Managing privacy whilst working from home
As the dust continues to settle on our usual office environments, many of us are having to set up more permanent working spaces in our homes - spaces where we’ll be spending an undetermined amount of time at our makeshift desks in bedrooms, dining rooms, kitchens and spare rooms.
At the height of the first COVID lockdown in March 2020, 60% of the UK adult population was working from home, with 40% of workers still staying clear of the office even after many restrictions had been lifted. It seems that working from home had become not only a necessity, but also desirable for many: 83% of employees admitted to not needing an office to be productive, and 26% of Brits said they’d like to work from home permanently or at least occasionally after the first lockdown. A more recent study shows that 52% enjoy the work-life balance that working from home can provide, swapping the daily commute for meal times with flatmates and family.
It’s likely that part of our current productivity stems from a wider lack of social distractions along with inevitably longer working hours. Video calls and chat have replaced personal interaction; they are more efficient than travelling to meetings and make it faster to get everyone together.
With most business now being conducted virtually, many companies have started to look at software to help them monitor their remote employees, with broader implications for managing personal privacy than the usual considerations for office environments.
The line between home and work has been blurring for many years. Smartphones have ensured we are all connected to our work email 24/7, and many industries have been allowing flexible working practices for some time. Up to now this has been a choice on the part of the individual - do I work from home today, should I check my email in the evening - and has favoured companies with the working cultures already in place to support virtual work. With the pandemic this has been thrust on many more of us, rapidly driving up the usage of remote working services and further clouding the distinction between home and work life with no time to adjust.
Personal privacy in one’s own home has always been a given, as has the need for protection of business assets and data within traditional working offices. The move to remote work has opened up risks for both of these areas. How can a company protect its core data and the way that its employees access and use it remotely, and can it do so in a way that protects its employees’ personal privacy?
Businesses need to review the legitimacy of, and their deployment approach for, any remote employee monitoring tools. The Information Commissioner’s Office (ICO) has already handed out severe warnings and fined several major companies due to data privacy breaches. Companies are within their rights to ensure control and protection of company IP and data along with maintaining a productive workforce - just as employees are within their rights to protect their personal data, especially when working from home.
Employers have previously been able to monitor teams through regular personal contact in the office, CCTV cameras, time-punching cards and internet activity. These activities were constrained as they were mostly carried out within the physical space of the office, where it is significantly easier to keep in line with the Data Protection Act 1998 (DPA).
The DPA states that it is perfectly legal to monitor employees, but any usage of their personal data, including sensitive details of bank accounts and salary, CCTV footage, and internet history captured at work, must both:
a) be processed in a ‘fair and lawful way’
b) be accompanied by an explicit statement of what is being recorded, for what reason, and who has or will have access to it and why
In a working from home setting, where a home is protectable and private under Article 8 of the ECHR, it is significantly harder to comply with both GDPR laws and human rights. The main reason this kind of surveillance is being called into question is the personal and sensitive nature of what is being recorded, for what reason, and who has or will have access to it and why. Whilst some form of control of company data is necessary, some of the solutions used for monitoring go above and beyond legitimate company interests.
Over the past few months, many news articles have challenged certain surveillance software companies that provide remote work monitoring, yet many of these enterprises have seen their sales triple over lockdown. There is good reason for the use of these systems to come under scrutiny, as the potential level of intrusion means that what they actually capture is increasingly hard to justify.
Some solutions regularly capture screenshots, record keystrokes, track GPS via phone apps, and generate productivity reports about website and app usage. Whilst many of these technologies have been in use for many years, the content they were capturing was not previously pointed into our homes. If you are using your dining room table as an office, then not only your home but also those you live with, such as children, flatmates and partners, will likely be captured in the background of a video call - not only by entering the shot whilst handing you a cup of tea, but also through photographs or calendars pinned to the wall. This puts their own personal data at risk, particularly when companies are regularly screen-grabbing employees’ desktops, and raises additional questions about who has access to that data.
Alongside employer monitoring there have been reports of “Zoombombing”, where hackers have been able to enter Zoom video calls and manipulate and record content. Perhaps more worryingly, if employers are not explaining who they share their access with, a leak of such information could cause lasting damage to your partner’s or your flatmate’s profession, health, reputation and more. When other people who have no connection to your work are brought into the equation, there needs to be wider governance of the monitoring tools used and the practices that are in place for protecting data.
How can employees be sure that any personal data that is captured is only being used to track company data usage, and not something else that breaches their own privacy? Is notification alone enough?
Adam Satariano, a journalist for the New York Times, experimented with some such software and discovered that it tracked him out on a family bike ride and participating in an online exercise class, taking screenshots along the way, which also put the people he connected with online at risk of a data breach. Furthermore, the documented monitoring stretched to between 9 and 14 hours during the day, i.e. whenever his laptop (a personal one that he uses for work) was open. Are employees meant to simply trust their employer to manage their personal data correctly under GDPR laws, even when they are being monitored outside of working hours?
Employer and employee trust is another avenue to explore. Many articles suggest that this kind of surveillance, where employees are monitored by the hour or even minute, expresses a key lack of trust which leads to the exploitation of privacy.
UK-based developer Culture Shift recently published a report in which 92% of the British tech workforce agreed that trust from an employer was key to their overall happiness at work, which in turn improved productivity rates, with 86% expressing that autonomy was key.
Nick Matthews, general manager and Vice President EMEA of Culture Amp, has also suggested that trust is a better avenue for employers than “snooping”, arguing that adaptability and prioritisation of employee needs, particularly those surrounding mental health, is a more positive way to ensure company loyalty, hard work and good practice. A study by the Harvard Business Review found that companies that adopted this approach earned a 15% boost in annual revenue over others in the same industry who were less adaptable. However, as important as trust is to overall employer and employee relations, how can companies legally protect themselves if such a risk were to result in some kind of breach?
When the home doubles as a physical office space, it is hard to find the line between what is private and what needs to be monitored. It seems inevitable that, through whichever software, for whatever legitimate reason, and whoever will access it, the collection of personal data will be carried out. Perhaps employees should be given the option to officially consent, rather than just be notified. It seems logical that employers and employees need to come to some sort of agreement about personal data collection, based on openness, honesty and an explicit knowledge of what is being captured. In order to maintain both the security of company data and the privacy of the individual, both parties should know and understand how their data is being used, for what logical reason and who has access to it, so we can all prepare our home environments and behaviours accordingly.