by Jim Ashton | Oct 26, 2017
This blog entry deals with the use of employee monitoring software to protect against breaches and how this needs to be balanced with protecting personal privacy rights.
Purpose of this document
This document attempts to set out the pros and cons of using monitoring software and how to create a balanced solution to respect an organisation's and an individual's right to privacy.
Last night I attended a monthly GDPR peer event.
The speakers presented a software solution for detecting data breaches by spying on employees' use of digital devices.
The speakers then stated that most breaches are as a result of internal staff rather than external invaders of a corporate data space. This is a fair comment and it is backed up by statistics from the UK's Information Commissioner's Office (ICO). The ICO figures for Q1 2016 to Q2 2017 show that around two thirds of breaches are as a result of human error rather than malicious attacks.
The software itself is something worthy of a "secret service" classification. It has the capacity to track all behaviour on all digital devices.
I fully understand that any organisation wants to keep its secrets, customer records and intellectual property under lock and key and that this software can provide the required protection.
Having said that, the impression I was left with was something similar to the Tom Cruise film "Minority Report": every employee is a criminal in waiting who has yet to commit a crime.
I found the premise disturbing.
Are your employees criminals in waiting?
Without a doubt, there is a possibility of a staff member purposefully behaving badly. There is a possibility that a staff member does something they shouldn't do by mistake. There is also a possibility of a staff member having personal and private communications that use company resources.
The software sees everything so it could be used to spy on employees. It is capable of building evidence on all behaviour: time at desk, files opened, messages sent and read, etc.
The presence of the software is one thing, but how it is used is another.
Unless the employer is fully transparent with employees about the monitoring that takes place, the use of such software breaks the law under the GDPR (Working Party 29: Opinion 2/2017 on data processing at work).
This software raises the spectre of Big Brother. The Working Party 29 paper goes on to state:
"A new assessment is required concerning the balance between the legitimate interest of the employer to protect its business and the reasonable expectation of privacy of the data subjects: the employees."
This balance and proportionality is crucial.
Test case for employee privacy rights
In a recent test case, Mr. Bogdan Barbulescu, a Romanian engineer at a sales company, was sacked because he used his work Yahoo Messenger service for personal conversations.
The legal argument presented in Mr. Barbulescu's favour was that, although he had been told not to use the account for personal matters, the company had infringed his rights by spying on his messages.
The European Court of Human Rights agreed by eleven votes to six that Mr. Barbulescu's right to privacy had been infringed. The company had broken Article 8 of the European Convention on Human Rights, which guarantees the right to respect for private and family life and private correspondence.
Getting the balance right
While the type of monitoring software demonstrated was admirable for detecting breaches, it is also open to abuse.
A legally verified policy regarding the use of this type of software is crucial for it to succeed. In some circumstances the creation of the policy would legally require approval of a Workers' Council or similar representation of employees in order to be enforceable.
The problem is not the software. The problem is how it is used, or abused. Protecting company assets is one thing; abusing the rights and freedoms of data subjects (in this case, employees' private data) is a GDPR infraction with the possibility of fines and other sanctions at the highest level.
It comes back to the basic problem with software of any type: it offers partial help with a problem, but it does not solve the entire problem.
Friends or foes? The decision comes down to corporate culture
The final question has no single answer.
Do you trust your staff and treat them as collaborators for the greater good and well-being of the organisation or do you suspect your staff and treat them all as criminals who have not yet been caught?
In the end it comes down to corporate culture, nothing at all to do with software.