Back in 2015, our company, GetApp, ran a survey to get business owner opinions about monitoring employee conversations on internal communication tools. The results came back with a “less is more” attitude: 43% of respondents said they do not monitor employee conversations on internal chat tools, believing it to be an invasion of privacy.
As data privacy concerns continue to make headlines and GDPR continues full speed ahead, we wanted to see if employers had the same cautious approach to monitoring employee conversations in 2019 as they did four years ago.
We recently ran an expanded version of the same survey, asking 173 respondents in management positions or above how they felt about monitoring employee conversations. To our surprise, respondents were far less likely to consider monitoring employee conversations as invasive: Compared with 43% in 2015, only 10% of respondents believed it to be an invasion of privacy in 2019.
The results: then and now
By all accounts, businesses are keeping a close eye on employee conversations as a way to protect their company and ensure productivity.
Summary of key findings from our 2019 survey
- 47% of respondents monitor employee conversations on a daily or weekly basis
- 38% of respondents believe that monitoring employee conversations is necessary to protect their company
- Nearly 30% of respondents say they monitor employees to ensure productivity
Of the 173 respondents surveyed, 72% have access to employee conversations taking place on internal communication tools. This is a jump from 2015, when only 56% of respondents had access to online employee conversations.
- Technological advancements: Technologies for employee monitoring have improved over the past four years, making it less invasive and more cost effective for companies to deploy monitoring tools or adopt tools with built-in monitoring features.
- Shifting work culture: Trends toward remote working and the gig economy make it more difficult to physically monitor employee activity.
- Regulation and data privacy: Revamped regulations such as GDPR make companies more cautious about employees sharing sensitive customer data.
Our survey results support these last points. Nearly 30% of respondents said they monitor employees to ensure productivity, while 25% say they want to ensure that their employees are adhering to internal communication policies.
Monitoring in popular chat tools
According to our research, the three most popular chat apps being used by small business are Google Hangouts, Skype or Skype for Business, and Slack.
- Google Hangouts stores chat history in Gmail. Administrators can set rules so that users cannot change this setting, but the storage settings can be turned off by administrators so that chat history is not archived in Gmail.
- Skype and Skype for Business (formerly Lync) has monitoring features, mostly used for monitoring quality of experience and call detail recording. Skype for Business has more robust monitoring features, which include access to past conversations.
- Slack allows varying degrees of access based on pricing plans. Administrators on the free and standard plan require a legal process and employee consent to export personal conversations, while Plus plan admins have access to a self-service tool which allows export of all data (including private direct messages between employees).
Where there are gaps in access, third-party tools can use a combination of screen monitoring and key logging to monitor not just employee conversations but any employee activity on their workstation.
The key to monitoring is to find the right balance. To do that, you need to know the laws.
Navigating employee monitoring laws
It’s hard to definitively say how much is “too much” when it comes to monitoring employee communication.
Consider the landmark case of Bărbulescu v. Romania to get an idea of just how complex the subject of employee workplace monitoring can get.
Former employee Bărbulescu was terminated after his company (Romania) found him engaging in online personal communication during work hours. This was strictly prohibited, and the company made explicit that his communication would be monitored to thwart this type of behavior.
Bărbulescu appealed his termination, denying having had private conversations at work. The appeal was unsuccessful, as the company was able to prove that he was having these conversations with transcripts of chats that were collected while monitoring him.
These transcripts led Bărbulescu to once again challenge his dismissal, this time for a violation of Article 8 of the European Convention on Human Rights, which encompasses the right to respect for private and family life, including through correspondence.
In 2016, the court sided with the company, saying that it was not a violation of Article 8, predominantly because the possibility of monitoring had been disclosed to Bărbulescu upon employment.
In 2017, however, the case was overturned and came out in favor of Bărbulescu, stating that Article 8 had in fact been breached. Although the monitoring had been disclosed, the scope of monitoring and the degree of intrusion were not justifiable by legitimate means.
If even the courts have trouble defining what an acceptable level of monitoring is, how do small businesses navigate the nuanced world of employee monitoring? Very carefully.
No clear-cut rules
In heavily regulated industries such as finance, anything communicated within and between companies can (and in some cases should) be monitored. For everyone else, the waters get a bit murky.
Privacy laws protect employees to a certain extent, but business is one area where privacy rules and regulations aren’t always applicable.
Some of the most common reasons for monitoring employees can include:
- Protecting proprietary company information.
- Checking for violations of company policy in regards to personal use of company hardware.
- Investigating complaints or claims of harassment or misconduct.
- Investigating potential criminal activity by employees.
- Accessing necessary business information that only certain employees have.
Europe and Canada have notably more stringent regulations when it comes to privacy and data protection, while the U.S. takes a more lax attitude. Certain states and provinces can have their own privacy rules as well.
Here’s a summary of some of the regulations around data privacy in the U.S., Canada, and the U.K. and how they might be applied to monitoring employees in the workplace.
Privacy laws by country
|Country/region||Regulation||Coverage||Application in the workplace|
|U.S.||Electronic Communications Privacy Act (ECPA)||Governs the monitoring of electronic communications||Companies require a “legitimate business purpose” for monitoring employees|
|The United States Constitution||The Fourth Amendment covers unreasonable search and seizure||Complaints can be lodged against employers based on an employee’s “reasonable expectation of privacy”|
|Canada||The Privacy Act||Applies to employee information in federal governmental institutions||Government employees have a right to access personal information held by the government and request corrections|
|Personal Information Protection and Electronics Document Act (PIPEDA)||The federal privacy law for a private-sector organization’s handling of personal information over commercial activity||Can only be applied to federally regulated organizations like banks and telecommunications|
|U.K. and Europe||The Data Protection Act||Controls how personal information is being used by organizations, businesses and the government||Companies can monitor employees as it relates to the business, but must disclose this monitoring save for extenuating circumstances|
|General Data Protection Regulation (GDPR)||Governs the way personal data is collected, stored, and shared online by companies||Companies must apply the same rights to employee personal data as that of customer data, including disclosing how it’s being processed|
|European Convention on Human Rights (ECHR)||Article 8 covers the right to private and family life, home, and correspondence||Can be applied to personal communication in the workplace (as seen in the case of Bărbulescu v Romania)|
The general sentiment is that companies with a legitimate business purpose can monitor employees. In Canada and the U.K., full disclosure is necessary unless in extenuating circumstances, but it’s not a requirement in the U.S., except in certain states.
Things can get dicey when issues arise, especially if personal communication is involved. Following some best practices will put your organization in a good position to be able to protect itself while respecting the privacy of your employees.
Best practices for monitoring employee communication
Company culture has a lot to do with whether your employees perceive monitoring as invasive. Being transparent from the beginning will ensure that employees don’t feel as if they are “being watched.”
Things to keep in mind when monitoring employee communication:
- Set usage rules: If you don’t want employees to use company-owned devices for personal use, tell them. Outline what is and is not acceptable use so that there are no gray areas (or the gray areas are smaller).
- Make monitoring explicit: Tell your employees from the outset that you’re going to be monitoring conversations. Write it in their employment contract so there’s no dispute about disclosure if issues arise.
- Block specific sites: If you’re worried about employees wasting too much time on social networks or other sites, block these sites completely to avoid spending time looking to see if employees are using them.
- Adopt a “less is more” attitude: Unless you notice productivity issues, suspect abuse of company-owned machines, or are investigating specific issues, err on monitoring less rather than more. It’s no longer 2015, but having a more cautious approach to employee monitoring will help you avoid potential privacy infringement.
This article originally appeared on the GetApp website. It is reprinted here with permission.