All posts

10 Legal Questions on Employee Monitoring in the United States

As the demand for employee monitoring tools has been growing steadily against the pandemic, it has spurred disputes about the legal and ethical sides of this practice. In this article, we will provide answers to the most popular questions and make practical suggestions on embracing workplace monitoring.

Is Employee Monitoring Legal in the US?

The short answer is yes. The basic legal background for employee monitoring is outlined in the Electronic Communications Privacy Act, which prohibits employers from intentionally intercepting or disclosing their workforce’ oral, wire, and electronic communications with two exceptions:

• An employer has a legitimate business reason for implementing workplace monitoring.
• An employee consents to be monitored.

Boost Productivity
of Your Employees!

Free Trial Live Demo

The Stored Communications Act complements the ECPA and prohibits access to the contents of electronic communications but only where an employee can have a reasonable expectation of privacy. Since company-issued devices are not intended for personal use, employers have every right to monitor information stored in their systems.

What Are Other Laws Protecting Employee Privacy Rights?

In addition to the above acts, the constitutions of California, Florida, Louisiana, South Carolina, and several other states expressly guarantee a right to privacy for all their citizens. There are also state statutes regulating various aspects of data protection and electronic monitoring.

The National Labor Relations Act prohibits the surveillance of employees who are engaged in protected union activities. The Fourth and Fourteenth amendments shield state and local government employees from workplace searches, but they don’t cover the private sector.

What Activities Can Be Monitored in the Workplace?

Basically, it is perfectly legal for an employer to monitor:

• Live telephone calls. In addition to having a legitimate business interest, the employer needs either to inform about monitoring or obtain consent from at least one party of real-time conversation. Private conversations must not be intercepted.
• Email, voice mail, and text messages. An employer needs to make it clear that employees must not have a reasonable expectation of privacy when using company-owned communications. Personal emails stored outside the employer’s system are prohibited to review.
• Internet usage. Establishing an acceptable Internet usage policy is not mandatory yet strongly recommended. The employer is not permitted to access personal and secure websites provided by a third party.
• Social media. The same recommendation is applicable. The employer must not review private social media pages or require personal login details from employees.
• Screenshots and keystrokes. If a reasonable expectation of privacy is eliminated, the employer is free to access and view this information.

Is It Legal to Monitor Personal Devices?

It depends. Obviously, personal information stored on a privately owned computer, laptop, tablet, or smartphone is protected by federal and state-level privacy laws. On the other hand, employers still have their legitimate business interests to monitor the equipment used for work. The best way to resolve this conflict is through establishing clear policies that provide for the employer’s right to monitor personal devices for work-related reasons.

If you choose to allow the use of personal devices for work, make sure to craft a Bring Your Own Device policy (BYOD) and link it with acceptable use and security policies. However, the adoption of such a policy doesn’t remove your responsibility to properly handle the personal data of the employees monitored.

Is It Required to Notify Employees of Monitoring?

Generally, employers are free to inform their staff of workplace monitoring at their own discretion unless they are running their businesses in Connecticut and Delaware. The two states require notifying workers of monitoring and specify that the notice must be given in a written or clearly visible electronic form. However, the Connecticut statute stipulates the possibility to do monitoring without informing employees provided there are reasonable grounds to suspect unlawful or hostile behavior.

Meanwhile, Colorado and Tennessee require adopting a written policy on email monitoring, thus implying that employees must be aware of such a policy, which is actually the same as giving notice. You should also keep in mind that the California Privacy Rights Act (CPRA), which will come into force on January 1, 2023, may equalize employees and consumers in rights and mandate giving notice of data collection.

Is It Required to Get Employees’ Consent to Monitoring?

In most states, employers are not obliged to obtain some kind of consent from their workforce when they want to implement employee monitoring. Yet, electronic communications, such as emails or other messages sent via the Internet, come under the provisions of local laws that require receiving consent from one or all parties of communication. Namely, the second rule applies in 11 states, including California, Florida, Pennsylvania, and Washington, while other states and the District of Columbia have adopted a “one-party” consent law.

So, you may or may not need consent depending on the jurisdiction and the data type you are going to record. If you are not sure which way to go, it’s better to opt for employees’ consent, especially when it comes to real-time monitoring governed by the ECPA.

Are There Any Industry-Specific Regulations to Follow?

Yes, the Health Insurance Portability and Accountability Act applies to healthcare providers and third-party companies that interact with the providers and have access to protected health information. So, if your company falls into any of these categories, following HIPAA requirements is a must. Moreover, PHI covers not only patient data but also any information about health status that can be linked to a specific person. Therefore, such pieces of information as healthcare payments recorded in your compensation management app or electronic prescriptions sent via corporate email require the same approach as medical records.

However, HIPAA in no way prohibits employee monitoring; it requires proper protection of PHI and bans its unlawful disclosure. This means that you need to carefully select areas for monitoring to avoid collecting PHI or establish strong security policies if this information is processed within your organization.

Do US-Based Businesses Need to Comply with GDPR?

Even if you don’t have branches located in European countries, but some of your remote workers are EU citizens, you must comply with the General Data Protection Regulation. Article 3 says that the regulations apply to data controllers and processors based outside the EU whenever they monitor user behaviors taking place within the Union. Small and medium-sized companies (having fewer than 250 employees) can be freed from some obligations but only if they process the data occasionally, which is not the case with employee monitoring.

Thus, to spread workplace surveillance on your European staff, you need to come up with a legitimate business interest, conduct a formal data protection impact assessment, and receive explicit informed consent from the workers. In their turn, the employees have the right to withdraw the consent, request access to their data, and ask for deleting this information.

How to Implement Totally Legal Employee Monitoring?

Here you might start wondering how to put it all together and find a perfect balance between your business needs and your employees’ privacy rights. Generally, you need to approach employee monitoring with ethical concerns in mind rather than with a focus on the legal side only. While the laws in your state may not require all the following actions, it would be safer for you (and fair for your staff) to provide:

• Employee monitoring policy. Make sure the policy clearly explains what activities will be monitored; what means will be used to this end; which activities are forbidden and which ones are accepted; what penalties will be imposed on violators; how the data received will be stored, and who will be entitled to access them.
• Notice of monitoring. Build an atmosphere of transparency and trust in the workplace by informing and reminding your staffers about surveillance instead of tracking them in stealth mode.
• Consent form. Ask your employees to give written consent to monitoring for them to fully understand their liability.
• Education. Train your workforce to responsibly use resources and devices provided for work and explain how cyber threats, inappropriate behavior, and sensitive data misuse can affect your business.
• Employee data protection. Ensure secure storage of data collected through monitoring and limit access to a few authorized users only. Also, review these data regularly to remove pieces of private information and avoid privacy intrusion.

Which Tool to Choose for Employee Monitoring?

While there is a whole bunch of diverse employee monitoring solutions, not all of them were designed to comply with legal requirements and workplace ethics. So, you shouldn’t focus just on feature-rich or affordable tools, the more so that you can have the best of two worlds. Take, for example, Controlio by Work Examiner — it is a web-based application that has adopted best practices to ensure legal and ethical employee monitoring. Let’s explore its features crafted specifically to address the above challenges.

Monitoring Notice

It all starts with configuring rules that will apply to certain monitoring profiles. When creating a Monitoring Profile, you can enable warnings notifying your employees about their computers being monitored. When a user launches the Windows OS, the message will pop up to guarantee fair play.

Employee’s Control over Monitoring

The next step you can take is to allow a user to turn monitoring on or off by clicking on the corresponding icon displayed right in the Windows taskbar.

This feature is especially useful for telecommuters and employees working on privately owned laptops since they are more likely to use their devices for non-work activities. As such, there are higher chances that an employee monitoring app will capture their confidential information, which you don’t really need and want to collect. However, it also makes sense to grant this privilege to your in-house workers under certain conditions. For example, if you allow the staff to use work computers for personal purposes during breaks, you can settle that they are permitted to turn monitoring off within these pauses.

Customized Monitoring Policies

As we have already mentioned, Controlio comes with flexible settings for you to decide who will be monitored and which data will be collected. For instance, if you are more concerned about performance than security, you may find it excessive to record keystrokes, emails, or screenshots (the more so that the app can incidentally capture sensitive information like passwords to private accounts). So, you are free to disable these features of Controlio for all users and departments or only for some of them.

As an alternative, use a sidebar available with almost any report where users are named to adjust the settings and depersonalize the data. In fact, the app gives you every chance to tailor employee monitoring according to local laws, your workplace policies, and other factors.

GDPR Compliance

If your company happens to have branches based in Europe, you must collect, process, and store the personal data of your overseas team members in compliance with the GDPR.

Some employers don’t want to tinker with observing all the requirements and choose to refrain from collecting data that can trigger legal disputes. Thus, if you create an account to monitor the European part of your team, you can avail of the GDPR compliance mode, which will disable recording keystrokes, emails, printouts, and some other data. Still, you will be able to receive reports on attendance, performance, app usage, and so on.

HIPAA Compliance

Those companies that work with health care providers have to meet the requirements established by HIPAA and ensure proper data collection, processing, and storage. These regulations cover third-party access to protected health information, which should be limited to “minimal necessity”. Since the on-premises version of Controlio runs on clients’ devices, no data collected, including PHI, is sent outside the companies. Thus, this app version is HIPAA compliant by default and doesn’t need to be somehow adjusted. As to the cloud-based solution, it can be configured to meet the requirements by excluding all users, computers, and apps involved in patient data processing from monitoring. You should also disable screen and keystroke recording to be on the safe side.

Controlled Access to Data Collected

Since we know that user data must be securely protected, we need to thoroughly manage access to the information stored. With that, your business structure may consist of multiple units and hundreds of people, which makes it overwhelming for one or two people to process all the data. To tackle this problem, Controlio offers two options. The first one is scheduling various types of reports to send them to a person in charge without permitting him or her to access the Controlio dashboard. For example, you can configure to deliver weekly/monthly performance reports to the heads of departments and send a daily summary on alerts or keystrokes to your security team. All that is easy to set up through Scheduled Reports.

But if you do want to let certain staffers into the dashboard and the information it contains, you can do it wisely. The app allows assigning roles to authorized users and creating security-wise policies for each role. For instance, you can invite your staffers to view their productivity records either to ensure transparency of employee monitoring or to comply with regulations. Yet, each of them will be able to see only their own reports, without the possibility to peep into other user profiles.

By default, full access is granted to an admin exclusively, with limited rights for the manager role. Not only can you edit the roles as you like but also check any authorized user accessing the system in the Audit Log. This is how you will prevent privilege misuse and ensure compliance with HIPAA, the GDPR, the CCPA, and other regulations.

Personal Data Removal

In addition to all the above settings designed to flexibly manage the information collected, Controlio provides simple data removal tools. Say, one of your Europe-based employees requires deleting his or her data, quoting such a right under the GDPR. To fulfill the request, you just need to go to the Users tab of System settings, tick the employee in a list of connected users, and select Delete Data in the Actions drop-down list. The same option is available for each device in the Computers tab.

Besides, if you need to delete individual pieces of data from your account, submit a corresponding request to Work Examiner’s support team, and they help you out.

Tough Data Protection

Controlio shields clients’ data stored on its servers from cyber-attacks and does not pass the data to third parties. Being an ultimately legitimate and trusted app, it does not clash with the most common antivirus software. It provides clients with the possibility to connect their accounts in Controlio to two-step authentication solutions like Google Authenticator or 2FA Authenticator. With one-time passwords generated for each access, your company’s data will get one more security layer for the toughest protection.

In Conclusion

Although employee monitoring is generally legal in the United States, federal, local, and foreign laws create plenty of little traps, which may result in huge problems. To avoid them, make sure to refrain from misusing employee monitoring tools and simply spying on your workforce. Instead, build a strong workplace culture and choose a smart tool perfectly suited for implementing your policies.

Article Photo © Ian Ransley | Flickr

Share a post