Can Your Organisation Monitor Employees’ Personal Communications?

One of the most contentious issues surrounding the rise in remote working is how organisations can monitor their employees.

Bosses have expressed fear that employees are taking a lax attitude to work, clocking in late, leaving early and disappearing from their desk during the day.

Despite plenty of evidence suggesting that they have nothing to worry about, such as a UK government report that found that remote employees worked five hours a week more on average than those who worked in the office, organisations retain the right to check in on their employees.

After all, it only takes a few bad apples to spoil the bunch. If a manager discovers that one of their team is taking liberties, it could erode trust throughout the team.

There are also information security concerns to consider. Without proper oversight, employees could be committing data breaches – whether intentionally or not – that can compromise sensitive data and risk damaging the organisation’s reputation.

For instance, an employee could be sending copies of sensitive information to personal accounts, connecting to an insecure Wi-Fi, or downloading malicious files or executables.

That’s one of the reasons that the GDPR (General Data Protection Regulation), often considered a bane to organisations, permits workplace monitoring. However, as you might expect, it sets clear guidelines on the extent to which monitoring is allowed and organisations’ requirements when doing so.

You must document your practices

Before any surveillance can take place, organisations must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use.

As private communication meets the definition of personal data (as described in Article 4 of the GDPR), organisations must prove that they have a lawful ground to collect and monitor this information.

Many people have mistakenly thought this means getting consent, but not only is consent hard to get and keep, the GDPR says an employee cannot give consent to an employer because of the inherent imbalance of power.

In other words, consent can’t be “freely given” if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear for their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.

Organisations should therefore seek one of five other lawful grounds for processing data. The most appropriate ground will probably be legitimate interests, although the rules for this are still murky.

One thing that the GDPR makes clear is that organisations should be as deliberate and as unobtrusive as possible in their monitoring.

Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications on the off-chance that they’ll find evidence of misuse.

Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.

The bottom line is that, should employees overstep their right to a social life at work, organisations shouldn’t have to dig too deep to find evidence of that.

General Data Protection Regulation – A compliance guide contains a comprehensive overview of the steps you must take to ensure ongoing compliance.

It also includes tips to make sure you understand how the GDPR differs from previous data protection regimes and when processing activities are within scope.

Finally, you’ll receive tips to ensure that you achieve GDPR compliance as efficiently as possible.

Keeping it legal

Organisations’ monitoring policies should form part of their ISMS (information security management system), the best practice for which is described in ISO 27001.

That documentation should cover why monitoring is needed – such as to prevent theft or improper use of data. It should also differentiate between the use of personal and work communications.

Organisations will probably have more leeway in monitoring work correspondence, but they also have an obligation to make sure employees aren’t using personal accounts excessively or with disregard to security policies (by downloading suspicious attachments, for instance).

Similarly, organisations have an obligation to make sure employees aren’t emailing confidential work documents via personal email accounts.

Work-sanctioned instant messaging proves a tricky middle ground between work and personal communications.

Even if employees primarily use the app for work, communication will almost certainly spill over into personal conversation at times – just as inevitably happens in face-to-face communications.

Organisations are entitled to conduct some level of monitoring, but the nature of the tech creates a dangerous temptation to store excessive and unnecessary personal information.

Control the risk

The rise of remote working crept up on us. For many organisations, it was initially a temporary measure to navigate the pandemic, but as its long-term benefits became clear, it was evident that home or hybrid working was here to stay.

Because this change occurred gradually and without a specific plan in place, many organisations never rolled out designated policies to manage the risks of remote working.

If you don’t already have appropriate documentation in place, IT Governance’s Remote Working Policy Template provides everything you need to know.

It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.

Organisations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.

Although it shouldn’t be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.

For example, when business goes back to normal, staff may well use company devices in places such as trains and cafés, where opportunistic cyber criminals can lurk without drawing attention to themselves.

Security incidents are just as likely to occur even if there isn’t a malicious actor. Consider how often you hear about employees losing a laptop, USB stick or paperwork.

A version of this blog was originally published on 27 September 2017.
