Tag: Employees

Monitoring of employees in the workplace: the not so private parts of a job in the EU private sector

Monitoring you? Us? (Copyright by MrChrome under the CC-BY-3.0)

In a case concerning employees’ rights to the privacy of their correspondence and communications, the European Court of Human Rights (hereafter ECtHR) has ruled that employers are entitled to monitor their employees’ private online communications conducted through a messaging account provided for professional purposes.

The details of the case are as follows: the employment contract of a Romanian engineer was terminated by his employer, back in 2007, after the company he worked for found out that he was using messaging services, such as Yahoo Messenger, for personal contacts, namely with his brother and fiancée. The account was created, at the employer’s request, strictly for professional purposes, and personal use was specifically forbidden by the company policy, of which the employee was made aware. The internal regulation established, inter alia, that “it is strictly forbidden to disturb order and discipline within the company’s premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.”

While the company considered that the employee had breached the company rules by using the service for personal purposes, and thus that the termination of the employment contract was justified, the employee argued that the termination decision was illegal because it was founded on a violation of his rights to respect for his private life and correspondence.

Among the pertinent legal instruments deemed applicable and referred to by the ECtHR are, obviously, the European Convention on Human Rights (hereafter ECHR), Directive 95/46/EC and the Art.29WP “Working document on the surveillance and the monitoring of electronic communications in the workplace”, which I have also addressed here, with regard to the monitoring of employees.

The core issue at stake was whether, considering the factual context described, the employee could have had a reasonable expectation of privacy when communicating from the Yahoo Messenger account that he had registered at his employer’s request and considering that the employer’s internal regulations, of which he was aware, strictly prohibited employees from using the company’s computers and resources for personal purposes.

Taking into consideration that the use of messaging was allowed solely for professional purposes, the Court deemed that it was not “unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours.” (par. 59)

In this regard, it considered that “the employer acted within its disciplinary powers since, as the domestic courts found, it had accessed the Yahoo Messenger account on the assumption that the information in question had been related to professional activities and that such access had therefore been legitimate. The court sees no reason to question these findings.” Particularly relevant to the formation of that assumption was the fact that the employee had initially claimed that he had used the messaging account to advise the company’s clients. (par. 57)

Therefore, despite concluding that an interference with the applicant’s right to respect for private life and correspondence within the meaning of Article 8 of the ECHR had indeed occurred, the ECtHR concluded that there had been no violation of such rights, because “the employer’s monitoring was limited in scope and proportionate”.

The claim that the employee’s right to privacy and the confidentiality of his correspondence had been violated was therefore dismissed.

This ruling is in line with the one in the Benediktsdóttir v. Iceland case, in which the ECtHR concluded that the right to privacy and to correspondence has to be balanced with other rights, namely those of the employer.

However, the dissenting opinion of Judge Pinto de Albuquerque deserves particular mention. Based in particular on the very personal and sensitive nature of the employee’s communications, the non-existence of an Internet surveillance policy duly implemented and enforced by the employer, and the general character of the prior notice given to employees regarding the monitoring of communications, it leads one to wonder whether the assessment of the necessity and proportionality principles could have been as straightforward as it first seemed, namely considering that the employer also accessed the employee’s own personal account.

That said, the specific details of the case should not be overlooked, and rushed or generalized conclusions should be avoided.

As pointed out by Pinto de Albuquerque, in the absence of a prior notice from the employer that communications are being monitored, the employee has a reasonable expectation of privacy. Moreover, the complete prohibition of the use of the Internet by employees for personal purposes is inadmissible. Furthermore, the practice of complete, automatic and continuous monitoring of Internet usage by employees is also forbidden.

The fact that the employee was adequately informed of the internal regulations imposing restrictions on the use of the messaging service for personal purposes and that the employer had accessed the communications in the belief that they were professional in nature are paramount elements in this context. In no way must this ruling be interpreted as a general right of employers to monitor or snoop on their employees’ private communications.

Indeed, as clearly put by the Art.29WP in the above-mentioned document, the simple fact that monitoring or surveillance conveniently serves an employer’s interest could not justify an intrusion into workers’ privacy.

In fact, as outlined by the judge Pinto de Albuquerque in his dissenting opinion: “if the employer’s internet monitoring breaches the internal data protection policy or the relevant law or collective agreement, it may entitle the employee to terminate his or her employment and claim constructive dismissal, in addition to pecuniary and non-pecuniary damages.”

Therefore, employers should take special care in providing appropriate information regarding the use that employees are allowed to make of the company’s communication means, namely for personal purposes. Moreover, employers intending to monitor their employees’ activities should implement a proper and clear monitoring policy, restricted to what is necessary and proportionate to their interests and goals. It is of paramount importance that employees are able to understand the nature, scope and effects of the monitoring, namely how their communications are controlled, what content is accessed, how it is analysed, and what information is recorded and kept and for what purposes. In this context, data protection rules fully apply, namely conferring on employees the rights to access all the information held about them and to obtain a copy of such records.

And to completely prevent unpleasant surprises, a word of advice to employees: do not rely on your employer’s good judgement. Avoid altogether using means provided to you for professional purposes to conduct private activities or communications.

The Sony data breach: when fiction meets reality?

You better believe SONY. You have been HACKED!

This is not the first time that Sony has suffered a massive cyber attack. Back in 2011, due to some vulnerabilities found in its data servers, a hacking of its PlayStation online network service enabled the theft of names, addresses and credit card data belonging to 77 million user accounts.

A few days ago, Sony Pictures computer systems were hacked again, allegedly by a group of hackers calling themselves Guardians of Peace. As a consequence, a humongous amount of data was leaked to the Internet, including confidential details, such as medical information, salaries, home addresses and social security numbers, regarding 47 thousand Sony employees and former employees, namely Hollywood stars, as well as contracts, budgets, layoff strategies, scripts for movies not yet in production, full-length unreleased movies and thousands of passwords.

The reason remains unclear. Despite the denial by a North Korean representative of any involvement of that country, it is being speculated that this attack is a retaliation from the North Korean government in response to an upcoming Sony comedy, ‘The Interview’, starring actors Seth Rogen and James Franco, which depicts an assassination attempt against North Korea’s leader Kim Jong-un. If Hollywood comedies are now deemed a sufficient reason to conduct cyber-attacks in real life, fiction and reality are meeting in a very wrong way.

Anyway, considering the volume and the sensitive nature of the information disclosed, this may actually be one of the largest corporate cyber attacks ever known.

It is a sharp reminder that hacking attacks can be directed at any company and can take all forms, equally damaging. This attack demonstrates once again that not only critical infrastructure is at risk. Sony Pictures Entertainment is one of the largest studios in Hollywood. It is really not the expected victim of a cyber-attack. However, it was an easy prey, as its business decisions regarding information security have been publicly stated on previous occasions. Despite their ludicrous nature, I guess someone took those comments seriously.

Considerations regarding the absurdity of having a file directory named ‘Passwords’ aside, this attack shows that data breaches are one of the major threats that companies face nowadays. Cyber attacks are conducted against companies of all sizes. Large companies do eventually recover from these breaches. Small businesses generally rarely pull through after suffering a cyber-attack. It is therefore essential that businesses implement a solid cyber-security programme, namely conducting regular self-hacking exercises to assess the vulnerabilities of their security systems in order to prevent a potential breach.

What about Sony? Well, the value of the damages regarding its employees is incalculable considering that their identities may be stolen, their bank accounts may be compromised and their houses may be robbed. Only time will tell if and how it will recover.

© 2017 The Public Privacy
