Employer Use of Remote Monitoring Software on Teleworkers: Management Rights v. Privacy Rights
21-May-20
by McLennan Ross Labour & Employment Team
As employees continue to work from home during the COVID-19 pandemic, employers may ask whether to use remote monitoring software to surveil employee performance, such as recording keystrokes, logging the websites visited by employees, taking screenshots of employees at random intervals, and tracking employee screen time and mouse use.
Alberta’s Personal Information Protection Act (PIPA) governs the privacy rights of employees in the private sector while the Freedom of Information and Protection of Privacy Act (FOIP) applies to public bodies such as government ministries, municipalities, school boards, and universities. These statutes guide employers in their assessment of acceptable remote collection of employee information:
a) Under PIPA, employers are allowed to collect, use, and disclose personal information about employees without consent if that information is reasonably required for the purposes of establishing, managing, or terminating the employment relationship. However, when collecting personal information for this purpose, the employer must also provide prior notification to its employees about the information it is collecting and using, and the purpose for the collection and use. Personal information of employees which can be collected without consent is referred to as “personal employee information.”
b) Under FOIP, public body employers are entitled to collect personal information about their employees if the information relates directly to and is necessary for an operating program or activity of the public body. It is generally accepted that collecting and using certain personal information about employees is needed in order to manage the employees of the public body and operate the programs of that public body.
Under both statutes, employers must remember that information collected and used about employees must either be “reasonably required” or “relate directly to” and be “necessary” for employee management purposes. These tests are objective; often the Privacy Commissioner will not agree with what an employer decides is “reasonably required” or “necessary” for work.
Reasonable/Necessary Collection and Use of Personal Information about Employees
Employers are entitled to collect and use information that is produced by employees in their work; this is viewed as “work product”. However, information about the way an employee performs his or her job (e.g., work speed, when work is performed, the number of keystrokes, etc.) constitutes personal employee information, and the collection and use of that type of information is subject to the requirements of reasonableness (PIPA) or necessity (FOIP).
The methods used by employers, the information they collect, and their level of intrusion into employees’ private lives inform the assessment of reasonableness and necessity. Remote monitoring methods of teleworkers must be reasonable and connected to the purpose for which information is collected and used, as highlighted by the following three decisions of Alberta’s Privacy Commissioner:
Case #1 (2005)
- The employer surreptitiously installed keystroke logging software on an employee’s work computer to monitor productivity. The Privacy Commissioner found this monitoring approach to be too intrusive, noting that:
a) information allowing an employer to know how employees use their work time may be necessary for employee management. However, the keystroke software overreached and collected unnecessary information for employee management purposes (for example, collecting personal banking information).
In this case, there had been no real concerns about employee productivity prior to the policy implementation; even if there had been concerns, the employer did not need all of the information collected through the software;
b) monitoring methods should collect information related to the type of productivity expected of an employee’s type of work, and not more; an intrusive method such as keystroke software may be acceptable if there are no other, less intrusive alternatives, or if the employer had to investigate possible fraud and prior notification might compromise the investigation. The analysis is fact driven and assessed case by case.
Case #2 (2013)
- The employer traced the telephone calls made by employees on the employer-provided Blackberry and identified non-work-related phone numbers, calling them to identify the nature of the employee calls. While the Privacy Commissioner found this approach could be relied upon for investigating employee conduct, in this case, the employer had not implemented a policy that employees could only use the company phone for work-related purposes. In the absence of such a policy, there was no breach, and the employer had also failed to provide the required notice to employees about when personal information might be collected and used.
Case #3 (2019)
- The employer installed a GPS tracking device on employee vehicles which had the default setting “on” and which could be turned off when the employee was no longer working. The reason for the device installation was to promote safe driving and to quickly locate and respond to safety issues.
- The employer had implemented adequate privacy policies, had appointed a privacy officer, and had properly notified the employees of the device, its function, purpose, and the data that was being collected.
- The Privacy Commissioner found the employer’s purpose - to comply with regulatory occupational health and safety obligations - was reasonable. Additionally, while the employer’s collection of personal information unrelated to work was unnecessary for managing the employment relationship, it was characterized as incidental and reasonable for this method (based on the facts of that case).
These cases inform employers that employee productivity and efficiency do not trump employee privacy if the employer’s remote monitoring policy does not have a legitimate purpose that is clearly linked to the type of information collected. Remote monitoring methods must include safeguards and limitations on the employee personal information being collected.
Tips and Takeaways
Prior to investing in a remote monitoring system to track employee productivity, employers should consider the following risk management strategies:
- Ensure appropriate and reasonable privacy policies are in place that will withstand scrutiny by the Privacy Commission and the courts. To this end, employers must ensure their remote monitoring methods include safeguards and limitations on obtained personal information:
a) remote employee performance monitoring must be reasonable and legitimate: employers should carefully select the productivity measurements they wish to monitor and ensure they adequately correspond to the type of work of the monitored employees. Consider less intrusive methods, if they exist;
b) the selected monitoring method must only collect information that is needed to meet the purpose behind it. If the method over-collects information, consider whether it can be changed to only collect what is necessary or reasonable;
- If a method is selected, ensure employees are notified about the remote monitoring and informed about what information is being collected, how it will be used, and the purpose for the collection and use;
- Ensure the information being collected is secure.