Employee monitoring software serves one primary purpose: to make sure employees are doing what they are supposed to. It can be installed on computers and other devices and can track an incredible amount of information.
For example, while some software simply tracks when employees log on / off their devices or what websites they visit, other software can go much farther. For example, some can track every keystroke made by an employee. That can include keystrokes in personal, web-based emails that employees thought would remain private. Other software includes the ability to replay each word typed and every move of a cursor.
However, just because the software makes these things possible, does not mean that employers should be using them. In many cases, they should not. For example, its use may breach an employee’s reasonable expectation of privacy. This will depend on whether the company specifically prohibits the use of company devices for personal matters, how invasive the software, whether the software is used secretly or with the employee’s knowledge and consent, and many other factors.
Even if it doesn’t breach an employee’s expectations, using monitoring software may breach privacy legislation. PIPEDA – the Personal Information Protection and Electronic Documents Act – and various provincial acts limit how many private organizations in Canada may collect, use and disclose personal information. In most cases, organizations would need an individual’s consent before even collecting that information, much less using it. As a result, keystroke monitoring that happens to catch an employee typing an email about a personal matter – such as a personal medical issue or their financial circumstances – may result in an inadvertent breach of the legislation.
In other words, employers should think carefully about whether they need to use monitoring software and, if so, how to ensure that they only use it with the proper controls, policies and consents in place.
For their part, however, employees also need to beware – many people work in environments where there is no reasonable expectation of privacy or where the information being collected is not ‘personal’ and could, if discovered, put their job at risk.
Author: Stephen Wolpert, Whitten & Lublin