I Spy With My Corporate Eye: The Employee Services Conundrum
Note from the Editor:
Ruby will lead a breakout session at this year's IAPP Privacy Academy in Seattle, WA.
It’s a conundrum: Companies want employees to be satisfied with their corporate services, but great user experiences in this context can require a certain amount of employee tracking that could affect employees’ views about workplace privacy. Even M doesn’t really want to know whether James Bond prefers his martini shaken, not stirred, but it may be incidental to the CCTV cameras in the MI6 café that keep assassins at bay! Companies have to manage potentially complex trade-offs between employee privacy, company security and user experience, including services such as BYOD programs, context-aware apps and even call monitoring for quality assurance.
Why do companies track employee data and behaviors?
In some instances, they have legal obligations to do so—safety and security, for example. But companies also want to prevent data/IP loss, improve productivity (are we cyberloafing AGAIN? Of course we are!), set appropriate cost standards, avoid liability for employee malfeasance, investigate misconduct and improve—or even predict—user experiences. In addition, a recent study by Aruba Networks states that 40 percent of Middle Easterners, 45 percent of Europeans and 66 percent of Americans fear loss of personal data from their employer, which leads them to try to hide their use of personal devices at work and to fail to report data loss or breaches. So we can’t necessarily trust all employees to appropriately manage their own behaviors.
Yet many users have notions about privacy that don’t match their actions—recently I was at an employer event where a coworker was complaining quite strongly that he was concerned about his privacy rights because of the recent publications about the NSA’s PRISM program. Not five minutes later, an employee none of us knew waltzed up and requested that we allow him to take photos of our employee badges—which contain our names and facial photos. My fellow employee promptly held up his badge for the taking of said photo without even asking who the person was, why he wanted the photos, and what he intended to do with them. Huh?
So it can be tricky business for a company to balance individual notions of privacy with real privacy rights, legal obligations and the desire to improve the workplace for all of us. Employee services that can collect personal information and hence impinge on an employee’s perceptions of privacy—justified or not—date back to historical and mundane things such as work-sponsored clubs, birthday parties, photos, on-site health services, travel arrangements and the age-old inebriated prank of photocopying one’s rump at the annual holiday party. Fast forward to today’s environment and we have seemingly innocuous services such as badge entry systems and call recording for quality assurance, social networking, ergonomic wellness tools, BYOD programs and exciting new devices such as Google Glass that could potentially record our every movement. Further, companies may contemplate offering additional helpful services, such as smart vending machines that serve up computer peripherals but track your purchases; Friend Finder, which lets you see where your favorite mobile coworkers are located at every moment; and options to “get us out of password hell” that may require collection of biometric information.
Regarding technological aids, context is becoming king: If I want to have increased access to corporate apps when I’m not on my corporate PC, then who I am, where I am and my trust level can unlock that door.
But taken even further, we can encounter what I like to call privacy-impacting “anti-services”. Did you know that CVS Caremark, a large US drugstore chain, recently said it would require its 200,000 employees to report their weight, blood sugar and cholesterol or be forced to pay an annual penalty of $600 for healthcare? It also will require that smokers try to quit. Several other major employers have also adopted such policies.
All this tracking, whether for good or not, brings potential legal risk. A cornucopia of different types of laws can be involved: data protection laws, security laws, human rights laws, constitutional laws, contract laws, data transfer, data access and labor laws. Often these laws are not harmonized, making it difficult for a large global company to standardize certain services. Simply offering employees social media services invokes a number of different laws, including common law privacy rights; employment laws regarding discrimination based on personal information a hiring manager may find on a candidate; labor laws regarding free speech about the company; IP laws regarding loss of trade secrets or who owns a Twitter handle, and newer state laws prohibiting employers from requiring social media passwords. According to Gartner, Inc., 60 percent of corporations are expected to implement formal programs for monitoring employees’ external social media for security breaches and incidents by 2015. Many organizations already engage in social media monitoring as part of brand management and marketing, but less than 10 percent of organizations used these same techniques as part of their security monitoring program in 2012.
So what can employers do when they are offering services that may not be justified solely as continued obligations to reasonably manage employee security risks?
The first step is to analyze the new service under a privacy risk assessment process; questions poking at exactly how these services are being offered can help design them appropriately. The second step is to remember that companies need to be practical and determine reasonable criteria to prioritize service launches globally and find the right return on investment between the benefits to employees and the legal and reputational risks of getting it wrong.
Corporate-sponsored employee services can be beneficial for all of us, especially given the increasing co-mingling of our work and personal lives. We can improve employee health and safety, engage in social networking, facilitate finding expert help amongst our employee base, allow employees to use their own devices at work, allow them to access work-related systems while away from work and allow them to continue engaging in a reasonable degree of personal activities on company-owned systems. Doing it right—i.e. launching every new service with appropriate forethought and transparency as to the trade-offs—can make all the difference between a real service and a perceived “anti-service.”
If I were M, I would always want to know how James Bond wants his martini and would gladly go to the effort of personally posting many obvious notices of CCTV monitoring of same.
Of course social media carries other risks, such as improper posting of confidential information, erroneously appearing as an authorized spokesperson, and too much cyberloafing if we’re on our Facebook accounts all day.
About the Author
Ruby Zefo, CIPP/US, CIPM, is Intel’s Chief Privacy & Security Counsel. Zefo manages Intel’s global privacy and security legal practice, where she is responsible for the development and implementation of legal strategies that advance Intel’s worldwide opportunities related to privacy, data security and cyber security, while appropriately managing associated legal risks. In addition, Zefo manages the teams responsible for all legal support of Intel’s IT department, and Intel’s global trademark practice. She joined Intel in 2003. She has a B.S. in Business Administration from the University of California at Berkeley, and a J.D. from Stanford Law School.