Privacy Ninja

Employee Monitoring – What Are The Data Privacy Rules?

With more people working from home than ever before, many financial institutions are using employee monitoring software to observe remote working practices. Iain Bourne discusses the data privacy implications.

Recording client phone conversations is a regulatory requirement for many firms in the financial sector, supporting fair treatment of customers and good conduct. This can also provide a good evidence trail for audit or dispute resolution.

Under lockdown, however, many firms have rolled out these tools more broadly, using employee monitoring software to track productivity and improve oversight. Some of these tools take regular screenshots of what their people are working on or what they’re browsing online. Many also use webcams to take frequent photos of their employees. Bad press around some of these programs even accuses them of monitoring toilet breaks.

With stories circulating of things accidentally seen over video conferencing, such as a politician who took a shower during a Zoom call, there is a very real danger that monitoring software is capturing things it wasn’t intended to.

While these programs are not illegal per se, and in some cases are necessary for regulatory purposes, firms should consider how to manage their usage effectively and in compliance with the relevant laws. The focus of this article is data protection law, but other laws could also be relevant, for example the rules on interception of communications.

Data privacy and employee monitoring

When an employer collects personal information about an employee, for example by making a voice or video recording, or by using software to monitor the employee’s keystrokes, data protection rules will apply to that information.

Firstly, this means that the default position is transparency: employees must be told about the monitoring. All employees subject to monitoring must be made aware of:

  • the fact that they are being monitored
  • the purpose of the monitoring
  • what the relevant legal basis for the activity is
  • retention periods for the information being collected
  • what rights the employee has in respect of the information
  • their right to complain (in the UK) to the Information Commissioner’s Office, if they have a concern about the monitoring

Usually, the information above will be provided in an employee-facing privacy notice. But this isn’t always the case and, from a regulatory standpoint, sometimes there isn’t full transparency around employee monitoring.

Awareness of employee monitoring is key

There is often a disconnect between the team managing the employee PC monitoring software – generally the IT or InfoSec function – and the data privacy team.

Given the sensitivities around employee monitoring, some firms are issuing standalone documents and awareness materials to open the discussion. This is certainly good practice.

Remember that the usual transparency rules are suspended if there is a suspicion of criminality or other serious wrongdoing: specifically, if telling a particular employee about a monitoring operation would prejudice the prevention or detection of crime by constituting a tip-off.

That said, explaining how employee monitoring takes place in the broad terms required under the law should not normally prejudice law enforcement, fraud prevention or national security.

Is employee monitoring data relevant?

The information collected through employee monitoring software must also be relevant, necessary, not excessive, and otherwise compliant with the requirements of the data protection principles. This is where compliance becomes a very grey area.

Newspaper reports have detailed some potentially intrusive techniques, such as using facial recognition technology to monitor via webcams. Developments such as empathic computing make it easier to assess employees’ attitudes, motivation levels and moods remotely. Note that data protection law’s ‘automated processing’ rules may also apply here. For example, if an employee is being sanctioned on the basis of a purely automated assessment system – one that counts keystrokes, for example – then additional protections will apply: the employee would have the right to have the decision re-assessed with an element of human intervention. More generally, employers using automated decision-making techniques must be transparent about this, including providing ‘meaningful information about the logic involved’ to the employees being monitored. (Again, this should be provided through the relevant privacy notice or other awareness material.)

There is a strong argument that intrusive monitoring techniques breach the basic principles of data protection law, and they may also sit uneasily with human rights law. But, so far, there has been little activity by regulators in this field, and perhaps they are unwilling to ‘grasp the nettle’ of intervening in the sensitive realm of the employer-employee relationship.

I worked on the last significant piece of Information Commissioner’s Office (ICO) guidance on this, back in 2005, and producing the Employment Practices Code was certainly a politically charged and difficult mission. I wouldn’t be surprised if the ICO and other data protection agencies revisit this subject soon, in response to complaints from employees, possible case-law and the use of more advanced tools to monitor employee computer activity.

Need to know

The whole issue of employee monitoring has come to the fore because of the rise of home working due to the COVID-19 lockdown. Many people may expect to be monitored if working in highly regulated or other high-risk industries. But in the home environment there may be higher expectations of privacy than when working from an office. This means monitoring can become much more of an issue, and I believe this is more likely to result in complaints to regulators, with a potential impact on the privacy aspects of the employee-employer relationship. That is why monitoring must be as transparent and carefully targeted as possible. The adage that this is about ‘need to know’, not ‘nice to have’, is more relevant than ever.
