
Balancing Privacy and Security

written by: Steve Mallard • edited by: Bill Bunter • updated: 6/18/2010

The main conflict discussed in the article is employee privacy vs. employer security, and the main concern for both businesses and the judiciary is to strike a balance between the two.


    Employee Privacy vs. Employer Security

    The break-even point at which a monitoring program achieves business objectives while also protecting employee privacy depends on various factors. As technology advances, its popularity and usage will also increase. Employers understand that they cannot do without these systems, and that if they opt to use them, they will need other technology to oversee their use. Despite this advancement, employees do not want to surrender their privacy rights. EU jurisdiction recognizes the importance of informing employees that they are being monitored. However, the overall monitoring technology should meet a reasonableness test that takes into consideration the concerns of both parties.

    This article suggests that no single factor determines the decision in a case. Resolving a legal obligation requires a combination of factors to be considered. Consequently, law being so subjective, the same case decided by different individuals would involve different factors, and case decisions would also differ from country to country. However, all share the same goal: a balance between privacy and security.

    A typical case arises when a system administrator discovers that an employee has used e-mail for personal purposes to transfer confidential or offensive information, and reports this to the department head. With the department head's authorization, the administrator may be allowed to scan the employee's entire mailbox and hard drive. If the employee is guilty, he could face anything from a warning to termination. Following this, the employee would file a suit against the company for breach of privacy. The arbitrator’s decision usually depends upon the factors discussed below.


    The Four Factors (Contd.)

    a. Target

    What needs to be considered is who is being targeted: is it just one person, a group of people, or everyone? Discriminating against and monitoring a single person would not be acceptable under the law. Assuming that there is no discrimination, or that a group of people is being monitored, some level of surveillance is preferred and acceptable. For example, if a stockbroking firm needs to ensure that its employees are not transferring confidential information about stock price tips to outsiders, it would make no sense for it to monitor the support, admin or human resources personnel. According to jurisdiction, this is also acceptable, as it is less privacy-invasive and more effective. What is important, however, is that employers should not go overboard by monitoring and gathering too much information, as that would not be acceptable.

    b. Purpose of the surveillance


    The law expects employers to have a reason or a purpose for monitoring e-mails and internet usage. The various reasons have already been discussed in the paper above. They range from productivity to company liability to confidentiality. If the purpose seems fair and a reasonable level of surveillance is used, the law would allow it.

    c. The Surveillance technology

    The kind of surveillance technology used is also a factor taken into consideration in the reasonableness analysis. The best technology to adopt would be the least intrusive one that achieves its purpose while respecting privacy interests. This is found in the EU Data Protection Working Party’s Opinion 8/2001, which concluded, “[a]ny monitoring must be a proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers and [a]ny monitoring must be carried out in the least intrusive way possible.” In addition, employers should not have the right to store or review their employees’ personal conversations with other colleagues.

    d. Adequacy of notice

    Before monitoring e-mail accounts, an employer needs to inform the employee about the purpose and method of surveillance. The Australian Office of Privacy has provided six guidelines that should be incorporated into company policies. These have been used by various other nations and are:

    1. The policy should be disseminated to all employees to ensure that they understand and do not expect complete privacy in their e-mails and internet usage. Ideally, the policy should be linked from the screen that the user sees when they log on to the network.

    2. The policy should be explicit as to what activities are permitted and what are forbidden.

    3. The policy should clearly set out what information is logged and who in the organization has rights to access the logs and content.

    4. The policy should refer to the organization’s computer security policy as improper usage could create an unnecessary legal liability for the company.

    5. The policy should outline how the organization intends to monitor or audit staff compliance.

    6. The policy should be reviewed on a regular basis in order to keep up with the accelerating development of the Internet and information technology.

    The above policy should be re-sent to all employees occasionally as a reminder, with necessary changes made as technology advances. In one particular case, employees sued their company because they could not access the e-mail policy on the intranet. The employees had used e-mail to sexually harass colleagues and, when found guilty, said that the employer should not have been reading personal e-mails. The case was taken to court, and it was held that the employees’ view was not unreasonable, but the case drew attention to the importance of ensuring that the e-mail policy reaches employees.

    The US Supreme Court, in a 1987 decision, identified three key considerations when studying a privacy case. These were: whether the employee has a reasonable expectation of privacy, whether the employer has a justified suspicion or purpose, and finally whether the scope of the search is limited to what is necessary.