Get your staff's consent before you monitor them, tech inquiry warns Companies that monitor their employees should only do so after they consult with and get consent from the staffers they are watching or tracking. That's according to a report published this week after a year-long inquiry by the department formerly known as DCMS into the harms and benefits of connected technologies. The report …
If it really came down to it, any such company would just add a "Consent" clause to the default employment contract. Most already do, I imagine.
Consultation won't come into it. Or at best, you'd get "consulted" regarding whether you want to a) Like it or B) Lump it.
Another HR tick-box, Hooray.
you signed the employement contract, didn't you
Ah, but that dog may be a tad too geriatric to hunt anymore: remember the 'explicit' part of GDPR notification?
I think it could be argued that that applies to contracts too. Would be interesting to get that in Court at some point to have that confirmed because if it doesn't apply it ought to be changed.
Agreed - it will be in the small print that no-one reads (just like privacy policies.... I have read and understood <tick> <click>).
I have come across both bad and reasonable examples in my time as an IT consultant.... the UK Bank that monitored call centre employees to see if they were wasting time at their desk instead of handling calls, and even had a badge lock on the toilets (washrooms) to monitor how often they were using them. A more reasonable one was a pharmacy that was dispensing nuclear medicine for hospitals... monitoring safe handling practices was for the good of both employer and employee.
.. but of course they rather omitted the fact that if you do so, you will be treated the same as non-UK passport holders are treated by the UK.
It's interesting that neither side of that idiocy is prepared to show they're a tad more intelligent and benevolent than the other side, politicians always opt for tit for tat all the way.
Because if AI hasn't improved on that, then tell me again what it is good for.
It will have identified better bottles so employees can be back at work sooner, of course. It would be rather naïve to assume that Amazon was going to spend computer power on anything that benefits employees..
Peeing in a bottle at amazon 'forfillment centers'* will soon be a thing of the past as the employment contracts are going to be modified for more efficiency
In other words, you'll be forced to wear a catheter and the bottle will be strapped to your leg and you'll empty at the end of your shift...... although more likely it will be a special amazon bottle that will filter/process the liquid and return drinkable(if slightly warm) water to the user so that they can take a drink break without stopping.
* that phrase is just so cave johnston
This post has been deleted by its author
I once asked my boss's boss if the company would implement staff monitoring on PCs. He said, "That would be a very bad idea. We have to have trust in those we employ and from a personal point of view, if I have to monitor what my staff are doing across the whole dept then it means my under-managers are not doing a very good job and by dint of that neither am I.".
And the 1st time the company gets hit with a ransomware attack, then the monitoring begins!
Companies don't want to know every key stroke you enter, every work you write, but we must know what sites you are visiting. This is not used to produce evidence to fire someone. If they are screwing off at work, their manager should already know that and doesn't need this to make that decision.
we also need to know, if/and/or prevent you from installing in authorized software on your PC/Phone!
Most employers will need to obtain consent even if they’re not intentionally spying on their staff, making this all a bit pointless.
For example, everyone using Microsoft 365 is subject to monitoring. Employers can trial Priva and/or E5 whenever necessary and view metrics on which private conversations could be construed as ”targeted harassment” from electronic monitoring which already happened long before the licences were trialled. Likewise for Windows event logs, which show when users logged on/off, booted their workstations, locked/unlocked screens and many other productivity metrics. Phone systems will have extensive CDR logs, email systems will monitor how many messages are sent by any given user per day, and who those messages are going to, This is all long before we get into the realm of best practices for auditing the accessing of files on servers.
This data is being collected by default and every company will simply issue a boilerplate agreement saying that they’ll use the data for pretty much anything (refine business processes, aid in training, monitor general productivity as well as ensure system security) will end up in the oft-unread Office Equipment Policy and Data Protection Policy sections of the employee handbook, where all the cheeky cant-believe-theyre-not-NDAs end up anyway. Nobody in IT, HR or middle management will accept anything less, since novel uses for this type of data to protect company interests when sharks circle will almost always pop up.
We are not part of the EU any more. UK-only requirements for tech design will just cut the UK off from technologies. As well as becoming a third world toilet courtesy of the economic impact of Brexit, we will revert to the 1970s in our technology. Nothing new will be legal here.
Unless there are very stiff penalties for companies that fire employees for refusing to consent.
That being said, if I'm using the company computer for work, the company can monitor that all they want. They can monitor their phone as well as their email. But that's it. Any webcam will stare at the computer it's monitoring. It doesn't need to see me. The one on my laptop that I have no admin control to has a nice piece of tinfoil taped over the camera. It can monitor itself. Or, the docking station it's in is behind one of my monitors, go crazy.
Yeah, may as well not bother.
I don't think companies use the webcams of their devices for monitoring. Somebody would have to view the material and that costs money.
Also, what would they do with their knowledge of you doing whatever in front of the work laptop screen?
Don't think it's worth it.
Although strictly speaking it should not make a difference, I suspect that any practical [1] distinction will fall on the motive for monitoring.
If you only establish user identity after you know that a malicious link has been clicked and that you may need to remediate then that is one thing.
If on the other hand you are deluged with line management requests to establish how much time employee X is home shopping, that is another thing. A specific inquiry comes close to fishing.
1. practical distinction - never mind what this OII says; show me judgements and actual fines
2. some proxies don't track user identity - they simply allow or block depending on the destination category
It's fine to monitor as long as you tell them you are doing it, permission should not be required, that is just nonsensical.
Back in early 2000 i worked for a company called London web, who were secretly monitoring all staff, recording every keystroke and taking snapshots of desktop.
I was mortified when i found out, as this meant the boss had been reading my personal email, messages to my girlfriend, had all my login for my online banking and everything else I did from my work pc.
Obviously had I known, i would never have done anything personal or logged into anything from work and I would have been fine with that.
Before you start with all your troll comments about how those things shouldn't be done from a work pc, yada yada, wind your neck in and take note of the fact this was over 20 years ago, everyone was oblivious to such things back then, including me and most people still are, which is the point.
"I was mortified when i found out, as this meant the boss had been reading my personal email, messages to my girlfriend, had all my login for my online banking and everything else I did from my work pc."
We would NEVER do this, and if any one was caught doing this, they would be terminated immediately!
This is a blatant HR violation. We do not grant Managers access to staff mailboxes, if they ask they must go to HR and present a valid justification. That usually ends the conversation at that point!
The argument, "don't do that on you work PC" is fine until you realize that it's just not possible to stop. People have lives, kids they need to be in touch with, personal business that must get done during business hours.
But PLEASE, don't sign up to personal use websites with your company email address! And then complain to IT you are getting bombarded with SPAM!
Although it can go too far.
Our corporate overlords are in the Eu and their reading of GDPR is that anything on an a user's company computer is private, even work email.
So when somebody leaves, IT wipes the disk and archives email away somewhere. It takes a search warrant signed by 2 popes to get details of any work they've been doing that wasn't checked in or stored on a project fileserver.
You have no expectation of privacy at your place of business, or on their network! (except the rest rooms!)
Act accordingly, and you won't get into trouble.
While we do not actively examine internet traffic, will NEVER turn over traffic reports or browser history to a manager (if you, as a manager, suspect you have a problem with an employee wasting time on the internet, you already know you have a problem, deal with it!), understand, your internet traffic IS being monitored! Your PC IS being monitored and controlled. your company issued phone IS being monitors and controlled. We do not need your consent to do so! Your consent is assumed when you agreed to work here.
Understand, we do not care about your personal life, your political views, your shopping habits (but you should not be doing that at work, but hey, that's your managers problem), we care about protecting our network, protecting our data, and, protecting you! Also understand, if you are downloading torrents, hacking tools, illegal material, abusing the companies bandwidth, etc. YOU WILL GET CAUGHT!
If any of this bothers you then, BUY YOUR OWN PHONE, BUY YOUR OWN HOME PC and use that at home.
> You have no expectation of privacy at your place of business, or on their network! (except the rest rooms!)
>
> We do not need your consent to do so! Your consent is assumed when you agreed to work here.
Sorry, you can say this over and over, and might even think it makes sense, but the law doesn't generally take what you believe into account.
Over on the continent, companies have been finding that excessive* surveillance leads to fines. Employers aren't exempt from the rigours of GDPR just because they own the kit - if you're recording too much and someone starts using their machines in a way that leads to you processing a special category of data, it's going to be a bad day.
*definite excessive is, clearly, a bit tricky so anything beyond the most limited monitoring carries the risk of liability.
"Companies that monitor their employees should only do so after they consult with and get consent from the staffers they are watching or tracking."
Employers have a position of power over employees so consent is likely not to be considered "freely given" as required by GDPR and therefore not lawful. Therefore legal basis would have to be legitimate interests. Clearly consultation is still important, a DPIA for any new technologies used and most important of all is transparency.
If you are busy looking over your shoulder to see who is looking, how can look ahead for roadblocks in your project?
On another note there was a time when I operated in a position that had purchasing authority and in the process of carrying out my fiduciary duties would go on line to maximize the benefit for the agency. Kept getting blocked and after one finger pointing nasty session, it was found and quickly unfound [sic] that buying was done one good guy theory. So it can work both ways and managements brown streak can be unexpectedly aired.
To me this depends upon the ethical stance of the IT Director.
As a former IT director I frequently got requests from senior management to provide access to staff's data without consent. I politely told them to bog off unless they could get consent. I even had the CEO threaten me if I did not provide access - to which I replied, "go on then". He didn't and they either backed off or got consent.
So it is not a given that a company will act evil-ly if there are decent people looking out for the common man/woman and obeying the law....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
