MONITORING THE EMPLOYEE WORKING FROM HOME

Written By Magel Romero

Given the influx of individuals who have been working at home for extensive periods of time during the COVID-19 pandemic, an increasing number of organizations are looking at ways to ensure their employees are in fact working when on the employer’s clock.  Many employees feel uncomfortable with being monitored by their employers, whether it is manually or automatically via tracking systems installed on computers/laptops. There are degrees of acceptability ofcourse. Using a webcam to monitor employees working at home certainly feels like an invasion of privacy. However, monitoring the VPN for more than capacity and network performance, but to check in on employees whose connection is regularly timing out could be appropriate. The employer’s perspectives regarding productivity and ensuring work is being appropriately conducted must be balanced with the employee’s reasonable expectation of privacy.

This article will look at the privacy legal considerations, but generally speaking, employee monitoring and the use of tracking systems do create an impression that the employer does not trust their employees. It really does boil down to whether accountability and a healthy as well as appreciated work ethic is built into the employment relationship, in which case such surveillance and its negative connotations can be avoided.

 

UNITED STATES PERSPECTIVE

In the U.S., employee monitoring is legal – if there is a legitimate business intent most federal and state laws permit employers to monitor almost anything that comes through company-owned devices and across the organization’s  network. These methods of monitoring and tracking include: attendance, screen content, e-mails, active/idle time, key strokes, etc. Although employee monitoring is legal for the most part, some state laws have established that consent is required especially in regards to the type of information being monitored, such as monitoring and capturing third party communications, or the monitoring of electronic communications altogether. Some of these states include Connecticut, Delaware, California, and New York.

With the California Consumer Protection Act (CCPA) that came into force in January 2020, it is also important to keep in mind that employees who are residents of California must also receive a notice of collection in compliance with the CCPA with respect to any tracking systems put in place by an employer, and organizations must also ensure reasonable safeguards are in place for the personal information collected.

There are some important laws to consider, and some important questions businesses need to ask themselves beforehand. An important law to consider in the United States is the, Electronic Communications Privacy Act (ECPA). This law does not target employee monitoring specifically but it does broadly restrict the monitoring of electronic communications. The ECPA generally does not permit the monitoring of electronic communications however, there are two exceptions available to employers. There is the “business purpose exception”, and the ability to monitor when consent has been provided. There are also laws regarding the monitoring and collection of electronic communications stored on corporate servers, which is generally prohibited by the Stored Communications Act (SCA), and the monitoring of personal devices that are used for work that may be prohibited by certain spyware state laws.

As you can see, although federally there is no mandatory legal requirement for employers to disclose employee monitoring activities, there are state laws in place to consider depending on what is being monitored, the types of electronic communications being monitored, and even where the  monitoring is taking place.

 

CANADIAN PERSPECTIVE

In Canada, employees of federally regulated businesses, such as banks, telecommunications and transportation companies, enjoy privacy protection under the Personal Information Protection and Electronic Documents Act (PIPEDA). Generally, under PIPEDA, an employer cannot spy on its employees without just cause. The following steps must be taken by employers under PIPEDA:

  • Employers can only gather and record employee information required for “reasonable purposes”, that is, “purposes that a reasonable person would consider are appropriate in the circumstances” (section 5(3) of PIPEDA);

  • Employees must give informed consent to the monitoring where it is not required by law. Such consent must be informed, that is, employees must be told the purpose for the monitoring, how any recording of the employee will be used and who it will be shared with;

  • Employees have the right to refuse monitoring (unless again there is a legal requirement to monitor); and

  • If the employee’s activities are being recorded in any way, the employee has a right of access to those recordings.

Under PIPEDA, a four part test is in place regarding the appropriateness of employee surveillance, first instituted by the Federal Court in Eastmond v. CPR in 2004, and used many times since by the Federal Privacy Commissioner:

  • Is the measure demonstrably necessary to meet a specific need?

  • Is it likely to be effective in meeting that need?

  • Is the loss of privacy proportional to the benefit gained?

  • Is there a less privacy-invasive way of achieving the same end?

It is thus clear that if PIPEDA applies, employee computer monitoring must only be used with extreme caution and only if there is a reasonable suspicion of inappropriate activity.

But what if PIPEDA does not apply? In B.C. Alberta and Quebec there are private sector provincial laws that govern employee relations. In those provinces, similarly to under PIPEDA, monitoring of employees must be with reasonable cause and consent must be provided except in rare circumstances, for example if there is a legitimate concern that the company network is being used for illegal activity. There could also be restrictions on monitoring in a unionized environment as outlined in collective agreements.

Clearly there is a void of privacy protection for private sector employees in other provinces, but in my view, irrespective of this gap, monitoring employees working at home is generally frowned upon in Canada. In my opinion employers should be focused on service levels and meeting deliverables rather than ensuring that employees are clocked in. Monitoring should only be used if there are legitimate and reasonable suspicions of inappropriate activity or if job responsibilities are not being met.

If you have any questions about whether instituting an employee work-at-home monitoring system makes sense for your organization, and how to reduce your employee privacy risks, contact PRIVATECH.

Magel Romero
Previous

ISO 27701 – AN INTERNATIONAL STANDARD FOR PRIVACY MANAGEMENT