A guide to employee monitoring and workplace privacy

Ever get the feeling you’re being watched at work? The reality for most employees is that they probably are. With technology for employee monitoring becoming increasingly advanced and accessible, more and more companies are using a plethora of products to track their employees’ every move. While it all sounds a little covert, in reality, employee monitoring in some form or another is acceptable and indeed expected in most circumstances.

There are numerous reasons for employers wanting to keep tabs, including improving employee safety, increasing productivity, and guarding trade secrets. What’s more, employee monitoring products spell big business. As a result, employers are being persuaded by the makers of monitoring software and hardware that they need to keep a closer eye on their employees.

So what does this mean for the privacy of employees and their basic rights? There are two major facets of employee monitoring. On the one hand, employers need to make sure they’re abiding by the regulations that are in place. On the other hand, workers need to know what to watch out for, and what their rights are under various circumstances.

As mentioned, in this industry, as in many others, technology and its widespread availability are advancing quickly. As such, there remain gray areas when it comes to its governance. Therefore, many employee privacy cases end up in the courts, with judges having to make decisions based on the laws, regulations, and precedents available.

For this reason, it’s advisable for both employers and employees to err on the side of caution when it comes to monitoring. This would mean employers avoiding undertaking actions for which the laws are unclear, such as off-hour employee tracking. And for employees, it would mean assuming that most of their activities during working hours, especially while online, are being monitored.

While employees may feel like their privacy is being invaded, employers are often well within their rights to pry further than you might think. In this post, we’ll delve into the main forms of employee monitoring and what can be expected in the US, Canada, the UK, and Australia.

Background checks

Background checks are definitely nothing new and have long been used by employers during the hiring process. While it can feel as though privacy is being invaded, most applicants understand that it’s a case of due diligence. In fact, in some instances employers can be heavily fined for not conducting certain checks.

We covered the subject of background checks in-depth in a recent post, but we’ll summarize the major points for each country below.

US

As detailed in the post mentioned above, it is legal for US employers to obtain almost any information about an applicant or employee. The one notable exception is genetic information. However, even though any other information can be obtained, such as medical records, driving records, and credit scores, not all of it can be actually used by the employer to deny an applicant a job.

For example, arrest records cannot be used against someone, as they don’t imply a conviction. Other exceptions are race and employment status. Furthermore, there are also types of information that can be obtained and used, but with significant limitations. Medical records can be used in rare cases, as can bankruptcy filings and past employment history.

Canada

Within Canada, federal laws govern employment. However, each province also has its own laws. As such, employers need to consult the individual provincial rules for advice on the intricacies of what is allowed, as outlined in the article above.

In general, Canada’s laws aim to protect the privacy of the applicant or employee and, in most provinces, consent has to be given for the checks to take place. However, employers can still access a great deal of information, including financial history, criminal history, education, driving record, and online and social media presence.

UK

The UK takes a very definitive stance on background checks, especially when it comes to eligibility to work in the UK. In fact, employers can be fined up to £20,000 (about USD $26,500) for not performing this particular check. The gov.uk site also stipulates that you can only perform criminal checks for roles in certain areas, such as healthcare and childcare.

Additionally, health checks can only be required in certain cases: if it’s a legal requirement (e.g. eye tests for commercial vehicle drivers); or if it’s a job requirement (e.g. insurers need health or medical history). The website also reiterates that data protection rules must be followed when handling applicant information.

Australia

The Corrs regional guide to background checks explains what constitutes normal practice in Australia. They typically cover education, previous employment, health or medical records, criminal records, and online and social media activity. Things like union membership and political views generally cannot be used to inform hiring decisions due to anti-discrimination legislation.

Background checks are subject to the Privacy Act 1988 so employees must be informed about how information will be collected. They must also consent to the collection of ‘sensitive information’ and be allowed to access the collected information upon request.

Computers, phones, and mobile devices

Unless a job is purely physical, many workers will spend some or all of their time using a desktop or laptop computer or mobile device. Of course, more than just work tasks can be carried out using these systems. Whether or not a company allows it, it’s often easy to use them for personal activities such as email, messaging, and web browsing.

Since all of these functions are also typically used for work-related tasks, it’s not as though they can be simply disabled or blocked to prevent personal use. And so ensues a minefield of potential issues for employers and employees alike.

While employees feel that they should be able to maintain some degree of privacy, employers need to protect their best interests. They want to know if someone is wasting company time and resources, conducting themselves in an inappropriate manner, disclosing company secrets, or even committing a crime, among other things.

Indeed, the laws in most countries lean heavily toward the employer having significant rights when it comes to monitoring, especially when it comes to company-provided computers and devices. However, they vary from country to country in dictating what exactly can be monitored and how it can be carried out. Here’s what you can expect depending on where the company is situated.

US

In the US, as is the case in the other countries we’re covering, employers are within their rights to monitor all activity that is carried out on a company-owned device. This includes desktop computers, laptops, cell phones, pagers, and tablets. Since the device is company property, this applies not only in the place of work, but also when the device is taken home or elsewhere. It also means that they can monitor activity on such devices during off-work hours.

When it comes to email, employees often assume that only their work email is monitored. However, if they’re accessing personal email from a company device, this could be observed too. The same goes for any other forms of communication such as messaging apps, as well as web browsing, including time spent on social media sites.

Exactly which applications are monitored and how much information is collected depends on the software that’s being used. For example, rather than monitor an entire device, an employer may just want to view email usage. Within that, they might only collect information such as recipient, subject, and time/date, or they may also want to view the actual content of emails.

The major exception here is actual phone calls. According to federal law, audio can only be recorded and listened to if one of the parties consents. Many but not all states extend this rule to in-person conversations.

So what are the caveats for this type of monitoring? The laws vary somewhat between states but generally, in order to err on the side of caution, employers should always inform employees that they are being monitored. This could be in the form of a privacy policy provided upon hire or in an email in the case of a change of policy. Devices could also be adorned with signage indicating that activity will be monitored.

One area where problems arise for employees is when they use personal devices for work. Many companies implement a Bring Your Own Device (BYOD) policy. However, when you use your own device in work and connect to the corporate network, you may be opening up all personal activity on that device to scrutiny. This might also apply to any other personal devices used while at work. Even if they’re not being used for work, if they’re connected to the company wifi network for example, this could be considered company property.

For employees wanting to maintain privacy, it would be best to use separate devices for work and personal use and to avoid connecting personal devices to the company wifi network.

Canada

The Office of the Privacy Commissioner of Canada (OPCC) offers blanket advice to employers regarding employee monitoring. This covers things like video and audio recording and monitoring of web-browsing, email, and keystrokes. Their advice to employers is the following:

  • “The employer should say what personal information it collects from employees, why it collects it, and what it does with it. Collection, use, or disclosure of personal information should normally be done only with an employee’s knowledge and consent.
  • The employer should only collect personal information that’s necessary for its stated purpose, and collect it by fair and lawful means.
  • The employer should normally use or disclose personal information only for the purposes that it collected it for, and keep it only as long as it’s needed for those purposes, unless it has the employee’s consent to do something else with it, or is legally required to use or disclose it for other purposes.
  • Employees’ personal information needs to be accurate, complete, and up-to-date.
  • Employees should be able to access their personal information, and be able to challenge the accuracy and completeness of it.”

It goes on to reiterate the importance of setting clear policies and expectations, as well as keeping the amount of monitoring to a minimum.

UK

In the UK, according to the gov.uk website, staff should be informed if they are being monitored, for example by email. This includes use of CCTV, keeping phone call records, logging email or internet use, and searching workstations. However, there are cases in which you can monitor staff without their knowledge, such as if you believe they are breaking the law:

“Monitoring staff without their knowledge

You can monitor staff without their knowledge if:

  • you suspect they’re breaking the law
  • letting them know about it would make it hard to detect the crime

Only do this as part of a specific investigation, and stop when the investigation is over.”

Data protection laws in the UK set down rules about how and when monitoring should be carried out. As such, employers should:

  • Have good reason and be able to explain the benefits of monitoring employees
  • Conduct an impact assessment to determine any negative impacts monitoring might have
  • Consider alternatives before jumping in
  • Inform employees (with some exceptions)

While employers should inform employees, they don’t actually need their consent. As long as they’ve tried to inform employees of the monitoring and how it relates to the business, and the equipment being monitored is provided partly or wholly by the company, they pretty much have free rein over what they look at.

In a recent landmark ruling, the European Court of Human Rights found in favor of an employee who was fired for sending private messages over Yahoo Messenger on a company-owned device. The decision overturned a previous ruling in the employer’s favor, and stated the employer violated the employee’s right to privacy by spying on his messages without notice. This sets a precedent for future similar cases across Europe.

Australia

When it comes to Australia, rules differ for certain states. The New South Wales Workplace Surveillance Act 2005 and the Australian Capital Territory Workplace Privacy Act 2011 protect workers by stipulating that employees must be given at least 14 days’ notice of the monitoring commencing. However, in the rest of the country rules are much looser. While the Privacy Act 1988 states that employees should be notified about their records, it’s a little ambiguous about whether their email can be monitored without notice. What’s more, there’s not a lot to go by when it comes to other types of monitoring such as phone calls and cameras.

Social media

The advent of social media has provided yet another potential minefield for both employees and employers. While it’s widely accepted that an employer might view your public social media accounts when making a hiring decision, there are more things at play once you’re actually working for a company.

Of course, with many social media accounts having public access, employees can never truly be sure of what an employer has seen. Therefore, it’s prudent for anyone to ensure that the privacy settings on their social media accounts block as much access as possible. Even if employees feel they have nothing to hide, it can be surprising what can surface to harm one’s reputation.

US

In the US, monitoring of social media can be expected when, as mentioned above, the employee is using a work-provided computer, network, or system. However, it is also expected that employers inform employees of the monitoring. It is strongly recommended for employers to have a social media policy in place, even if they’re not monitoring employees.

Aside from monitoring through computers and devices, some employers actually ask for usernames and passwords to access employees’ accounts at any time. However, some states including California and Washington have passed laws prohibiting this.

Canada

Canada’s OPCC website has the following to say on social media monitoring:

  • “Employees should know that, subject to existing workplace policies and rules, some organizations monitor their employees’ Social Networking Systems (SNS).
  • Employees should be aware that when using SNS in a workplace context — including an SNS hosted by their employer — that their personal information can be collected, used and disclosed by the employer. This could include off-duty comments and postings on a SNS about workplace issues or that may otherwise reflect on the employer.
  • Employers should view tracking existing employees through personal or work-based SNS as a collection of personal information that may be subject to applicable privacy legislation in their jurisdiction.”

The same page offers advice for employers to create a specific policy for social media activity. It should cover things like what usage is allowed in the workplace and in what context, which social media sites are monitored, and what happens to personal information that is collected.

UK

According to Acas, “Some estimates report that misuse of the internet and social media by workers costs Britain’s economy billions of pounds every year and add that many employers are already grappling with issues like time theft, defamation, cyber bullying, freedom of speech and the invasion of privacy.”

It goes on to offer advice to employers surrounding social media policy making. Policies should cover what is deemed acceptable use of social media while at work as well as what can and cannot be said about the organization. It should also distinguish between business and private use of social media and messaging apps.

Australia

In Australia, employers have been known to ask for employee social media access details. It’s murky water, but access to private social media pages is likely a violation of several laws including the Privacy Act 1988 and the Fair Work Act 2009. As such, it’s advisable that any information gleaned from social media is obtained with the written consent of the applicant or employee and that a detailed record is kept of the information used.

Location

Location tracking is not a new concept, especially when you’re talking about vehicles, which are often tracked for various reasons. It might be to comply with safety regulations or perhaps to monitor efficiency of business operations. However, in all countries we’re covering here, the driver of the vehicle must know that the monitoring is taking place.

But what about actual employee monitoring, for example, via a mobile device? There are plenty of companies offering employee tracking via easy-to-install apps. While this may sound a little too ‘Big Brother’ at first, there are actually some legitimate reasons for doing so, mainly applying to employee safety. For example, anyone who needs to make house calls or respond to emergency situations could be made safer by having a tracking device on them.

Aside from safety, there are also business reasons why employers might want to track vehicles or people. For example, to check they’re clocking in and out on time and to ensure they’re actually where they’re supposed to be and not using company time for personal activities.

As long as there is a legitimate reason for it and the employee knows about it, then this is a viable area for monitoring. However, there have been various complaints of invasion of privacy, especially if an employee’s location is tracked while they are off-duty.

US

In the US, several states such as Texas and Virginia have made vehicle tracking illegal without the owner’s consent. California has the strictest laws surrounding tracking and has prohibited the tracking of a ‘movable thing.’ The relatively new ease of tracking employees means that there aren’t really restrictions in place in many parts of the country. Therefore, we have yet another gray area on our hands.

A recent case of GPS tracking in the US brought this issue to the forefront. Worker Myrna Arias was tracked while off duty via an app on her phone that her employer made her install. She was fired for disabling the app and then sued her employer for wrongful dismissal. The case ended up being settled out of court, but the fact that there was no solid argument from either side leaves the outcome open for interpretation.

Aside from GPS tracking, there is also legislation surrounding Radio Frequency Identification (RFID) tags. These are microchips that can be attached to a person or their belongings in order to track them. Certain states, such as Missouri, North Dakota, and Wisconsin have prohibited employers from requiring the use of such devices.

Canada

In Canada, companies are allowed to monitor employees via GPS tracking. However, there must be a legitimate safety or business reason as mentioned above. Again, the employer is supposed to get consent. However, as explained by David Fraser, a privacy law expert, that consent is verging on fictional, since it can be really difficult for an employee to say no.

He says employers may have some grounds to monitor employees during off-work hours. He, along with other experts, implies the US Arias case would have more likely been won by the employee had it taken place in Canada.

UK

The UK has a more defined policy when it comes to employee tracking, one that should leave room for fewer gray areas. For vehicle monitoring, tracking of business vehicles is allowed. However, if the vehicle is also used privately, the tracker must have a privacy button to cease tracking during off-duty hours. Also, employees must be aware that the vehicle is being tracked. Tracking of employees, however, is not allowed.

Australia

According to a recent study, one in three workers in Australia have at some point been tracked by GPS by their employers. In general, the key to using tracking devices is consent.

However, the use of tracking devices is legislated by state, not country, so the rules vary. For example, some states require that written notification is provided within a certain time frame of the surveillance commencing. Other states have no specific legislation at all. This doesn’t mean it’s a free-for-all in these regions as federal privacy acts may still come into play.

Video

Video surveillance is one of the oldest forms of employee monitoring. But as it becomes easier and more inexpensive to install these systems, the rules and regulations around their usage have become increasingly important.

In general, video surveillance via cameras is an acceptable form of monitoring. However, there are obvious restrictions such as the prohibition of cameras in areas where privacy is reasonably expected, such as washrooms or locker/change rooms. Also, video monitoring should be carried out with good reason, such as for the safety of employees, to ensure no theft or other crime is taking place, or to keep tabs on worker productivity.

This typically also falls under the general rule of employees requiring notification that they are being monitored. There are some exceptions such as if the employer is trying to gather evidence of a suspected crime.

US

In the US, it is accepted that employees can be videoed during working hours at their workstations. There is a distinction between cameras in plain view and secret cameras, the latter of which can only be used in very specific cases.

Canada

In Canada, the rules are very similar in that general areas are acceptable for video monitoring. Also, areas where a reasonable level of privacy can be expected are off-limits.

There may be certain exceptions for unionized workforces that can be determined on a case-by-case basis by a labor arbitrator. Questions asked will involve whether video surveillance was the right course of action and whether it was conducted reasonably.

When video cameras are placed in general areas, there should be sufficient signage to notify employees that they are in use. The signs should be in both official Canadian languages, English and French.

Audio surveillance via video cameras is not permitted unless the parties being recorded consent or legal authority is granted.

UK

The gov.uk article pertaining to employee monitoring we talked about earlier also contains a special section regarding using CCTV. In this case, the Information Commissioner’s Office must be informed. Additionally, people should be warned they’re being recorded via clearly visible signs.

It also notes employers should be able to control who sees recordings and that people have a right to see images recorded of them, but that doesn’t need to happen immediately. Employers have 40 days to comply and can actually charge employees for the privilege of seeing themselves on-screen.

Australia

In Australia, again, it depends on the region. The New South Wales Workplace Surveillance Act 2005 and the Australian Capital Territory Workplace Privacy Act 2011 regulate most types of tracking, including video. As with computers and GPS tracking, the employee should be given sufficient notice of being video monitored, including when it will happen and for how long. The Surveillance Devices Act 1999 in Victoria also dictates that employers should give employees notice of surveillance.

Other regions may not be subject to such regulations. Again, listening is not allowed as dictated by the Telecommunications (Interception and Access) Act 1979.

Mail

The rules surrounding opening mail may come as a surprise to some. While it is illegal in many countries to open mail that is not addressed to you, the law doesn’t extend to named employees at a company location. Technically, if it’s the employer’s address on the envelope or package, then it’s addressed to the employer, even if the employee’s name is on it.

The obvious lesson here is that no one should be having things sent to their work address that they wouldn’t want their employer, or anyone else in the company for that matter, to see.

US, Canada, and UK

Employers can open any mail if it’s sent to their address. Once it arrives at the location, it has technically been delivered. It doesn’t necessarily have to be opened by the person it’s addressed to. Many companies even have dedicated mail openers who open all mail before distributing it to employees. Even if it is marked as ‘Confidential’ or ‘Private,’ it’s fair game.

Australia

In Australia, it’s not an offence to open someone’s mail. But it is an offence to keep it if it doesn’t belong to you. Therefore, it’s definitely acceptable for an employer to open it as long as they don’t hold onto it.

Steps to take to protect your privacy at work

By this point, you can see that while there are limitations, employers are within their rights to monitor a lot more than you might have expected. However, from the employee point of view, there are steps you can take to maintain some privacy at work.

Know your rights

As you can see from the information we’ve provided in this guide, many rules depend on where you are located. This doesn’t just apply to which country you’re in; things may vary at the state or provincial level too. For example, in the US, only five states have laws explicitly protecting employee privacy. Make sure you know your specific rights by looking up workplace privacy laws for your region. As mentioned, even though there are laws in place, there may still be some gray areas, so it’s always worth erring on the side of caution.

Read policies carefully

In most cases of monitoring in the workplace, employers are required to keep employees informed. While they might not want to broadcast the details, you should be able to find them if you look. Read privacy policies and other relevant documentation carefully. Also, look out for emails or other notices regarding any changes to such policies.

Aside from staying informed about your own privacy, reading these policies should also help you glean information about acceptable conduct while at work. It’s often surprising the types of actions that are deemed unacceptable by an employer. For example, using personal devices for work purposes may be forbidden. There are usually good reasons for these types of policies such as information security to help guard company secrets.

Look out for other indicators

Depending on where you are and the type of monitoring taking place, you may not be able to find out about it within documentation. It’s also worth looking out for other indicators that you’re being monitored. Surveillance camera signage is an obvious one, but there may also be notices attached to computers or workstations.

Avoid personal activity

Employees may be concerned about others in the company having access to things like personal emails or browsing history. Sometimes the best course of action is to simply avoid using work devices for personal activity altogether. After all, most things can be done on a smartphone these days. As long as it’s not company property and not connected to the company wifi, a personal phone or tablet should be off limits for employee monitoring.

Use a VPN with caution

Using a Virtual Private Network (VPN) at work is a way to protect your privacy in general. However, as a result, it may mean you bypass monitoring that is in place. It will also allow access to sites that may be blocked for good reason. Before using a VPN, check contracts and policies carefully to ensure you’re not in breach. If they’re looking out for it, an employer will likely be able to spot when a VPN is being used as all traffic will be going to a single IP.
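
The single-IP pattern described above, seen from the network team's side, as an added example that is not part of the original article: it totals traffic per internal host and reports hosts whose traffic goes almost entirely to one outside address. The flow records, thresholds, and the allowlisted proxy address are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records using documentation address ranges, not real traffic:
# (internal source, external destination, destination port, bytes transferred)
SAMPLE_FLOWS = [
    ("10.0.0.21", "198.51.100.7", 443, 120_000),    # ordinary browsing,
    ("10.0.0.21", "203.0.113.40", 443, 310_000),    # spread over several sites
    ("10.0.0.21", "192.0.2.15", 443, 95_000),
    ("10.0.0.21", "198.51.100.90", 80, 40_000),
    ("10.0.0.34", "203.0.113.99", 1194, 2_400_000),  # nearly everything goes
    ("10.0.0.34", "203.0.113.99", 1194, 1_900_000),  # to one outside address
    ("10.0.0.34", "192.0.2.53", 53, 2_000),
    ("10.0.0.48", "192.0.2.200", 3128, 900_000),     # company web proxy
    ("10.0.0.48", "192.0.2.200", 3128, 650_000),
    ("10.0.0.55", "198.51.100.7", 443, 8_000),       # too little data to judge
]

# Assumption: addresses the organisation itself routes traffic through
# (web proxy, its own VPN gateway). Traffic concentrated there is expected.
ALLOWED_CONCENTRATORS = {"192.0.2.200"}


@dataclass(frozen=True)
class Finding:
    host: str
    top_destination: str
    share: float        # fraction of the host's bytes sent to top_destination
    total_bytes: int


def single_destination_hosts(flows, min_total_bytes=500_000, min_share=0.9,
                             allowed=ALLOWED_CONCENTRATORS):
    """Return hosts whose traffic is concentrated on one non-allowlisted IP."""
    per_host = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, nbytes in flows:
        per_host[src][dst] += nbytes

    findings = []
    for host, dests in per_host.items():
        total = sum(dests.values())
        if total < min_total_bytes:
            continue  # not enough traffic for the ratio to mean anything
        top_dst, top_bytes = max(dests.items(), key=lambda kv: kv[1])
        share = top_bytes / total
        if share >= min_share and top_dst not in allowed:
            findings.append(Finding(host, top_dst, round(share, 4), total))
    return sorted(findings, key=lambda f: f.host)


if __name__ == "__main__":
    for f in single_destination_hosts(SAMPLE_FLOWS):
        print(f"{f.host}: {f.share:.1%} of {f.total_bytes} bytes to {f.top_destination}")
```

A match only shows concentration of traffic, not what the traffic is, so it is a prompt to check the address against policy rather than proof of VPN use.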