Big Brother is not only keeping watch on you but is monitoring your e-mails as well. According to a new study by California-based Proofpoint and Forrester Research, more than a third of the big companies in the US and UK hire employees to read and analyse outbound e-mails to protect against legal, financial or regulatory risk. Research by the American Management Association corroborates the results. It attests that while three quarters of large multinational companies monitor employees' e-mail, more than a third track time spent at the keyboard and half of them store and review employees' computer files. Fifty-five per cent admit that they retain and review employees' e-mails.
But there is more to this story than statistical data on e-mail monitoring. With the advent of digital technology it is possible for you to capture, store and review data used by your employees. However, at the same time, this digital boom has created collateral problems concerning employees' privacy.
The privacy debate is a central component of the issue. Does anything like employees' privacy within the workplace exist at all? Even if it does, where do you draw the line between prying on your employees' privacy and protecting your own business interests?
Drawing the line of control
HR leaders across the world strongly assert that employers have an implicit right to ensure that employees' activities during 'employer-paid-hours', using employers' tools, within the employers' premises, are not in conflict with their business interests. K Thiveanathan, director, human resources at 1st Silicon, Malaysia, notes that at the same time, employers are required to demonstrate high integrity while managing employees' personal data,
Employee privacy issues frequently arise beyond monitoring e-mails and phone calls. There are many reported attempts to monitor employee behaviour that sound downright ridiculous at times. For example, according to news reports, an employer is said to have placed a device in his employee's chair to measure 'wiggling', presumably because more wiggling means less working! China has reportedly launched a computerised staff management system known as China Black Files, which is meant as a repository of personal data for employees that employers can access at all times.
The fact remains, however, that these reports represent aspects of a legitimate struggle between the employer's ability to conduct business operations and the employees' privacy rights. Without doubt, the struggle is serious and its boundaries are rapidly moving into HR's arena of responsibility. More than ever before, experts agree that HR's focus is to ensure that resources are not abused and productivity is unaffected.
Will HR be the whistleblower?
Sabyasachi Bhattacharya, senior general manager, corporate HR and personnel at Berger Paints, India, feels that the argument put forward by most pro-monitor advocates is pretty thin. "Professionals have argued that the employer has a right to monitor an employee's activities - be it on the computer via e-mail, et al, or over the phone - provided that the employer is doing so to protect the interest of the business. I feel that employers need to define clearly what they will monitor vis-a-vis an employee and clearly communicate that to the employees," he says.
The proverbial ball is therefore, definitely, in the employers' court. Thiveanathan agrees with Bhattacharya and notes: "An employer has to establish transparent policies on intellectual property and confidential information and ensure all employees are aware of the intention of such policies from the first day of employment. For example, if the employer is monitoring all e-mail communication of his or her employees, he/she must explain to the employees the reasons for monitoring and scope of monitoring before implementation of such policies. Policy explanations supported by facts, business reasons and examples will quite easily get the buy-in from the majority of employees. Such a transparent approach by the employer will enable the building of a lasting trust in the workplace."
In organisations such as banks, where industrial espionage looms large as a constant threat and the confidentiality of customers' data is a primary concern, employers need to be extra cautious. "We have an IT policy which guides our staff on the proper usage of computing facilities and resources - including the internet and e-mail - within the OCBC Group. Being good netizens, our staff are required to comply with [bank policies as well as the] laws and regulations within the environment in which he or she operates," says Gilbert Kohnke, head of group risk management at OCBC Bank, Singapore. He adds: "In order to ensure that all our communications and information technology infrastructure are always secure, efficient and effective, we reserve the right to monitor e-mail usage when necessary."
Organisations like Satyam Computers in India have come up with a unique solution to soften the image of the tyrannical big brother breathing down employees' backs. Its chief information security officer is from within the HR department and the company publishes its information security policy on the intranet, and conducts awareness programs to ensure that all associates use company IT facilities only for business use.
"We have clear guidelines on the usage of mail facilities," says Hari T, senior VP-HR, Satyam Computer Services. "The security policies clearly indicate that mail is to be used for business rather than private use. The mail usage guidelines are comprehensive [in order to] to address the privacy issue as well. These are published on the intranet and are well publicised. We advise associates not to use company IT facilities for private use. Also, we advise them not to store any personal information on IT facilities."
The delicate balance
How many employers actually practise what they 'must do'? Some certainly do. While he agrees that it is imperative for employees to remember that the e-mail and computer systems are the company's property and therefore should be used only for work purposes, Tan Kin Lian, CEO of NTUC Income Singapore, asserts that employers must remember not to "infringe an employees' privacy rights or violate laws prohibiting the interception of private communication".
"To investigate a customer complaint, we may sometimes need to review the e-mail correspondence between the employee and the customer, to arrive at a fair decision. In such cases, our staff is told about this and they are very supportive of our practices."
Similarly, OCBC's Kohnke confirms that monitoring is only done when deemed absolutely necessary. "Although we have controls in place that allow us to trace the various websites visited by our staff, these are primarily implemented to ensure that our computer facilities or systems are only used for official business. While we have put in place Surf Control to restrict staff from visiting inappropriate websites, we recognise that the internet provides a wealth of information and knowledge, and we similarly encourage our staff to use it for learning, research and banking-related purposes and not for personal pursuits.
"We always respect the privacy of our staff's personal information and we separate this from those [employees] that breach the confidentiality of customers' data and/or classified information. All our staff are explicitly required under Section 47 of the Banking Act not to disclose customer information to any unauthorised parties," Kohnke explains.
How do employers know where to draw the line? Privacy laws in Asia, compared to the West, are still not very widespread or developed. "There's no protection for the right of privacy as such in Singapore, whether under legislation or under common law. There are no privacy laws in Singapore," says Celeste Ang, associate director, Drew & Napier LLC.
Ang adds that privacy can, however, be indirectly enforced in the employment context "through a breach of confidence action or through an action based on the breach of the implied term of trust and confidence - provided that the elements for the respective causes of action are established".
Thiveanathan confirms that there are no such privacy laws in Malaysia either. The situation is similar in India and China. "In spite of the recent scams in the BPO businesses, India as a nation has not progressed much in that direction," says Berger's Bhattacharya. "Although employers can and do sign secrecy/confidentiality agreements with employees and such laws and policies exist in the West and even in places like Australia and New Zealand, there are no laws in India today to protect employee's privacy."
While employer monitoring of personal data constitutes an emerging area of law that currently remains uncharted, it is important to note that if you strike a deal on privacy and trust, you must be willing to negotiate the employees' consent and work out a clear policy governing employee privacy. And if you are watching employees, let them know that you are doing so for the overall benefit of the business. HRM