This article was written by John Swinson, Kai Nash and Linus Schibler.
Flexible working arrangements are on the uptick. This was already the case pre-COVID-19. Different terms have been used to describe this shift from a traditional office environment. You may have heard it referred to as remote or distributed working. Creative labels have also been given to flexible workers, such as “digital nomads” and “location-independent professionals”.
With their employees out of sight, some businesses have installed, or are considering installing, software on employees’ computers and other devices to monitor productivity. It is important that any organisation considering implementation of productivity monitoring software understands the associated privacy risks and carefully evaluates the different features of the specific software under consideration. (Monitoring technology is not limited to the workplace. Many universities are considering use of such software to ensure students are adhering to exam regulations while taking examinations at home, and this too has raised controversy.)
There may be privacy risks where personal information is being collected by the software and used by an organisation. The information captured by productivity monitoring software will be personal information if it is attributable to the computer user. However, if information is anonymised and aggregated (for example, amongst teams within the workplace) then it will not be considered personal information.
Understand the software
Organisations planning on implementing productivity monitoring software must understand what the specific piece of software does, and what types of employee information will be collected. Such software should only ever be procured from a reputable software vendor. Market and technical due diligence is important.
There are various forms of productivity monitoring software that provide different features. Common features include the ability to monitor:
- time spent in an application;
- typing speed;
- volume of data entered;
- number of computer applications open at once;
- time spent online and offline;
- websites visited; and
- content of emails sent and received.
If this information is gathered at an individual level, organisations can monitor whether an employee is overloaded and allocate work more efficiently. Some software can also provide personalised feedback to employees, allowing them to see when they are at their most productive during the day, enabling them to arrange meetings and plan their working day to optimise that productivity.
Aggregated data can be powerful for business management decision making. For example, it could enable an organisation to recommend sign-on times to ensure business systems (such as VPNs) are not overloaded in peak traffic periods. Meeting monitoring could also be used to compare time scheduled against actual time used, to reduce unnecessary meeting times.
Determine the purpose of the monitoring
Productivity monitoring should only be implemented for a legitimate purpose. A legitimate purpose for the monitoring may be to improve workload sharing amongst employees and teams, to improve meeting efficiency or to allow management to see which applications are underutilised (for cost saving purposes). Monitoring should be conducted in a way that fulfils the business purpose and that purpose only.
Notify those being monitored
Before starting any new monitoring method, employees, contractors and others who may be monitored on their devices should be notified that monitoring is occurring and why it is occurring. Consider whether notification can be built into the employee onboarding process. For existing employees who are working remotely, it may be appropriate to notify them via email.
If the purpose for the monitoring changes, the employees must be notified of the new purpose.
Surveillance legislation differs from State to State. The requirements in some jurisdictions are stricter than in others. Depending on where your employees are located, you may need to give employees at least two weeks’ notice before commencing surveillance. Some forms of surveillance, such as computer surveillance, must comply with a policy developed by the employer for that purpose which is published and made available to employees. The notice and policy requirements should be assessed on a case-by-case basis.
Collection of sensitive information requires express consent. Consider the type of information the productivity software is tracking and whether there is a risk of sensitive personal information being collected. Does the software capture keystrokes which can be seen on an individual basis? Does the software take screenshots of an employee’s screen with the possibility of sensitive personal information being captured?
Put appropriate controls in place
Ensure that there are appropriate business processes and rules in place surrounding the collection and use of information. For example, consider whether employees have the option to turn the monitoring software on and off at times when they are conducting a sensitive or personal activity on the device. On the business side, rules should be created in relation to access to information and information storage.
Do not retain information for longer than necessary
Consider how long the information can be retained for a legitimate business purpose. Does the software provider have capabilities to erase the information? Do they already have deletion rules in place?
Security and hosting of data
Some monitoring technology is an on-premise software solution, and others are a cloud solution. In either case, you must understand where information will be stored, the security measures that the third party has in place and whether the third party agrees to comply with Australian privacy laws (or equivalent). Your organisation may be liable if there is a security incident or data breach involving your employees’ information, so it is important that you take reasonable steps to mitigate any risk.
Before rolling out productivity monitoring software, consider the following.
- Is the software provider reputable and the software safe to use?
- Are you collecting ‘personal information’ about an identifiable individual?
- Is there a risk of accidentally capturing sensitive information (e.g. through screen captures)?
- Have you engaged with your employees to explain the purpose of the software, and how their information will be collected and used?
- Do your processes and policies deal with:
  - Which personnel will have access to the information.
  - What (if any) access employees will have to information that is captured about them.
  - Where the information is stored and how long it is retained.
  - Whether the information is anonymised or aggregated.
  - Whether employees can turn the monitoring on and off.
- Are your information technology security processes, procedures, training and infrastructure up to date?
 Personal information can be any information about a person or a person who is reasonably identifiable. The scope of the type of information is very wide and can include information about a person’s private life or working habits.
 For example, both the Workplace Privacy Act 2011 (ACT) and the Workplace Surveillance Act 2005 (NSW) require employers to give at least 14 days’ notice on certain surveillance activities. There are also obligations on employers to develop policies on workplace surveillance. The notice and policy requirements are quite specific. You will need to consider these additional requirements if your employees are located in New South Wales or the Australian Capital Territory.