Remote working is here to stay and may very well become the new standard for employees' work. But this leaves IT professionals in a bit of a quandary: how can they monitor the activities of their remote employees without breaching privacy protection laws? Let's take a look at how to best go about it.
With in-office work, monitoring employees’ work computers to ensure they were doing company-related work on time was completely legal. Everything from browsing Facebook to spending too much time on YouTube was flagged, and some employers even went as far as creating their own music streaming network so employees wouldn't spend valuable time fiddling with Spotify.
In any case, this level of monitoring has been the norm, especially since the IT equipment used in the office is company property. It even extends to employees working outside the office but still using company-owned equipment, including cars, laptops, mobile phones, etc.
However, what if the employee works remotely but uses their personal computers or smartphones to do the work? How do you monitor that? More importantly, is it even legal?
The Short Answer…
Yes, it is indeed possible for IT professionals to monitor their remote employees’ personal computers, provided the employee is using them for company work. This means the employees are connected to the work network during that period.
The company’s network firewalls can pick up unauthorized activities, such as browsing social media or playing online games, during work hours. With remote work, the network is where the bulk of the work gets done anyway: everything from emails and cloud storage to file sharing and other digital assets is hosted on the company’s network.
However, firewalls generally offer entry-level monitoring. This has resulted in the rise of add-ons and alternative programs designed to monitor employee activity more closely.
What Does The Law Say About Monitoring Personal Computers?
More importantly, how much disclosure should employees receive about such monitoring? There’s no straight answer, as a uniform law has yet to govern this type of scenario. However, if a country has specific provisions for personal computer monitoring, then such laws are subject to interpretation by the legal system of that region.
In the United States, the Electronic Communications Privacy Act of 1986 allows companies to monitor the activities of their employees using their systems. This means network administrators can track other non-work activities as long as the employee is still logged in to the company’s network and it involves a legitimate business need.
As you can see, this can conflict with other laws with specific provisions covering digital privacy. For instance, across Europe and some regions in the U.S., the General Data Protection Regulation (GDPR) laws give individuals control over which third parties access their personal data and how much information they can access. This means there must be consent on both ends — the party doing the monitoring and the party being monitored.
As the employer or IT leader, this grey area may require further interpretation. For example, the employee might log in to their personal Facebook account while on the company network for a quick chat with a friend. You may be allowed to track this activity, but you may breach the GDPR law since monitoring the activity can give you access to the employee’s friend’s information.
What Can You Do About It?
As the idea of remote working becoming a new norm gets further cemented, it’s only a matter of time before we start seeing new legislation that provides clear guidelines for tracking the activities of remote employees who use their own PCs for work.
In the meantime, you can tackle such matters by setting up a comprehensive company policy to govern remote working. If necessary, get a lawyer to provide professional guidance so there are no grey areas, and everyone knows what is expected of them.
For instance, the policy can state that employees may not launch any non-work-related email or chat apps while logged into the company network.
As long as the employee consented to this rule, the network admin can monitor work activity and simply delete any data pertaining to third-party communications outside of work. The company’s HR department can also take disciplinary action against employees for doing non-work-related activities during company hours.
Since employees are more productive when not spending time on outside distractions, it can be safe to assume that companies can reasonably ban the use of all non-work programs while logged in to the company network.
What Do Employees Need To Know?
Generally, employees must be informed if the employer is tracking their work-related activities on their personal computers or mobile devices. However, the employer is not necessarily required to obtain their consent.
Still, providing disclosure and obtaining consent can go a long way in preventing potential issues, especially as remote working takes more center stage.
What If The Employee Is Still Logged Into The Company Network Outside Of Work Hours?
Perhaps it’s the end of the workday, but the employee stays logged in and is now browsing their favorite online store or scrolling down their Twitter feed — it is their PC, after all. In this instance, there’s no need to actively monitor the employee’s online activity since it does not pertain to the legitimate business needs of the company.
However, this doesn't mean that the network’s firewall or tracking program will not track the activity. The data may be helpful in some cases, such as if a security issue occurred during that period, but otherwise, the administrator should simply delete it.
The Bottom Line
Even as governments worldwide lifted their imposed lockdowns and declared it relatively safe to return to the office, many employees remain reluctant to resume the daily grind and prefer to continue working from home.
This represents a new workplace dynamic that companies need to include in their policies to avoid violating privacy laws.
Note: This was initially published in September 2020, but has been updated for freshness and accuracy.
About the Author:
Fiorella Salazar is a cybersecurity expert, digital privacy advocate, and VPN evangelist based in Canada. She holds an M.Sc. in Cybersecurity from a Canadian university. She is an avid researcher and frequent contributor to several cybersecurity journals and magazines. Her mission is to raise awareness about the importance of digital privacy and the benefits of using a VPN. She is the go-to source for reliable, up-to-date information on VPNs and digital privacy.
Christian Schmitz is a professional journalist and editor at SecureBlitz.com. He has a keen eye for the ever-changing cybersecurity industry and is passionate about spreading awareness of the industry's latest trends. Before joining SecureBlitz, Christian worked as a journalist for a local community newspaper in Nuremberg. Through his years of experience, Christian has developed a sharp eye for detail, an acute understanding of the cybersecurity industry, and an unwavering commitment to delivering accurate and up-to-date information.