People often recite the cynical phrase that ‘privacy is dead.’ I enthusiastically disagree and believe, instead, that anonymity is dead.
One area where this is being increasingly demonstrated is in the workplace. Employee surveillance has been rising steadily in the digital age. And because it’s difficult, if not impossible, to keep one’s digital work life separate from one’s digital private life, the potential for abuse to happen while carrying out an employee surveillance program is real.
However, I firmly believe that, together, we can preserve employee privacy through clearly stated social ‘contracts’ and fair enforcement of same.
Let’s begin with the notion that employees, unless advised otherwise, have a right to privacy in the workplace. However, the scales also tip in favor of the employer to monitor threats to the company’s intellectual property.
Employers and employees share a unique relationship built on trust. When it comes to assets of the company, it is in the mutual interest of both that they stay protected. Generally, employees will sign a contract, in the form of a Non-disclosure Agreement that yields to the company’s required expectations and practices of protecting the information assets and intellectual property.
Companies wishing to monitor employees’ behaviors to protect company assets should start with the basics: clearly stating policies and communicating expectations to employees about what is private activity and what is not.
A pre-employment Criminal Background Check and an acceptable Email Use Policy are common examples of setting expectations in the workplace. Employees have been accustomed to these controls for decades.
The types of monitoring and controls available to employers in the 21st century present new challenges, however, in terms of maintaining a balance of the employees’ reasonable expectations of privacy and the employer’s legitimate business interests.
For example, to achieve the legitimate business interest of preventing workplace violence, companies can monitor everything, but there needs to be notice to employees and controls over who has access to what information on human behaviors, and there needs to be a hierarchy of responses to suspicious activities. Only those with a need to know should have access to certain types of information.
Social media scrutiny
Let’s take the hypothetical example of an employer, who, for whatever reasons, feels that it is necessary to begin monitoring employees’ use of social media accounts while at work. Employer monitoring of employees’ social media activities might be necessary to achieve the legitimate business interests of monitoring productivity of both onsite and telecommuting employees and/or of preventing disclosure of intellectual property and other proprietary or confidential information. There might also be a legitimate need to investigate allegations of cyberbullying of fellow employees or concerns about unstable or violent behavior on the job.
As with all forms of employee monitoring that existed in the last century, in the 21st century employers must continue to balance legitimate business interests with reasonable expectations of privacy. What worked yesterday still works today – provide notice. For example, it has been common for employers to require employees to report certain non-workplace activities like an arrest or change of marital status. Similarly, employers need to publish and consistently enforce social media policies that advise employees that activities in their own social media accounts and company social media accounts will be monitored during and after business hours and why. When enforcing this policy, employers should be careful to enforce the policies without discrimination and without violating the rules of the NLRB which allow employees to confer about the terms and conditions of their employment.
As long as employers clearly communicate the company’s legitimate business interests and clearly explain the controls in place that will monitor those interests, employees should view workplace monitoring as part of the bargain of employment. It is when employers fail to advise employees that monitoring is in progress or when monitoring occurs in completely private places like bathrooms and locker-rooms that employees should feel violated.
Cyber monitoring in the workplace is already engrained in the financial sector, and is likely to steadily gain momentum in other vertical industries. It can help deter network breaches at a time when cyber-attacks continue to accelerate. As employers do more employee monitoring, it is critical to avoid discrimination. If you monitor, you must monitor all.
The tools available to protect a company’s intellectual property, information assets and the safety of the workplace have the potential to be used as a shield and a sword. Employers must proactively protect company assets and employees but should also be careful to not unfairly target or profile members in protected classes, such as minorities or people with disabilities.
It’s critical that companies preserve the sanctity of the relationship with employees by having a strong governance model and by respecting the right of people to be let alone unless there are compelling and countervailing legitimate business interests.
(About the essayist: Elizabeth Rogers is a privacy and data security partner at the law firm of Michael Best & Friedrich. Rogers is formerly Chief Privacy Officer for the state of Texas, the first person to hold that post.)
This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog