How To Track The Productivity Of Your Remote Workforce Without Breaking The Law

The demand for remote working options has been present well before COVID-19 forced employers to patch together a crisis-driven work-from-home arrangement for their employees.

According to the 2019 State of Remote Work report from Owl Labs, 80% of US employees surveyed indicated a desire to work from home at least some of the time.

Should you accommodate remote workers in your organization, it’s critical that you are aware of the legal limitations of using the employee productivity monitoring software that you may be accustomed to using with your in-house employees.

DATA PRIVACY LEGISLATION

As the global data privacy landscape continues to evolve, leading legislation such as the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) are highly likely to serve as the cornerstones.

While the purpose of this article is not to break down each available piece of data privacy legislation in detail, understanding the frameworks of existing legislation at a high-level is critical for understanding the why that will inform future data privacy legislation.

Employee Data Privacy Highlights

• Transparency & Consent: Data subjects (such as employees) need to be adequately informed about the nature of the data collection that is taking place in order to consent to the collection and use of their data. This can include why/how the data is being collected, what entities will have access to the data, and how the data is being secured.
• Proportionality & Necessity: Methods used to collect data and the benefits of collecting that data must not excessively or needlessly infringe on the privacy rights of the data subjects. When multiple methods exist to achieve the same intended result, it is prudent that you opt for the option that is the least invasive.
• Finality & Legitimacy: If the data processor (such an employer) has a legitimate need for the data and the data subject provides informed consent for their data to be used in a given manner, that must be the only manner that the data is used for unless the data subject indicates otherwise.
• Data Security & Breaches: The data controller is responsible for the safe handling and proactive security of the data in their custody. When a breach of data is detected the data controller must notify a designated authority of the incident and take necessary actions to reduce the impact of the breach. Depending on the relevant legislation a data breach can lead to hefty fines through regulatory bodies or by litigation pursued on behalf of the affected data subjects.

It’s important to note that while the majority of existing data privacy legislation largely pertains to consumers, employers must be aware that these protections may further extend to employees following amendments and clarifications.

The extent with which you can use productivity tracking software with your remote workers will also be heavily influenced by union agreements, the culture of your company, and any privacy concerns your employees may have.

ETHICAL & LEGAL CONSIDERATIONS FOR EMPLOYEE MONITORING

Employee monitoring technologies are commonplace tools for bolstering an organization’s capabilities for managing productivity, ensuring the security of their networks and the data in their custody, and for collecting digital evidence that may be relevant for use in e-discovery.

If you will be using computer monitoring software to track the productivity of your remote workforce, there are ethical and legal considerations that you will need to factor in first.

1. Data Governance, Security, and Privacy Responsibilities

By its very nature, employee monitoring software used to track the productivity of employees generates a large quantity of data. As the data controller you will have an extensive list of data security and privacy responsibilities that will greatly inform your data governance plan.

Aside from the benefits of staying on the right side of the law, respecting data privacy is an advantageous business management decision. A recent study from Cisco found that over 40% of the companies that invested in privacy saw an ROI of at least 2x from their efforts.

Is Employee Monitoring Data Considered Sensitive?

While employee monitoring data will provide enhanced insights into how your remote workforce is managing their time and interacting with the technology they use to perform their tasks, some of this data can be highly sensitive.

If your data governance strategy does not adequately account for your security and privacy obligations as it pertains to sensitive employee monitoring data, your organization could be subject to hefty fines and litigation should that data be breached or otherwise used inappropriately.

Example 1 – Personally Identifiable Information (PII) & Personal Data

While what constitutes as PII varies slightly between different legislations, the best practice is to treat any information that can be even potentially linked to a given individual as PII and secured accordingly.

The reason for this is that as artificial intelligence and machine learning continue to advance in their capabilities the inferences that are possible with seemingly abstract data will increase, potentially leading to data that was once not considered linkable PII being linked to individuals.

If the following data is collected by your monitoring program you should be aware that you are likely to have legal obligations (now or in the future) to secure it against unauthorized access and misuse:

• Data regarding protected classes (race, age, religion, etc)
• IP Addresses & Device IDs
• Geolocation data
• Names (full or partial)
• Email addresses
• Postal addresses
• HTTP Cookies
• Date of birth

The above list is not extensive – it serves as an indicator that even seemingly non-sensitive data such as internet cookies, device IDs, and IP addresses can be sensitive in some contexts.

The FTC has previously stated that they consider any data that can be reasonably linked to a particular person, computer, or device to be personally identifiable, thus warranting the same data privacy and security protections as more obvious forms of sensitive data such as SIN numbers.

Example 2 – Sensitive Search Queries

Queries entered into online search engines have the potential to be incredibly sensitive. Consider all of the queries you’ve made in your life – research into medical conditions, queries that could be considered troubling when taken out of context, NSFW content, and more.

If your employees are using company-owned devices and they have been clearly informed to the extent of the monitoring that will be taking place the likelihood that they will perform sensitive search queries is significantly reduced, however there is a non-zero risk that unanticipated use can and will happen.

Depending on the nature of the searches, a misuse or breach of the monitoring data collected could lead to the blackmailing of monitored employees or legal complications with the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and other federal laws that pertain to protected classes.

Data Minimization

GDPR mandates that data collection efforts are executed in a manner that is proportional and strictly necessary for the stated goal.

When using employee monitoring data to address productivity, it is critical that you only collect the data that is necessary to suit the specifically identified purpose.

Once the data is no longer required, it should be culled as a proactive security and privacy measure rather than opting to store it indefinitely.

Technical Safeguards

As with any form of sensitive data, the data collected from your remote workforce must be secured against unauthorized access and limited to exclusive access by parties that have a legitimate business need for the data.

In addition to limiting the number of users permitted to access employee monitoring records, technical safeguards need to be implemented to prevent unauthorized parties from accessing the data.

Technical safeguards can include privileged access management practices that enforce multi-factor authentication (MFA), anti-intrusion detection for networks that store monitoring data, and the enforced encryption for monitoring data.

Pseudonymization and Anonymization

Pseudonymization and anonymization are proactive data privacy measures that obfuscate the PII contained within monitoring data.

The key difference between the two is that pseudonymization can be reversed by using additional information such as a password or encryption key, whereas anonymization permanently removes information that can be used to identify the data subject.

By using either of these methods you can leverage the insights provided by employee monitoring data while reducing the potential for a direct link to be made to a specific employee.

2. Defining the Scope of Monitoring Activities

In order to use employee monitoring software to track the productivity of your remote workforce without breaking the law you need to clearly identify the data and metrics that are truly necessary for accomplishing that goal.

You should also ensure that the methods used to capture the data are as minimally invasive as possible to reduce the privacy impact it has of your employees.

Under GDPR employers must perform a Privacy Impact Assessment (PIA) before they implement their desired employee monitoring software. The intention of the PIA is to ensure that the balance between the employer’s legitimate business interests for monitoring does not needlessly or excessively harm the privacy of their employees.

Some employee monitoring softwares breach the line between ‘monitoring’ and ‘spying’ by tracking far more than basic productivity metrics such as the amount of time spent on distracting websites and applications.

Particularly invasive computer monitoring software can be unethically used by employers to capture keystrokes, take screenshots of desktops, capture live webcam feeds, and store recordings of audio captured through an employee’s microphone.

Worst yet, the softwares that provide these excessively invasive monitoring capabilities are often designed to operate in a way that intentionally avoids detection by the user by using ‘stealth mode’ features.

Should the scope of an employer’s monitoring activities enter into this level of invasiveness they can be reasonably certain that it far exceeds what is truly necessary to effectively manage the productivity of their employees, leading them to run afoul of laws pertaining to wiretapping, electronic surveillance, and the reasonable expectation of privacy.

Remote Workers and BYOD

While employee monitoring is commonplace for traditional workplaces, the prevalence of personal device use among remote workers means that these methods cannot always be relied upon for productivity tracking.

The installation of software agents that track and report computer usage data are highly invasive when personal devices are monitored.

Even with features that allow monitoring to be limited to standard work hours, employees are likely to have concerns about whether or not the software is truly dormant or if it is simply engaged in the aforementioned stealth mode.

For this reason if productivity monitoring software is going to be used to monitor your remote workforce it is prudent that your company either directly provides a work-only device or a stipend to purchase equipment for that purpose.

3. Transparency of Tracking

While not currently required in every jurisdiction, transparency is explicitly required by both GDPR and CCPA. Even if your organization is not required to be compliant with either regulation, full transparency of the electronic tracking methods you intend to implement as well as the intentions for the data that will be collected is paramount for generating employee buy-in as employees can be provided with the opportunity to voice any privacy concerns they have with the proposed monitoring methods prior to their integration.

Companies that opt to monitor employees without full transparency run the risk of ruining their relationship with their employees.

In a Harris Poll commissioned by Dtex Systems, 77% of Americans surveyed stated that they would be less concerned about digital activity monitoring if their employer was fully transparent – 70% indicated they would consider quitting if they later discovered that the monitoring was performed without their knowledge.

Informed Consent

To ensure that their privacy is respected, employees need to be fully informed of the scope and intent of monitoring activities so that they can adequately weigh the potential privacy impact that the data collection will have on them against the benefits to them and the organization.

It’s important to note that while documenting evidence of informed consent is a legally prudent measure, the inherent power imbalance present in an employee-employer relationship means that it cannot be relied on as the cornerstone for demonstrating compliance with data privacy. GDPR emphasizes that employers should have a clear lawful basis for monitoring that does not rely solely on employee consent as employees may worry that refusal to consent may have negative consequences on their employment.

Should you opt to use acceptable use policies and employee monitoring policies to establish a precedent for your monitoring efforts, it is the opinion of the Article 29 Working Party (WP29) that a representative sample of employees is consulted to ensure that the accessibility of the policy and necessity of related monitoring methods are adequately assessed by the impacted parties.

HOW TO EFFECTIVELY USE PRODUCTIVITY TRACKING DATA

According to a 2017 Gallup poll, 85% of employees worldwide are not engaged in their job. Managers that are not accustomed to accommodating remote workers often struggle with concerns that without direct supervision, remote working will exacerbate the disengagement of their employees by providing them with added opportunities to become distracted by unrelated tasks.

Concerns about employee disengagement often lead to the implementation of productivity tracking applications that produce reports on how remote workers are using the internet and computer applications during work hours.

While this form of workplace analytics is a valuable tool for identifying actively disengaged workers that are misrepresenting how they are spending their time, it’s important that managers avoid ruining subjectivity by relying solely on productivity tracking data when making management decisions.

By exercising their discretion and focusing on outcomes rather than perceived efforts, managers can provide their remote employees with the autonomy needed to enhance productivity while simultaneously building the level of trust that is necessary for a successful remote workforce to function.

How to Best Use Productivity Data

• Identify actively disengaged workers that are misrepresenting their time spent on tasks.
• Use data insights to discover projects that require additional resources.
• Use data as a tool for informing management decisions, not as the final determiner of disciplinary action.
• Provide employees with access to their productivity data so they can benefit from the insights provided when self-managing their time
• Collect historical evidence of the time and effort required to complete projects.

CONCLUSION

As the data privacy landscape continues to evolve, the core principles outlined in this article will serve as a fundamental basis.

With a well-planned combination of results-based management, employee monitoring practices that emphasize employee privacy as a top priority, and the strategic use of workplace analytics, the productivity of your remote workers can be tracked in a manner that is effective and lawful.

Further Reading

• GDPR: The Article 29 Working Party (WP29) Archives
• GDPR: The European Data Protection Board (EDPB)
• GDPR: Full Text – The General Data Protection Regulation (GDPR)
• CCPA: Full Text – AB-375, The California Consumer Privacy Act (CCPA)

Note From the Author

While we’ve done our utmost to ensure the accuracy and validity of the information present in this article, we are not legal professionals and the advice is this article does not constitute legal advice. It is our hope that the research present in this article provides actionable guidance that will help you make an informed decision, however before any action is taken you should consult with a lawyer with experience in your industry and the jurisdictions with which you will be enacting your employee productivity monitoring.

About the Author

Dale Strickland is a Canadian digital content creator that specializes in voice over, content writing, and graphic design. He is a Marketing Coordinator for CurrentWare, an employee monitoring software company headquartered in Toronto.