Employee monitoring: deciding whether to monitor and how
Section three of the Personnel Today Management Resources one stop guide on employee monitoring, covering: impact assessment and how to deal with employee monitoring in practice.
Use this section to:
Produce an impact assessment to help decide whether to monitor staff.
Deal with various common scenarios arising from workplace monitoring.
The most common approach to employee monitoring is to monitor use when suspicions arise that the system is being abused. Twenty-three companies out of 63 surveyed by IRS in 2003 took this approach. But 18 respondents said they routinely monitored all e-mail and internet use, with 12 saying they monitored a random sample, five when criminal activity was suspected and one a defined sample of user access.
Twenty-four respondents monitored just the address or heading on e-mails and 12 the main body of text.
Although not legally required to do so, employers are advised in the Data Protection Code to carry out an impact assessment before deciding to monitor staff.
The code lays down guidelines for steps employers should take in deciding whether and how to monitor.
Assess whether benefits received from monitoring will outweigh any adverse impact on staff
Decide whether monitoring is indeed a proportionate response to the problem.
If so, then you will need to establish what monitoring method you want to adopt.
Aims of impact assessment
An impact assessment should, according to code recommendations:
Identify the purpose behind the monitoring arrangement and the benefits you expect it to deliver
Identify any possible adverse impact
Consider alternatives to monitoring and examine different ways in which it can be carried out
Take into account obligations that arise
Judge whether monitoring is justified.
Assessing adverse effects of monitoring
The Data Protection Code recommends you look at things such as:
How much and what kind of intrusion there will be in private lives
How much information staff will be given on how and when they will be monitored
Whether confidential, private or sensitive information will be seen by those with no business need to see it
What impact there will be on the relationship of mutual trust and confidence between the staff and employer or with trade union representatives, for example
Whether the monitoring will be oppressive or demeaning.
As part of the assessment, it is important to consider the least intrusive method of monitoring possible and to look closely at alternatives. Ask questions such as:
Can established or new methods of supervision, effective training and/or clear communication from managers, rather than electronic or other systemic monitoring, deliver acceptable results?
Can investigating specific incidents or problems be relied on, for example, accessing stored e-mails to follow up allegations of malpractice rather than undertaking continuous monitoring?
Can monitoring be limited to workers about whom complaints have been received or about whom there are other grounds for suspicion?
Can monitoring be targeted at areas of highest risk only?
Can monitoring be automated so as to be less intrusive, with information only 'seen' by a machine?
Can you undertake spot-checks rather than continuous monitoring?
Bear in mind, however, that continuous automated monitoring may well be less intrusive than spot checks involving human intervention.
The Data Protection Code's supplementary guidance section recommends employers take account in impact assessments of the ability of automated monitoring to reduce the extent of information being made available to people other than those party to the communication. It suggests the following can generally be automated:
Monitoring to protect the security of a system
Monitoring to detect references to matters of particular sensitivity, for example, the name of a company involved in a merger.
When deciding whether an existing or proposed method of monitoring is justified, you need to focus on the need to be fair to staff and make sure there is no more intrusion than necessary.
Significant intrusion is only justifiable if the employer's business is at risk. It is frequently helpful to consult with staff and/or trade unions on these issues.
Dangers of taking monitoring too far
When deciding whether to monitor or not and if so, how, employers need to bear in mind the potential for detrimental impact. Excessive monitoring undermines staff, leading to greater job-related depression and poorer well-being.
Stress levels among frontline call handlers in UK call centres were found to be significantly higher than among benchmark groups in other occupations, according to research by the Health and Safety Laboratory (HSL) reported by IRS (see Hanging on the telephone). Frequent or constant performance monitoring is blamed for poorer well-being among call handlers, particularly those working in telecommunications and IT and in organisations employing more than 50 staff.
The HSL report, Psychosocial risk factors in call centres, reveals that eavesdropping - electronic performance monitoring by supervisors listening in to calls - is a major cause of work-related stress.
Mitigating working practices
The HSL study recommends several management interventions to minimise stress among call handlers:
Individual autonomy, avoiding scripts for conversations with customers where possible
Group autonomy, giving teams responsibility for planning job/task allocations for a shift, including time spent on phones and other back room tasks, and training
Tackling role conflict, looking at genuine team-working among call handlers, involving greater self-regulation, coaching support, task variety and devolved autonomy.
Monitoring telephone calls and voicemails
The code's supplementary guidance section recommends that employers do not introduce monitoring or recording of the content of calls in all cases. Recording should be limited to those calls involving or likely to involve transactions. The code recommends that if the itemised call record alone is insufficient, assess whether it can be used to help ensure monitoring is strictly limited and targeted. It gives the example of an organisation having evidence that commercial secrets are being passed on to a competitor. By examining itemised call records, the organisation might be able to narrow down those under suspicion rather than introducing blanket monitoring.
Monitoring e-mails
The code also recommends keeping e-mail monitoring down to a minimum, such as whatever is necessary to ensure the security of the system: for example, protection from intrusion and from malicious code such as viruses or 'Trojans', or the detection of the misuse of passwords.
Organisations must consider:
analysing e-mail traffic rather than content - confining e-mail monitoring to address/heading unless it is essential for a valid and defined reason to examine content
if the traffic record is not sufficient, using it to narrow the scope of content monitoring such as restricting it to those mails being sent to a rival organisation
putting in secure lines of communication for transmitting sensitive information to occupational health advisers or trade union representatives which are not monitored or are monitored differently
providing facilities allowing messages to be sent not bearing the organisation's official heading
encouraging employees to differentiate between private and business mail, marking any personal e-mails as such and telling those who write to them to do the same
only opening personal mail in exceptional circumstances such as where a worker is suspected of harassing other employees
if workers are allowed to access personal e-mail accounts from the workplace, monitoring such e-mails only in exceptional circumstances
limiting monitoring to external mails - monitoring internal mails can be more intrusive
if personal use is prohibited, identifying personal messages by header or address information and thus taking action against the sender or recipient without opening mails.
There have been reports in the press of a publishing company installing a software filter which searched for the word 'salary' in a bid to stop staff being poached. The Information Commissioner is unlikely to look kindly on such a search as it could easily mean employers accessing private information.
Internet access monitoring
The code's supplementary guidance recommends considering using monitoring that prevents rather than detects misuse, such as blocking access to inappropriate sites or material by using web-filtering software. It suggests:
taking advantage of state-of-the-art technology which can undertake complex analysis of images and prevent display of sexually explicit material without disrupting normal business activity
preventing misuse of systems by recording time spent accessing the internet rather than monitoring the sites visited or the contents viewed
limiting the use of the information collected.
Video and audio monitoring
As with any other kind of monitoring, the Data Protection Code recommends only using video or audio monitoring when the benefits justify the adverse impact. To comply with the DPA, you will need to meet certain standards if you go ahead:
establish who is responsible legally for the monitoring scheme
assess the appropriateness of, and reasons for, using CCTV or similar surveillance equipment
establish the purpose of the scheme
ensure that the notification lodged with the Office of the Information Commissioner covers the purposes for which this equipment is used.
The CCTV Code states that CCTV equipment can be used for purposes such as preventing, investigating or detecting crime; apprehending and/or prosecuting offenders; ensuring public and employee safety; and to discipline staff.
In terms of best practice, the Code of Practice on CCTV recommends also:
documenting the assessment process and the reasons for installing the scheme
documenting the purpose of the scheme
establishing and documenting the person or organisation responsible for ensuring the day-to-day compliance with the requirements of the code
establishing and documenting security and disclosure policies.
When doing an impact assessment for video and audio monitoring, employers should take into account how information is stored. In the case of an employee requesting access to personal information, it could prove onerous to retrieve such information from the system.
Video and audio monitoring should, where possible, be targeted at areas of particular risk and confined to areas where expectations of privacy are low.
Continuous monitoring of particular individuals is only likely to be justified in rare circumstances, recommends the code. Video and audio monitoring is deemed to be particularly intrusive, particularly if it is combined.
When doing an impact assessment for video and audio monitoring, the code recommends considering the following:
Can video and audio monitoring be targeted at particular risk areas, for example, where there is a risk to safety or security?
Can monitoring be confined to areas where workers' expectations of privacy will be low, such as areas to which the public have access?
Can video and audio capability be treated separately?
Are you in a position to meet your obligations to provide subject access and where necessary remove information identifying third parties from audio and video recordings?
In-vehicle monitoring
The code recommends considering the following:
Can monitoring be conducted without yielding information that relates to the private use of vehicles? Information about the location of the vehicle will be the most intrusive
Is private use of vehicles supplied by, or on behalf of the employer allowed? Where private use of vehicles is allowed, monitoring their movement when used privately without the freely given consent of the user will rarely be justified. This means there should be a privacy button or some other disabling arrangement
Is monitoring of workers' own vehicles to take place? Monitoring will only be justified where the vehicle is being used for business purposes, the worker has freely consented to the installation and use of any monitoring device and the information collected by the employer is strictly necessary for its business purposes, such as to reimburse the worker for the cost of business use.
Monitoring information through third parties
As with any other impact assessments, you should start with the presumption that workers are entitled to keep their private lives private and that employers should not intrude into this unless they face a real risk to which the intrusion is a proportionate response.
You should not, for example, monitor a worker's financial circumstances unless there are firm grounds to conclude that a worker in financial difficulties in the job in question actually poses a significant risk to the employer. One area where this might be the case is in some parts of the financial services industry where there are particular opportunities for fraud.
Remember that Section 55 of the Data Protection Act makes it a criminal offence to obtain personal information without the authority of the data controller. An employer using a facility for employee monitoring that is provided to assist it in making credit decisions about customers is likely to be obtaining information without the authority of the agency. You should bear in mind that information held by credit reference agencies is not compiled with employee monitoring in mind.
The code says you should not monitor workers through information you have as a result of a different relationship with them such as a customer, unless it is based on a condition of employment and the intrusion is justified by the risk faced. Monitoring to detect serious indebtedness by bank workers with a particular opportunity for fraud might be justified on the basis that preventative action can then be taken, for example. But this would not, however, justify examining the details of payments made by these workers unless criminal activity was suspected.
Scenario
You record your workers' phone calls for training purposes and are concerned about whether this is lawful.
Solution
Yes, it is lawful as long as you satisfy certain conditions.
Law
Recording worker telephone calls, along with intercepting other telecommunications such as e-mails, in the course of transmission, is subject to the Regulation of Investigatory Powers Act 2000 (RIPA) and the Lawful Business Practice Regulations (LBP regulations) as well as data protection legislation. Provided the call is being monitored for training purposes and workers have been notified in advance of the monitoring, recording the call will be allowed under RIPA and the LBP regulations.
For the purposes of data protection, the code recommends carrying out an impact assessment to determine whether the benefits justify the adverse impact. It may be possible to avoid monitoring call content, using itemised call records instead.
Scenario
You want to check workers' e-mails and voicemails while they are away.
Solution
If e-mails need to be checked for business purposes while workers are away, the Data Protection Code recommends informing workers that this may happen and that it may be unavoidable that some personal messages are heard.
Scenario
You want to make sure staff are complying with company policy and procedure.
Solution
Before putting in place employee monitoring, try changing methods of supervision and training and open up communication channels.
Scenario
Staff in your sales and customer advice departments process customer queries via e-mail and the telephone, but you believe some are blocking the lines, spending time looking at pornographic material on the internet and sending personal e-mails. You want to check what staff are doing.
Solution
You need to establish what your staff policy is on electronic communications. Does it establish boundaries on what the company considers acceptable behaviour in terms of internet usage and e-mail exchange?
Law
You must make sure you are not in breach of the RIPA and LBP regulations. Interceptions are not permitted without the consent of the sender and recipient unless authorised under these regulations, such as where it is for the purpose of running the business and all reasonable efforts have been made to inform internal users of the interception.
Once you have established the purpose of monitoring, examine any adverse impact and suitable alternatives.
Analyse e-mail traffic rather than content. If you monitor content, you could be risking breaching duty of trust and confidence.
It should be possible to detect personal communications from the heading or address. Content of personal e-mails should only be accessed where there is a pressing business need to do so.
Establish whether any methods of monitoring can be limited or automated: automated systems can provide protection from intrusion and malicious code and detect references to particular matters.
Consider installing technology to prevent rather than detect staff accessing unauthorised websites. You can also detect time spent accessing the internet rather than monitoring sites visited or content viewed, particularly if web access for personal reasons is not allowed.
You can also monitor on an aggregated basis by examining logs of which sites have been visited and by focusing on specific individuals who have been identified as problematic. Such a log is also likely to identify sites accessed automatically.
| Example | Category | Level of intrusiveness | Guidance comment |
|---|---|---|---|
| E-mail from company accountant to supplier querying why invoice has been submitted for goods not supplied | Pure business communications | Low | Disclosure of contents unlikely to cause damage or distress. Sufficient that workers aware in general terms that work may be checked |
| Work contact details submitted by health and safety officer to website so information about fire safety equipment can be returned | Pure business communications | Low | As above |
| E-mail from worker to line manager requesting leave of absence from work due to serious sickness in family | Business communications including personal information | Medium | Worker must not be misled into thinking communication is private if not. Whether or not monitoring is proportionate response depends on the case. Those monitoring should be trained and clear on procedure, should keep information obtained through monitoring secure, only use it for purpose for which it was obtained and delete it once purpose is complete |
| Worker visiting patient support group website for advice on non-work-related condition | Personal communications | High | Circumstances in which workers can reasonably expect communications to be private unless told clearly will be monitored. Even if told, monitoring will be intrusive and should be kept minimum. Ban on personal communications and existence of alternative facilities do not in themselves justify monitoring content although are relevant factors |
| E-mail between two workers complaining to each other about how treated by employer | Personal communications | High | As above |

Definition of categories:
Pure business communications: Communications dealing only with business matters, containing no information of particularly personal or intimate nature. Typically includes letters sent on the business's headed paper or electronic equivalents
Business communications including personal information: Communications taking place at work clearly for business reasons, but containing information of personal nature. Includes many personnel-type communications where often the worker would object to the information being widely available at work
Personal communications: Employers are not obliged under the Data Protection Act to provide communications equipment for personal use, but many choose to do so and need to manage any risks to the business arising from such usage. Thus even where personal use of communications systems is allowed, there may be exceptional circumstances in which monitoring is necessary.
Source: Data Protection Code of Practice, Monitoring at Work, supplementary guidance
Other common scenarios
Scenario
One of our customers for our products is seeking to impose the condition that we monitor our workers. Do we have to meet this demand?
Solution
Such a condition cannot override your obligation to comply with the Data Protection Act - monitoring of workers must be based on the outcome of your own assessment. The Data Protection Code's supplementary guidance section gives the example of a contractor working in a defence establishment being required to undertake periodic security checks on workers employed on a relevant contract, concluding that if this monitoring involves processing personal information about workers, it will not be justified simply because it is a condition of business. But although monitoring by the supplier or the contractor must be based on the outcome of their own assessment, this does not stop them being guided by any assessment the customer might have undertaken for itself, says the code.
Scenario
A larger than usual amount of stock is being ordered and you suspect some is being stolen.
Solution
First, consider whether your suspicions are reasonable - could there be another reason for this increase in demand for stock? If you genuinely believe your suspicions are valid, look at alternatives such as security checks on staff leaving the building before installing video monitors.
If you do want to install video monitoring, be clear what you hope to achieve - evidence that theft is taking place, to deter future thefts or to catch any perpetrators. You need to be prepared for any likely outcomes. If you do go ahead with CCTV, take steps to reduce any adverse impact on staff. Confine monitoring where possible to areas where staff do not have high expectations of privacy, for example, not the staff toilets.
You should make it clear to staff that monitoring is taking place, why and where. Consider putting up a sign, identifying the organisation responsible for monitoring, who is to be contacted and why it is being carried out. This is particularly important in public areas where people other than staff may be inadvertently caught on camera.
In limited circumstances, the Data Protection Act 1998 allows covert monitoring. It should be authorised by senior management who should satisfy themselves that there are grounds for suspecting criminal activity or similar malpractice. They should also be satisfied that notifying individuals would prejudice the prevention or detection of this malpractice. A reliable test is to ask yourself whether the activity is sufficiently serious to warrant police involvement. But if covert monitoring is to be carried out in a private area, suspicion of a serious crime and intention to involve the police is required.
You should only collect personal information for the purposes of monitoring, unless it is in the individual's interest to use it or if it reveals an activity no reasonable employer could be expected to ignore, such as serious harassment.