Privacy
Employee Monitoring
An overview of technologies, treatment, and best practices.
By Andrew Milam Jones
Roughly three quarters of Americans work at a computer.1 It
is not surprising then, that how employees use the company’s networks,
email systems, and web resources is of great interest to employers.
Employers monitor for many well-established reasons, such as ensuring
productivity, preventing theft of trade secrets, minimizing the risk of
harassment or discrimination claims, and more. This article considers
technological and legal developments regarding employee
monitoring.2
Technologies
Increasingly sophisticated technologies are used to observe any
imaginable use of a workplace computer system. The technologies can
record precisely which systems, documents, and files are accessed,
modified, and printed; they can observe and record every keystroke made
on a keyboard; and they can provide screenshots activated by optical
character recognition. They can be viewed in real time and can provide a
recording of a computer screen through entire work shifts. They can be
installed remotely and surreptitiously.3
Employee monitoring goes beyond the mere use of computer systems.
Millions of Americans use badges to access parking lots, buildings, and
special floors and areas of their workplaces. Their movements are also
monitored by closed circuit television, or CCTV. Technology has also
blurred the line between workplace and home: employees’ locations may be
tracked at any time, as may be the very specific nature of their driving
habits (e.g., speeding, rapid acceleration, or braking, etc.).
Growing numbers of employers use biometric sensors and other devices
that measure and analyze incredibly detailed information about workplace
activities in ways unimaginable even a few years ago.
One Boston startup provides employers with a device resembling a
common employee badge that uses Bluetooth, infrared motion sensors, an
accelerometer, and microphones to record an employee’s conversations,
his or her movements about the office, proximity to his or her desk and
to others, posture, and overall activity level. The technology is
coupled with device monitoring technologies. The combined technologies
are used to measure productivity, chart social interactions, determine
who is influential or who is isolated, and ascertain who is overworked
and may need additional team members. The technology allows employers to
better allocate resources, both human and capital.4
Another technology uses artificial intelligence to analyze employees’
conversations—words spoken, speech volume, tonal qualities,
interruptions, and more—to detect joy, anger, or stress or to learn what
sort of project strategies are most effective. The results can be used
to consider organizational changes, modifications to projects, or
specific actions to address individual performance
concerns.5
Legal
Treatment
Emerging methods for employee monitoring raise a multitude of privacy
concerns. While federal law affords privacy protections to telephonic,
email, and internet communications, exceptions generally permit
employers to monitor these communications.6 In Texas, like
the U.S. generally, employers are typically free to monitor their
employees’ internet and email usage. Emerging statutes, both federal and
state, are beginning to place more regulation on assorted forms of
employee monitoring, but not surprisingly, these laws tend to lag well
behind the technological capabilities they seek to regulate.7
In the absence of statutes, common law notions of privacy provide the
best available guidance on appropriate boundaries for employee
monitoring. Like most states, Texas recognizes the tort of invasion of
privacy, and more specifically, the tort of intrusion upon one’s
seclusion, solitude, or private affairs. There are two elements to this
cause of action: (1) an intentional intrusion, physically or otherwise,
upon another’s solitude, seclusion, or private affairs or concerns,
which (2) would be highly offensive to a reasonable person. When
assessing the offensive nature of the invasion, courts further require
the intrusion to be unreasonable, unjustified, or unwarranted.
Plaintiffs must thus demonstrate that a reasonable expectation of
privacy exists in the circumstances in question.8 Reasonable
expectations may be determined by the employer’s interest in the
monitoring, the means employed, and whether notice was provided, among
other things. In considering whether a given kind of monitoring is
justified, it can be helpful to consider whether the monitoring would be
fair and reasonable in the absence of the technology that
permits the monitoring in question to occur.
While employers are generally afforded wide latitude to monitor, there
are numerous instances in which employees have been found to have an
expectation of privacy in their electronic communications at work. For
instance, in Stengart v. Loving Care Agency, the New Jersey
Supreme Court found that an employee had a reasonable expectation of
privacy in emails sent to her lawyer through a password-protected,
personal, web-based account that she accessed on her company
laptop.9
Employees are also afforded protections under existing and emerging
statutory frameworks. Actions under the Electronic Communications
Privacy Act and Stored Communications Act have been used to challenge
monitoring practices, including an employer who used keylogging
technologies to obtain an employee’s bank account password.10
Labor union regulations have also been relied upon to contest
monitoring.11 Employee location tracking by GPS has also been
contested, under state privacy laws, labor laws, and other
theories.12
Certain circumstances support monitoring of employees and reduce an
employee’s reasonable expectation of privacy. For example, a number of
states, including Texas, require employers to report cases in which they
discover that child pornography has been accessed on company systems.
While employers are shielded from liability for failing to report
improper internet usage “except in a case of wilful or wanton
misconduct,” it is not hard to imagine that juries may conclude that
failures to detect such usage meet an exception.13
Another example concerns employees who work with vulnerable persons,
such as teachers or assisted living facility nurses. The need for closer
monitoring of these employees is understandable but raises various
privacy considerations.14
Employers with international employees must consider relevant foreign
laws. Two recent noteworthy European cases are instructive. The first,
Barbulescu v. Romania, involved an employee fired for using a
Yahoo Messenger account for personal emails. His employer had asked him
to set up the account, but later he used it for personal chats. The
Grand Chamber of the European Court of Human Rights, reversing Romanian
courts, found that Bogdan Barbulescu’s privacy rights had been violated.
In its opinion, the Grand Chamber cited a lack of prior information
about the extent and nature of the employer’s monitoring, as well as the
possibility that the employer might have access to the actual content of
the messages.15
The second case, Antovic & Mirkovic v. Montenegro, involved
the use of CCTV in a college lecture room. Math professors Nevenka
Antovic and Jovan Mirkovic complained that their right to privacy was
violated by the overt placement of CCTVs in their lecture halls. The
ECHR, once again reversing the high court of a member nation, found
that, despite the public location of the cameras, their placement
violated the professors’ privacy rights.16
Best Practices for Employers
Employers wishing to take advantage of new, sophisticated monitoring
tools do so at a time in which the rules are arguably playing catch-up.
Nonetheless, certain best practices can help companies make good use of
these tools while minimizing risks:
Employers should carefully consider whether and how to monitor, especially in cases where the line between work and personal life is blurred (e.g. location monitoring or bring your own device policies). For internet use, employers should consider less intrusive alternatives, such as blocking.
Employers should provide thorough and detailed notices to employees in advance of monitoring, for all types of monitoring, and they should make the disclosures part of their employee handbooks. Employers should utilize consent and waiver forms, recognizing that some jurisdictions may deem them ineffective.
Employers should follow strict protocols on the deployment and use of monitoring tools to limit access to appropriate individuals and to ensure that decisions involving collected data are fair and reasonable. Collected data should be securely held and promptly deleted when no longer needed.
Monitoring policies and procedures should be developed and routinely reviewed with consultation among human resources, information security, and legal professionals, as well as third-party experts. The policies should be harmonized with acceptable use policies for employees and with protocols and processes for information security teams.
As applicable, before commencing any new form of monitoring, employers should conduct impact assessments, consult with privacy regulatory authorities, and consult with works councils (notably in cases in which European or similar laws apply). TBJ
ANDREW MILAM JONES
serves as
senior director and legal counsel to Epsilon Data Management, LLC
(Publicis Groupe), a targeted marketing, analytics, and data services
company, where he practices in support of technology and privacy related
matters. His prior experience includes in-house roles at MoneyGram
International, where he focused on privacy law matters, and AT&T,
where he practiced for more than a decade in regulatory, litigation,
transactional, and legislative roles. Jones holds an economics degree
from Kansas State University and a law degree from the University of
Kansas, and he may be reached at andrew.jones@lionresources.com.