and safeguard other employees, the employer’s property and its business reputation.

While some eight US states have enacted some legislation with respect to employees’ privacy rights, most notably California, the most relevant federal law governing workplace privacy is the Electronic Communications Privacy Act of 1986 (ECPA). At first glance, this law and its amendments seem to prohibit the interception and monitoring of employees’ communications. However, there are key exceptions within the ECPA that provide substantial leeway to employers. They are:

  1. Employers may be exempt from the provisions of the act if they use a third-party provider for e-mail and Internet services. This is outlined in US Code §2511(2)(a)(I). Today, this may be the weakest of the three major exemptions.
  2. The language of the ECPA states monitoring is allowed on business-related communications, but not for personal communications.
  3. The ECPA does not apply if employees sign an agreement that states they have full knowledge of the company’s policies regarding e-mail and Internet usage and potential monitoring.

The last exemption is probably the most important for private employers as it is arguably the easiest to implement.

The California legislature approved an amendment to a bill in August of 2004 with respect to privacy protection for employees. The 2004 amendment prohibits employers from electronically monitoring their workers unless the employers provide adequate notice of the monitoring before it begins. Within the amendment, “adequate notification” requires that the company provide written or electronic notice to the employees about the types of activities being monitored and the types of information gathered, including any non-business-related information. An exception to the adequate notice requirement occurs when an employee is engaged in unlawful conduct and, when conducted in accordance with applicable federal and state laws, the monitoring will produce evidence of the unlawful conduct.

Data Security Concerns Can Trump Privacy Rights Issues

Data security laws have effectively elevated the privacy and safety of client or customer information above the privacy expectations of employees. Recent security breaches (such as the TJX case) have resulted in identity theft, and the ongoing concern for increased safeguards to better protect customer and client information has resulted in additional legislation, such as the Gramm-Leach-Bliley Act, which increases the responsibility of firms to guard customers and clients from internal security threats.

Creating a Policy to Set Privacy Expectations

Lawyers generally advise that one way for employers to avoid liability for monitoring employees’ online activities is to take all necessary steps to eliminate any reasonable expectation of privacy that employees may have concerning their use of company e-mail and other communications systems.

The legal case of Bourke v. Nissan Motor Corporation raised the issue of whether or not employees should have an expectation of privacy when their e-mail accounts are password protected. During a company training session, Nissan Motors randomly selected an e-mail message to be displayed while demonstrating the new e-mail system. The randomly selected message, sent by Bonita Bourke, proved to be a personal message, which included sexual content. Nissan began reviewing the e-mails of all training participants and found that several other employees were also sending inappropriate e-mails. Nissan issued warning letters to all parties guilty of violating the company’s policy. Ms. Bourke sued Nissan on the basis of violating her privacy.

The California Court of Appeals ruled in favor of the employer on the grounds that passwords should not provide an employee with a reasonable expectation of privacy because the company’s policy stated that “e-mail may be read from time to time by other people than the intended recipient”.

One effective and commonly-used way to eliminate the employee’s expectation of privacy is through the adoption of a detailed and clearly written acceptable-use policy. Usually, when an employer states a policy regarding any issue in the workplace, including privacy issues, that policy is legally binding. Policies can be communicated in various ways: through employee handbooks, by signed agreement at the time of hiring, via memos and meetings, and in union contracts.

The 2005 AMA Survey cited earlier showed that 80 percent of employers inform workers that the company is monitoring content, keystrokes, and time on the keyboard; 82 percent reported that they inform employees that their company stores and reviews computer files; 86 percent notify employees about e-mail monitoring; and 89 percent alert their staff that the URLs of the pages they visit on the Web while at work are monitored.

Who Should Create the Policy?

Clearly, the task of creating and updating a policy to address employee monitoring and privacy rights does not rest on the IT department. Instead, policy writing, policy updates and compliance enforcement need to be a cross-functional team effort that includes, at the very least, representatives from human resources and legal counsel, along with input from the IT group, who can advise on how monitoring can best be accomplished, which activities will be monitored, and what will be contained in any reports compiled as a result of monitoring activities. Legal counsel will be able to advise on any state or local regulations that may apply and draft the wording of the agreement.

If a new policy is adopted or an existing policy is substantially updated, unit managers throughout the organization must be advised and their cooperation urged in explaining the new or changed policy and the reasons behind it to their staff. Human resources may also consider having informative training sessions when such a policy is put in place or updated, perhaps with legal counsel present to answer employees’ questions.

What the Policy Should Include

Typically, acceptable-use policies do not explicitly state what monitoring methods will be used, but they do need to establish clearly what the acceptable uses of the Internet, computers, and e-mail are for employees. Most acceptable-use policies also leave open the possibility for monitoring non-business activities that occur while using the employers’ equipment or premises. Legal advisers suggest that it is essential for employers to demonstrate that monitoring is a routine and known activity in the firm.

Acceptable-use policies should also clearly establish the consequences for violation of the policy. Enforcement procedures should be established to ensure that enforcement is carried out in a non-discriminatory way.

The Potential Costs of Not Monitoring Employees’ Activities

In addition to exposing customers and clients of the business to identity theft and the potential need to engage in costly litigation, costs due to improper use of employers’ computer systems can be substantial. Consider an employee who makes twenty dollars an hour. If this employee spends a half-hour each day reading and sending personal email, it is costing the company $2,600 per year in production. If the situation is common for one hundred employees, the total lost in production would amount to over a quarter of a million dollars per year.

Available Solutions

After field testing, we recommend Websense products as a complete content filtering and monitoring solution because we have tested them and know they work. Find out for yourself, with a free trial of Websense.
