This is a paper I wrote for my Ethics in a Digital World course. Please enjoy and definitely leave a comment on your thoughts, I'd love to hear them!
With technology security becoming a large issue in the work place, there is an increase in monitoring employees. Many workers feel that their creativity or free-time is squelched by “big brother”. While this may be the case, it’s also important to make sure that the company is secure and that they are paying employees to work, not surf the net. A balance needs to be in place with several checks along the way.
In this paper, I will discuss those affected by and some concerns for monitoring, cover background information on different ways employees are being monitored and some reasons employers give for monitoring. I’ll explain some of the problems associated with monitoring in the work place, finally covering some ways employers find a balance with some examples and my experiences creating a new Acceptable Use Policy including my final thoughts.
Who and what can be affected by monitoring in the work place
Depending on the company, who and what they deal with on a daily basis, you can have several different stakeholders. The basic and most obvious are the employees of the company as well as the management and stockholders. There could also be business partners that work along with the company, the purchasers of products and so forth. In the education system, there are not only teachers and administration, but support staff (custodians, bus drivers, etc) as well as students and their parents (customers). You could include other organizations such as education agency personnel and teachers from community colleges. All of these people must be considered. For the sake of time, I will cover the most common groups of stakeholders: employees and their employers.
With the rapid growth of technology and the Internet, employees are asked to work faster and use more of their free time for work. They take home laptops and cell phones to work on projects. Many years ago, workers in factories were monitored by their output and what the manager saw while monitoring the plant. With the explosion of technology, the workers are now monitored by computers, video cameras and output sensors. How has this affected their productivity?
In 2002, a survey of 1,000 American workers revealed that 64% used company Internet access for personal use during working hours. (Mujtaba) Some employees, while concerned with their privacy don’t realize the issues with using their employer’s network. Many employees see others surfing during work hours, playing games or using corporate email for personal uses and believe that it’s alright to do the same.
Many times, It’s not explained to workers in terms they could understand, why they should be monitored, what is being monitors and who is looking. Personnel can feel that there are no clear guidelines to what their behavior could do to the network or what would happen to them if caught doing something wrong. Often companies do not have a written policy for specific equipment or let staff know that they are being monitored. The Federal law regarding phone monitoring “regulates phone calls with persons outside the state, does allow unannounced monitoring for business-related calls” (Privacy rights clearinghouse) as seen in the Electronic Communications Privacy Act (ECPA). Some states have other laws on monitoring.
Employees feel that too much security can hinder their job performance. Too many passwords to remember and slower response time as they have to enter them in different places. Web filters can inhibit research, and depending on the protocols for a company, it could take several hours to days to open up a website that the employee needs to have access too.
Companies have several reasons for employee monitoring, like legal liability and compliancy. Fees and fines from harassment or breaking federal laws have caused companies to lose money or go bankrupt. There are also security concerns, theft of data or equipment, which can become expensive. They find that with many workers using equipment for personal use there is a need to monitor productivity. Managers can also use the information to assist them with performance reviews.
Damage to companies could be very extensive. Without protective firewalls, antivirus, and Internet blocking software, employees could get a virus on a company device. Fear that workers could accidentally or purposely release important data is a huge threat to companies. With the use of video cameras, theft can be prevented and items quickly recovered.
Corporations estimate that there could be more than one billion dollars wasted yearly because of staff using work time for non-job related activities. (Mujtaba) By keeping track of employees’ personal phone calls, Internet surfing and emails, they can hold the workers accountable for lost productivity. In 2007 American Management Association and the ePolicy Institute conducted a survey on monitoring and surveillance (AMA). 66% of the companies surveyed monitor the internet connections with 65% using a web filter. 43% of the companies monitored email, either with technology tools (45%) or with manual review (40%). With telephone and voicemail, 43% surveyed recorded time spent and numbers called, while 25% recorded phone conversations and voicemail messages. Video surveillance was at 48% which companies stated was to lessen theft and sabotage. While another 7% used video to track employee performance. For companies that used Global Satellite Positioning (GPS), 8% used it in company vehicles, 3% cell phones and 1% employee smartcards.
Employers feel the need to protect their assets. From output of a product to protection from liabilities, corporations need to make sure that they are balancing the need to protect the company with the needs of the employees.
Today’s monitoring capabilities and risks
Nearly anything electronic can be monitored. It’s best to assume that if an object is owned by a company, they will find ways to monitor it. Phone calls, email, voice mail, computers, and mobile devices all could be analyzed.
With software, voicemail can be turned into MP3 files, emailed and stored for later use. This can be used as evidence in internal company cases, as well as legal requirements for harassment or theft of data. Users often don’t get a notification when they make a phone call. Although personal phone calls should not be monitored by an employer (See the Electronics Communications Privacy Act, 18 USC 2510, et. seq.) they could be recorded accidentally.
Cell phones can also be monitored. Without a subpoena, companies can see who was called as well as, the date, time, length, and location of the call. They could also have all voice mail and text messages forwarded to a company email address.
Email can be dangerous for businesses, used to spread viruses, distribute confidential company data, illegal material, and personal messages. Filters and scanners must be purchased to protect the business from malicious messages. Businesses must also consider the cost of storage on the email servers and backup equipment needed for the emails and their attachments.
In some states, there is an open records request available for all state government entities, including universities and public schools. These open records include emails and other electronic records. Anyone can make a request, with news agencies doing so most frequently. For this purpose and the need to keep information for legal reasons, many companies store backups of all emails sent in and out of the business for many years.
Computer and Internet
There are many reasons to examine what is added to and removed from computer storage and the Internet. Companies want to avoid illegal downloads of software, music, and movies, which could cost them thousands of dollars in fines. Having users store personal files, pictures, videos, and music increases costs for storage.
Internet browsing and social media can harm or embarrass the company. Managers fear secrets being leaked through social media or Trojan horses installed on workstations through malicious websites. Many policies have been put in place to limit workers on what can be said. Employers hire third-parties to monitor social media and the employees’ activities. In 2010, Teneros began a program calls “Social Sentry” that tracks employee movement on social media. Employers would use the program to ”make sure that employees don't leak sensitive information on social networks or engage in any behavior that could damage a company's reputation”. (Privacy rights clearinghouse)
Video and audio Monitoring
The largest reasons for video surveillance are to deter theft, preserve security and to monitor employee activities. While video monitoring has grown in the work place, some courts have upheld employee privacy when it “has been physically invasive” (Privacy rights clearinghouse), in bathrooms for example. Cameras that record audio can be subject to laws involving audio, wiretapping, and eavesdropping. There are currently twelve states that require consent of all parties before recording any audio. (Privacy rights clearinghouse)
Global Positioning Services (GPS)
GPS is a relatively new form of surveillance and many companies don’t find the need or haven’t yet adopted it due to expense. Company use GPS to monitor the location of trucks, track delivery times, monitor the speed of the vehicles and make sure that truckers are taking their required breaks. Smartcards or electronic ID tags are used by hospitals to find staff quickly. Radio frequency tags can be attached to equipment and tracked wirelessly throughout buildings.
The Impact on Monitoring
Employees feel entitled to privacy while in the work place, not monitored during personal phone calls or when using the bathroom. Employers want to guard against loss of assets, even if that means removing some forms of privacy in the work place. They must also adhere to privacy laws when monitoring employees and equipment.
Currently, there aren’t any federal rulings that regulate businesses on workplace privacy problems. However, the Federal Privacy Act limits “the collection of information and regulates access to information for federal employees and covers private employers who have federal contracts requiring specific recordkeeping obligations” (SHRM). Also the Federal Wiretapping Act and the Electronic Communications Privacy Act halts the “intentional interception or disclosure of any wire, oral, or electronic communication where there is a reasonable expectation of privacy” (SHRM).
In 2010, the New Jersey Supreme Court ruled that an employer violated the rights on an employee by monitoring a personal Yahoo email sent to her lawyer (Stengart v. LovingCare Agency, Inc.). The court decided that attorney-client privilege should be applied to emails, even if there is a policy that private communication should not be sent through company equipment. (Privacy rights clearinghouse) However, in 2011, a California court ruled that emails sent by an employee to an attorney from a work computer where not protected by an attorney-client privilege (Holmes v. Petrovich Development Company, LLC). This was because the employee used a work email account, not a personal email account, the employee had also been told of the business only policy and that the company monitored its computers. (Privacy rights clearinghouse)
Laws can be confusing in circumstances like these. It’s important how the employee went about sending the emails and the policies that were in place at the time. In a 2004 survey, 21% of employers surveyed said that employee email was subpoenaed by courts and 13% battled lawsuits because of employee email. Even though this is a good reason to store email, 65% of the businesses lacked email retention policies and 46% never offered workers email policy training. (The ePolicy Institue, Executive Director Nancy Flynn, e-mail firstname.lastname@example.org)
Businesses must balance ethical obligations and company security, as well as, specific acts federal regulators added to businesses like hospitals and grade schools. If hospitals fail to comply with the Health Insurance Portability and Accountability Act (HIPAA) or Patient Safety and Quality Improvement Act of 2005 (PSQIA), they could lose funding, face fines or be forced to close. The same applies to school districts and the Family Educational Right and Privacy Act (FERPA) and the Children’s Internet Protection Act, which shield children and keep private information from public view.
Finding the Middle Road
With all the issues and problems associated with privacy in the work place, what can be done to protect employees and employers both?
Code of Ethics and Polices
It’s important to see from the above court cases, that a proper policy or code of ethics needs to be in place. Organizations should not only provide a policy, but train their employees to help them know what is expected of them and when personal usage is appropriate. There should be clear signs that state that business equipment is for business use only. The following is list of things to consider when creating or updating a policy. (McNamara)
- Review all applicable laws and regulations and adhere to them
- Identify behaviors of highly ethical and successful traits
- Address any current issues
- Identify the company’s strengths and weaknesses
- Consider the expectations of all stakeholders
Point of view: Bahaudin G. Mujtaba, Nova Southeastern University
Majtaba pointed out that monitoring can be seen as policing, guaranteeing that misuse and stealing doesn’t occur. He states that utilitarianism supports employee monitoring, seeking the “greatest good for the greatest number” (Mujtaba). Companies must make sure that they stay in compliance of any laws and avoid liabilities, theft, and guarantee resources workers require to be successful. He commented on the cost of human and financial resources such as lawsuits, employee morale, and a bad public image of the business from unethical acts. This misuse of resources could lead to major losses.
Point of view: American Civil Liberties Union
The ACLU believe that the following changes should be made to the ECPA: (American Civil Liberties Union)
- “Robustly Protect All Personal Electronic Information.” Making sure that all electronic communication gets full warrant protection.
- “Safeguard Location Information.” Believing that government should have to obtain a warrant before accessing a person’s personal cell phone information.
- “Institute Appropriate Oversight and Reporting Requirements.” Believing there should be an extension for wiretapping orders to include all types of surveillance.
- “Require suppression Remedy.” Requiring the same rules to apply for electronic information and non-electronic information as it’s used for court cases.
- “Craft Reasonable Exceptions.” Records should only be view in emergencies and only with informed consent and notification.
In my experience as an Information Technology Director of a mid-sized school district, I’ve had to learn quite a bit about privacy, FERPA, and CIPA. To remain in compliance with CIPA, I had to initiate a review of our Acceptable Use Policy that was in place and extremely out of date.
Keeping in mind the information listed above, I requested input from instructors, support staff, administration, students, and parents. Unfortunately, I got only a few teachers and one student that saw the importance of the task.
We began by noting changes, including adding terms such as social media and mobile phones. Next, we discussed an opt-in versus opt-out process for students’ Internet privileges. Many students forged parent signatures and staff found it difficult to check each student every time they needed to use a computer. There were few students whose parents didn’t want them on the Internet and the committee thought it would be easier to manage.
After finishing our changes, we submitted it to the superintendent and attorney. They made a few changes, recommending we not change the opt-in policy for Internet Privileges as it would be harder to support in court. Finally, we submitted it to the school board, who approved it.
Monitoring in a school district is extremely difficult. We’re required to monitor students of all ages and adults, who want more freedom. Using a special web filter, we decided to heavily filter the elementary students, loosening the reins on the middle school, and a bit more for the high school students. Our teachers were filtered for pornography, malicious web sites and downloading software. We restricted streaming video and gave students and staff a web page to request a website be available.
Due to cost of storage, we saved very little of our email and video, but had plans to store more in the future. There were several times when video surveillance caught theft, damage to property or people, and was used in court. At the time, we had video systems in the middle school and high school, but due to their success in protecting assets, we discussed adding surveillance at the elementary schools as well.
I believe there needs to be a clear understanding to all stakeholders on the need to behave professionally and ethically. Monitoring should not be used as the only source to prevent loss, but people that work for or with the company should be held to a high standard. Privacy must be respected and should always be considered when monitoring and policies are put in place. Workers should understand the policies and what the intent of monitoring is for. There should also be annual reviews of policies to make sure changes are made when new issues or technologies arise.
I’ve discussed the points of view of two major stakeholders of company monitoring, employees and employers, stating reasons for monitoring and against it. Different types of monitoring with their pros and cons where also listed. Followed by some of the issues, including recent court cases, that monitoring has caused and prevented. Finally, I gave a couple separate view points and added my own experience and thoughts on employee monitoring.
It’s important to keep in mind that there needs to be open communication between employers and employees when it comes to monitoring. Employees must be aware of what is being monitored, what is expected of them and what the monitoring is for. Employers must have a set of clearly defined rules in place and should be held accountable to make sure the workers understand the need for monitoring. Monitoring should be used as a protective measure and not as the ethics police.
AMA. 2007 electronic monitoring & surveillance survey. 28 Feb 2008. 20 Jul 2012. <http://press.amanet.org/press-releases/177/2007-electronic-monitoring-surveillance-survey/>.
American Civil Liberties Union. Modernizing the electronic communications privacy act. 12 Oct 2011. 21 Jul 2012. <http://www.aclu.org/technology-and-liberty/modernizing-electronic-communications-privacy-act-ecpa>.
Baase, S. A Gift Of Fire, Social, Legal, And Ethical Issues For Computing And The Internet. 3rd. Upper Saddle River NJ: Prentice Hall, 2008.
Cornell University. 18 USC Chapter 119 - WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS. n.d. 23 Jul 2012. <http://www.law.cornell.edu/uscode/text/18/part-I/chapter-119>.
McNamara, C. Complete Guide to Ethics Management. Ed. D. Gebler. 23 Jan 2003. 20 Jul 2012. <http://managementhelp.org/businessethics/ethics-guide.htm>.
Mujtaba, B. Ethical Implications of Employee Monitoring: What Leaders Should Consider. n.d. Journal of applied management & entreprenuership. http://www.huizenga.nova.edu/Jame/articles/employee-monitoring.cfm. 20 Jul 2012.
Privacy rights clearinghouse. Fact sheet 7: Workplace privacy and employee monitoring. 2011. 20 Jul 2012. <https://www.privacyrights.org/fs/fs-7work.htm>.
SHRM. "Workplace Monitoring Laws." 23 May 2012. Society for human resource management. 20 Jul 2012. <http://www.shrm.org/legalissues/stateandlocalresources/stateandlocalstatutesandregulations/documents/state%20surveillance%20and%20monitoring%20laws.pdf>.
The ePolicy Institue, Executive Director Nancy Flynn, e-mail email@example.com. 2004 Survey on Workplace E-Mail and IM Reveals Unmanaged Risks. 2002, 2003. 20 Jul 2012. <http://www.epolicyinstitute.com/survey/index.asp>.