On Time Tech

Can You Legally and Ethically Monitor Your Employee’s Online Activities?

Written by Lance Stone | May 1, 2019 10:55:00 AM

Monitoring employee behavior is nothing new, as supervisors have been stalking their staff for generations. What has changed is the degree to which employee behavior is transparent in the workplace, with sophisticated monitoring solutions in play one could argue that nothing is truly sacred when it comes to being monitored by your business. It is standard practice for all phone conversations to be recorded in a customer service setting, but this is expanding dramatically into detailed tracking of websites that are visited and even emails that are being sent and received. Employees may not often think about the fact that personal emails that are being checked on business-issued phones or laptops are fair game for tracking — but they are. Whether this tracking is meant to identify underperformers or to protect the IP and sensitive data of the organization, there are laws in place to protect both the employer and the employee.

What Are You Trying to Accomplish With Monitoring?

When you are considering monitoring your staff members or contractors, the most important question to ask yourself if what you’re trying to accomplish. Do you have some underperformers, and are trying to gather information about their work habits? Do you suspect corporate espionage? Do you simply want to protect your organization from the productivity drains that occur when staff members spend an inordinate amount of time on social media? Understanding the business driver will help you more fully define the legal reason for gathering this type of information from your employees. You might even have someone who seems to be absent — even though they are technically “at work” every day. Monitoring of their access badge would fall under these same rules for electronic monitoring. As you’re defining your monitoring program, also look at the success metrics. Are you attempting to reduce the time spent on social media? If so, you also need to have in place a way to communicate that employee behavior is outside the expected norms.

Employee Notification of Online Activity Tracking is Crucial

The majority of employees are simply going about their daily work, unconcerned that their employer could be potentially tapping into conversations on email or their phones. These individuals probably have nothing to hide, because they are being good stewards of time and resources and only doing a little light shopping at lunch, for instance. Others might be extremely concerned and secretive about their online behavior, going so far as to surf in incognito mode or clear out browser activities when they close down for the day — never realizing that these steps probably don’t make a bit of difference in whether their employer can still see their activities. If your organization plans to do any kind of monitoring at all, it should be detailed for employees as they are onboarded. A safer practice would include asking employees to sign the most recent version of the policy on an annual basis to indicate that they understand and agree with the monitoring that is being done.

Handling Second-Party Notifications of Recorded Activities

In many states, there are legal standards that require that both parties to a conversation must be notified and agree that the tracking may take place before the activity is deemed legal. There are some workarounds such as a conspicuous posting on your website or an email signature that warns all parties that continuing the conversation with a staff member is considered their agreement to recording the messages. However, this remains a legal challenge in many states. As the government begins to look more deeply at personally identifiable information (PII) and exactly who has access to that data, you might run into additional legal challenges due to the various data breach notification statutes that are currently in place in 48 states.

IoT in the Workforce

Perhaps on of the most controversial conversation around employee monitoring is around connected devices, such as wearables. These items can be capturing data that is extremely personal to the employee, much of which would be considered protected health information (PHI), including things such as heart rate, miles walked, calories consumed and more. Mobile phones that are provided by the company could easily contain apps that would record the information. If you’ve installed keystroke logging on these phones, are you capturing more personal information than you intended?

While you may feel as though you can list the key legal concerns with employee monitoring, the best course of action is to engage an attorney to ensure that you are staying clear of any legal implications of your actions. This is especially true before you take action based on your monitoring findings, such as a formal employee write-up or termination. While triggers can be written to turn monitoring into an effective tool to ward off data loss, there are still plenty of pitfalls to consider before creating a widespread online activity monitoring program.