Surveillance of Employees' Electronic Communications in the Workplace
It is in the nature of technology that an organization that provides access to electronic communication has the ability to monitor any communication sent by the use of this facility, but in many cases, the right of the service provided to collect and use this information is subject to a voluntary agreement between vendor and customer, the latter of which has the ability to refuse to enter into the agreement without consequence (other than the need to purchase from a different vendor).
However, when access to electronic communications is provided by an employer, the balance of power shifts considerably: it is no longer a voluntary agreement of equal partners, and the employee has no right to refuse any terms the employer cares to dictate. It is this characteristic that merits the attention of legislative regulation.
The monitoring of workers in the workplace is not a new phenomenon. By virtue of the relationship, an employer monitors the actions of an employee, or delegates this task to a supervisor, to ensure that the employee is acting in accordance with the terms of the agreement (i.e., doing his job, safeguarding the property of the employer, etc.).
The technology for conducting this monitoring, however, has changed: from human eyes to monitor actions of the workers, to security cameras to monitor the premises, to call monitoring systems that record telephone conversations, to monitoring every keystroke made on company information systems.
To narrow the scope, the author intends to deal only with electronic surveillance of employee communications at work - specifically, monitoring the e-mail sent/received and the online activities of an individual.
Some of the motives for monitoring employee communications are:
- To ensure the worker is working (not spending their time o personal business or goofing off)
- To protect the employer from liability for unauthorized behavior of an employees (e-mail of offensive materials, hacking from a company computer, harassment and discrimination)
- To detect and react to behavior that could harm the company's business (inappropriate messages to customers, disclosure of trade secrets)
- To monitor behavior to ensure compliance with workplace policies
- To supervise the work itself
It's also mentioned that "employee" is a blanket term for anyone who is paid by the company to work, and authorized by the company to use its information systems (covers agents, vendors, contractors, etc.)
METHODS OF ELECTRONIC SURVEILLANCE
The author goes into painstaking detail about this, as if writing for an audience who has never heard of such a thing and doesn't believe it's possible I'll summarize:
- Any e-mail message sent or received by an employee can be recorded in a log file for analysis
- Any HTTP request (including URL requested, any data uploaded through a Web form, any data sent back to the terminal) can likewise be recorded and analyzed.
- The log-on and log-off times can be recorded, as can every keystroke made on the terminal.
- Any files saved on a computer (or company server) can be accessed
The author also strays across a handful of random factoids that seem to be related to but slightly off the topic of surveillance:
THE LEGAL FRAMEWORK
There is no constitutional protection of the right to privacy, though it is often derived from other rights: freedom of speech, protection against search and seizure, and the basic principle of liberty in the sense of "the right to be let alone." Personal information is also treated as a form of property, belonging to the individual to whom it pertains, who should have the right to determine who may be granted access and under what conditions.
Outside the USA, it is recognized as a basic right by the Universal Declaration of Human Rights, International Covenant on Civil and Political Rights, and other agreements (to which the USA has agreed to abide), insofar as intrusion into private correspondence is listed as an affront to human dignity. Even so, the right to privacy is not an "absolute right" and is subject to restrictions to preserve the rights of others or serve the interests of society (EN: which is to say, it's a principle).
The author mentions the "Code of Practice on the Protection of Workers' Personal Data" - which is not a binding law, but outlines some basic principles. It has a number of provisions including:
- Workers should be fully informed in advance of any surveillance by employers, and in specific detail,
- Covert surveillance should be used only in instances where criminal activity or serious wrongdoing is suspected
- Continuous monitoring should only be done if required for protection of property or the health and safety of the workers
There is also a working document in the EU that specifically addresses surveillance of workers by their employers that echoes the above, and adds that:
- Surveillance should not be used to "control the behaviour of individual workers" except in cases where it pertains to security or the proper performance of their assigned duties
- Electronic monitoring should not be the only factor in evaluating workers' performance
- Routine monitoring of individuals is discouraged (it should be done for a specific purpose, for a specific time, and extraneous data disposed of after the stated objective ahs been met)
- Employers are prohibited from accessing or monitoring private e-mail and private files, notably those explicitly identified as such, even if the use of company equipment for personal reasons is prohibited
- Communication between certain professionals (health professionals, union representatives, et. al.) should "receive particular protection"
It's noted that the EU directive is not binding on participating nations, and there is no enforcement - so like the code, above, it is a suggestion/recommendation without force of law.
Review of the Legality of Employees' Electronic Communications Monitoring
In general, US law affords minimal protection to employees, taking into account the employer's ownership of the equipment and the public nature of the workplace to effectively negate an expectation of privacy on the part of the employee. A few court cases (Smith v Pillsbury, McLaren v Microsoft) are cited as evidence of this interpretation.
In Europe, the law leans toward a balanced approach, recognizing that employees have a "legitimate expectation of privacy in the workplace," even when using employer-owned equipment (case study in which e-mail was compared to phone calls) though this is balanced against the business's interests in protecting itself and other employees from the actions of employees.