This article was written by Mike Gillespie, MD of security consultancy Advent IM.
Monitoring employees for potential disciplinary reasons is a standard part of the HR role; however, a lack of awareness of how to do this within ICO guidelines and Data Protection best practice could end up in a costly tribunal for employers.
Do you monitor your employees? At a recent Employment Law Seminar, I asked that question and hardly anyone showed hands. So I asked if anyone used CCTV, indoors or outdoors. I asked if their vehicles had trackers on them and if they did, were the vehicles allowed for personal use. I asked if they were allowed for personal use, did they switch the tracking off outside of business hours. I asked if internet use was monitored or restricted. Lastly I asked if they monitored phone or email use. I pointed out that even something installed for the safety and security of employees like CCTV is in fact monitoring them and the images could potentially form part of a disciplinary if required. Then I asked again if anyone monitored their employees and virtually everyone raised their hand.
OK so there were some areas of monitoring employers might not have realised they were doing as they had not actively instigated them for monitoring employees with a view to disciplining them. There are other areas of monitoring that are started for clear improvement or disciplinary reasons. It might be an employee using company email for more than the occasional personal purpose or an employee constantly online shopping or browsing porn in work hours on a work computer, or an accusation of physical intimidation of one employee by another. These are example scenarios that might require a business to start surveillance on its employees. However, before swinging into action a business needs to be absolutely certain how to proceed or there may be unintended consequences for the business. These unintended consequences could prove to be costly, not only financially but reputationally.
Certain things need to be in place before effective surveillance can take place. Robust policy is obviously the first place to start. For instance, if employees are allowed to use laptops for personal use and an employee uses one to view porn outside of work hours, have they contravened the policy? Was the policy absolutely crystal clear as to whether or not this would be a disciplinary offence? Do they understand it? The other part of the equation is the policy on monitoring. Are both employers and employees clear on the policy and procedures around monitoring? If you are going to monitor them, you have to be certain. You also cannot simply blanket monitor all employees. You cannot covertly monitor them; your intention or objectives must be clear and consistent. You must be able to explain to employees:
- Why you are monitoring
- What the process is
- What you are monitoring – systems, applications, hardware etc
- When you will be monitoring
- Who will be responsible for monitoring
- Who will have access to the data generated by the monitoring
- How that resulting data will be held, managed and eventually destroyed
It is vital that the last four points are not overlooked. In our IT-driven environment, it frequently falls to IT to roll out the software to carry out monitoring or surveillance. This may be the most practicable solution to initiating the monitoring process, but is it appropriate for IT to have access to the resulting data? Any data resulting from surveillance is sensitive, and so employees have every right to expect it to be treated with the same duty of care as their other sensitive or personal information. The data generated from monitoring will be covered by the Data Protection Act (1998), and so a clear understanding of who can access it, when they can access it and when it should be destroyed is vital.
Remember, employees have every right to request the data that employers hold on them (through a Subject Access Request, and this would include CCTV images) or to demand that it be destroyed, if it is felt that retention is not appropriate and in accordance with the Act and local policy. This is because the Act states that the data and images are their property and not their employer's. Interestingly, a recent survey [Ponemon Institute – The Risk of Insider Fraud – Second Annual Study] on insider fraud indicated CCTV surveillance as a new monitoring means being enabled by businesses, specifically to combat fraud by employees and not, as has traditionally been the case, to ensure their safety and security.
Emails or browser histories are fairly obvious data generators, as is call monitoring. It is worth noting that this kind of information is possibly best routed directly to HR, rather than monitored by IT. Serious misconduct such as viewing child pornography could be inadvertently compounded if it is handled by someone unaware of the law around such matters. In the case of something like child porn, a well-meaning person accessing whatever images had been viewed or downloaded, and saving or downloading them as proof, would perhaps not realise that every time they are viewed or downloaded it is an offence…
So making sure that employees know, understand (and confirm they understand) the relevant policies relating to their conduct is the start. Ensuring they know, understand (and confirm they understand) the employee monitoring policy is the next stage, and presuming the policy is fit for purpose, monitoring can commence. Employers need to be absolutely certain they are conducting monitoring in accordance with the ICO guidelines and within the Data Protection Act (1998). A simple guide exists on the ICO website, which is a good place to start.
Clarity, openness and best practice – the cornerstones of good business – are the bywords for effective employee monitoring and also help keep a business out of Employment Tribunals.
One Response
The flipside
…is the employee pulling documents which detail corporate fraud. After my notification to the exec GM of a discovery of unethical extortion and criminal corruption was then directed to HR, I decided my protection was to print and store offsite as much evidence as possible. Aware I was being monitored (paranoid? as the tech support specialist of a product called Smartwatch, trust me!) I printed apace, to collect invoices, emails and photos. Now that I’ve been singled out for a redundancy, I’ve become the criminal in possession of material which doesn’t belong to me. The reluctance of state & federal police to act (each claims it’s t’other’s jurisdiction), ombudsman, local MP and regulatory commissions likewise leaves me yearning for WikiLeaks to break free of their shackles. Self-regulation of security and the ethical conscience of HR have clearly failed when it matters most – the sum at stake is some portion of a $40m Capex. This is Julian’s raison d’être.