Employee monitoring software: is it legal?

Included in I3 Information rights and privacy. Dated .

For most law firms time recording constructs and the idea of annual billable hours have always meant that “productivity” could be monitored. Any of the managing partner’s typical calls to action of “you’re not billing enough” or “your time recording is down” can be justified where fee-earners have to account for every minute. Even if time recording tools are blunt instruments which do not necessarily provide accurate indications of valuable, usable output, they provide a metric against which a lawyer’s annual hours and salary are based.

So, an obvious next step for a law firm might be to install a more finely tuned piece of software that gives much more granularity of data about fee earner uptime. This might be the type of software that includes employee activity monitoring that records time spent connected to a CMS or the firms’ network and that logs what applications are in use by the employee. Some of the employee monitoring software available logs every keystroke, mouse click, subject line, internet search, social media use and other metadata and it can take screenshots or provide live video feeds via staff devices that are monitored in an attempt to ascertain when the employee is focusing on a client matter and when they are not. This is not the extreme, however; this is the norm for a particular type of software commonly termed “bossware”, and it is increasingly in use by many businesses, including law firms.

The employer’s perspective

Recently publicised use of bossware by giants such as Microsoft and Barclays has been widely criticised as sinister snooping by cynical corporates. Assurances from these organisations that that “productivity scores” maintain trust between the employer and staff working from home ring hollow and workplace surveillance of this type has proved deeply unpopular with staff (both the FT and Barclays have had widely-publicised U-turns on its use). Whilst overt use of this type of software could arguably be justified in the legal environment to monitor work methods, it may also go some way to assuage concerns of insurers and identify risks arising from:

  • circulation of client records which could impact client confidentiality;
  • release of client-confidential information;
  • data protection;
  • release of trade secrets;
  • copyright infringement (through staff not using licensed software at home);
  • cyber security issues such as phishing and hacking;
  • reputational issues where a firm is managing a crisis and needs to close down gossip or limit employees use or comments on social media.

Since the Covid-19 pandemic and widespread instruction to work from home, the challenges of adequate and meaningful supervision have been thrown into sharp relief. This is inevitably the reason why use of bossware has rocketed and some suppliers of such software have seen new business growth of 30 per cent. It helps too that the information returned from the monitoring bossware is available to managers (and to permissioned HR and technical staff) in easy to read graphic form and presented as a reflection of productivity or trustworthiness of time recorded.

Although some bossware is visible to employees, allowing them to clock in and clock out of their firm’s bossware app, others are invisible and the employee has no idea they are being used. This is particularly worrying as many people forced to work from home during the pandemic weren’t provided with hardware by their employers so the bossware is able, in effect, to wander around the personal property of an employee and even to keep tabs on where they are via GPS monitoring. Even for people who were given a company laptop or device to use to work from home (where bossware was installed), during the extended lockdown those people may have found that as of necessity it was being used by their children to complete or submit school work, or by a partner to “just do this one thing” and this could mean that the actions of non-employees are also monitored, without their knowledge or consent. Even the cleverest programmes with the smartest AI can’t distinguish who is typing on a keyboard nor what computer use/screen time is work-related or personal and cannot automatically redact personal details such as bank account or medical information.

For most employers, the data use and privacy policy in the employee handbook is the only interface that exists between staff and monitoring and that is not often updated.

The Information Commissioner provides useful guidance on what needs to be included in an electronic communications policy for staff and most standard policies include:

  • clear standards of conduct and performance online;
  • examples of what constitutes appropriate and inappropriate use of the technology;
  • a prohibition on social media participation naming the company/employer;
  • prohibitions on downloading software without the consent of the IT department (including instant messaging software);
  • advice on email etiquette;
  • a reminder that the content of emails must not breach equal opportunities, anti-harassment policies or be defamatory;
  • a statement that inappropriate use will be dealt with under the employer’s disciplinary procedure and could result in dismissal;
  • a warning that emails can be used as evidence in court proceedings;
  • warnings that emails can be forwarded easily and should not be treated as confidential (any confidential information should be encrypted);
  • statements that the employer’s standard disclaimer must be used at all times;
  • rules for private use of office equipment when used away from the workplace or at the employee’s home and whether personal use is permitted and if so, what level and at what times personal use is acceptable; and
  • detail of subject access rights.

How many employers reviewed these policies when they sent staff home to work in March and November? The answer is almost certainly “not enough”!

Is it legal?

The fact remains that even if an employee has signed a contract which permits an employer to monitor emails and other use of the employer’s networks, bossware raises much wider issues of privacy. Interventions and access which would not be considered unacceptable if undertaken in person by managers, seem to be standard across most bossware. Is that justified? Is it ethical? Does that matter?

The first major point is that there is no single law in any realm of the UK that specifically deals with monitoring workers and nothing that either allows employers from monitoring staff or prevents them from doing this. There is no law that provides privacy at work.

The law on monitoring workers, staff (and anyone in fact) is contained across 4 major pieces of legislation:

  • General Data Protection Regulation (GDPR);
  • Data Protection Act 2018;
  • Human Rights Act 1998, which incorporates the European Convention on Human Rights, providing individuals with the right to respect for private and family life and correspondence;
  • Investigatory Powers Act 2016 and Investigatory Powers (Interception by Businesses etc for Monitoring and Record-keeping Purposes) Regulations 2018 (SI 2018/356).

Additionally, common law rights of a duty of trust and confidence are implied into an employee’s contract of employment and exist to protect employees, breaches of which could entitle an employee to resign claiming constructive dismissal. It is also worth flagging that the Employment Practice Code, which is designed to help employers comply with the Data Protection Act and encourages them to adopt good practice, sets out principles for employee privacy and monitoring and whilst breach of the code per se will not be actionable, they will clearly be indicative of wider breaches of statute which could then form the basis for claims.

Employee monitoring under GDPR and DPA

The five data protection principles (GDPR Art 5) apply to employee monitoring as much as to processing of personal data. This means, monitoring must be undertaken:

  • lawfully, fairly and in a transparent manner;
  • only for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes (for which it is processed);
  • in a manner that, through use of technical or organisational measures, ensures appropriate security, against unauthorised or unlawful processing, accidental loss, destruction or damage.

The upshot of this is that monitoring can only be undertaken if the employee is provided with detailed information about how, when and why it is being undertaken and whether the balance of a justified right to monitor outweighs an individual’s right to personal data privacy.

If an employee believes that they have been singled out for monitoring or the communications retrieved are not justified, they may make a data subject access request and this is a good first step to monitoring the monitors.

The Employment Practice Code (para 3.1)

This broadly follows the same principles as those in GDPR and DPA:

  • employees have an expectation of privacy, even if they have been informed that monitoring occurs at work;
  • monitoring undertaken must be justified and proportionate;
  • information obtained during monitoring must be kept secure.

Crucially, the why, when and how questions apply and it is not enough to tell an employee that they are being monitored, they must be told why, how information obtained will be used and who it will be shared with. The code also provides Good Practice rules which let employees know their email accounts may be checked in their absence; that email monitoring is limited to headings unless it is essential for it to be read and that private emails are marked as such, in which case they should not be read.

More recent Working Party (WP29) recommendations go on to outline that employers should only sample and not continuously monitor staff, in specific areas of concern and not where an employee has an expectation of privacy (such as their home). Whilst WP29 recognises that some monitoring out of the office may be justified, such as vehicle tracking for logistics and delivery staff, overall it does not advocate for monitoring out of office – which includes homeworking and BYOD scenarios.

ECHR and Human Rights Act 1998

“Everyone has a right to respect for his private and family life, his home and his correspondence” is a noble aim, but the legislation doesn’t protect this as an absolute right. The right can be overturned in the interests of national security, prevention of a crime, protection of health or morals or for the protection of the rights and freedoms of others. It is hard to see how these would be applied in all but limited circumstances and it would be a brave employer that would reply on “the economic well-being of the country” exception as a broad justification for monitoring staff ‘productivity’ contrary to the ECHR or HRA!

Investigatory Powers Act 2016

Under the IPA, it is an offence to intentionally intercept a communication via a public telecommunications system in the UK without lawful authority. It is not an offence to intercept a communication on a private system, however, if that person has a right to intercept (via employee consent) or they have been granted the right to intercept by the person who owns the system.

Is monitoring ever justified?

Yes. It may be necessary to undertake PEN testing or security testing and so monitoring weak points in a system may include reviewing employee emails and their social media chatter. Alternatively, if a claim of harassment is made, an employer may choose to monitor internet use to prevent a staff member from displaying or circulating inappropriate material. In both instances, the issue of proportionality must be considered and the infringement or privacy weighed against the benefit of an outcome that leads to overall better staff practices.

The ambit of what is considered lawful under IPA is small; interception means the deliberate act of monitoring and capturing (or blocking) and if an employer’s communications network connects to a public network, then it is considered public not private. To overcome the issues that may arise, employers should have monitoring of communications policies clearly set out in the staff handbook which employees must be informed of and, ideally asked to sign to confirm that they have read and understood them.

Employee consent is not normally required for monitoring of this sort (see below), but if the employee has been given a copy of the handbook and continues to work under the contract without formally objecting, they are deemed to have given consent in any event.

Separate regulations under IPA apply to employers where, in a business context, they may intercept communications of staff without consent to establish the existence of facts; ascertain regulatory compliance; prevent or detect crime; ensure effective operation of the system or investigate or detect the unauthorised use of the telecommunications system.

It is this last category that provides an employer with the broadest remit to monitor employee’s communications without consent (and not all employers have monitoring policies in place), but it would be interesting to discover whether a Court would extend that monitoring beyond the confines of a workplace to a WFH environment.

Conclusions

In the scramble to enable home working for as many staff as possible, Zoom was enabled, people were told to use a background that blurred out their home features and family photos. They were instructed not to leave files open in front of them or on screen and to close down and log off at the end of the day. Passwords and two factor authentication for logging on may have been enabled and security reviewed on the network supply side, but most employers did not check who else had access to hardware used to work from home by their staff and bossware has back-filled this gap in employer oversight to some extent.

In the circumstances, where a slow stream of software was already being employed pre-pandemic to monitor workplace productivity, it seems inevitable that that would become a steady tide to monitor staff when they moved to work from home. What is abundantly clear is that some employers have felt the need to go beyond occasional monitoring, either for business expediency or productivity exigency and that the majority of bossware sits in a dark and stormy grey area of the law which will doubtlessly be litigated over in the coming years.

Joanne Frears is IP & Technology Leader at Lionshead Law. She advises innovation clients on commercial and IP matters and is a regular speaker on future law. Email j.frears@lionsheadlaw.co.uk. Twitter @techlioness.

Belinda Lester is the founder of Lionshead Law, a virtual law firm specialising in employment, immigration, commercial and technology law. She specialises in employment law. Email b.lester@lionsheadlaw.co.uk. Twitter @lionsheadlaw.

Image Public Domain via Pixy.org.