back to article Big Brother is coming to a workplace near you, and the privacy regulator wants a word

The UK Information Commissioner's Office (ICO) has weighed in on the thorny issue of workplace monitoring with guidance to ensure employers stay on the right side of the law. As far as the ICO is concerned, "monitoring workers" means any form of monitoring of people carrying out work on behalf of the employer. This might …

  1. jake Silver badge

    "or offsite [...]outside work hours.

    Outside working hours they should have no jurisdiction whatsoever. Period.

    1. Neil Barnes Silver badge
      Mushroom

      Re: "or offsite [...]outside work hours.

      But US working hours are apparently 24/7... I'm definitely with you on this one, Jake: if you want me to work - or even to talk to - outside my core hours (for me and my colleagues, 37.5 hrs/wk, though I work part time these days), you damn well pay me overtime for them. That's *significantly extra*, not the default rate, and definitely not zero.

      This concept of 'if you're not prepared to put the company above everything else' expectation is completely and utterly insane...

      1. KittenHuffer Silver badge

        Re: "or offsite [...]outside work hours.

        I remember seeing a t-shirt more than 30 years ago at the Bulldog Bash that said "Cash, gas, or ass! Nobody rides for free!"

        1. jake Silver badge

          Re: "or offsite [...]outside work hours.

          The original was "Ass, gas or grass, nobody ride for free". Often found on a sticker near the passenger doors of '70s fuck vans, or on a bumper sticker.

          I tried to track down the origin of this phrase several years ago, and it seems it came from the early days of selling T-shirts and other merch at drag races and was in reference to the many hitchhikers coming to races who couldn't afford a car of their own or were too young to hold a license to drive. Mid 1960s or thereabouts.

      2. jake Silver badge

        Re: "or offsite [...]outside work hours.

        "But US working hours are apparently 24/7"

        Don't be disingenuous. It's not becoming.

        That said ... Many moons ago (early '80s) we were given pagers to carry "for emergencies". I turned mine on when I got to work, and off again when I left work. My reasoning was that I wasn't being paid when I was off work, therefor they had no right to try to contact me. Needless to say, management wasn't very happy with my interpretation. They called HR, to get me to see reason or to fire me. HR took my side (!!!). Long and short of it, everybody with a pager wound up with an extra dollar per hour for each and every hour we were required to be on call when otherwise off duty.

        A couple years later a few of us were presented with DynaTacs ... we all said "more money, please". This time, we were compensated $1.75/hr. For awhile there I was collecting for both the pager and the phone. It was quite lucrative, added up to a hair over $18,000/yr in mid '80s dollars.

    2. KittenHuffer Silver badge

      Re: "or offsite [...]outside work hours.

      The ICO is big on the words "must," "should," and "could," with only the former comprising absolute rules to follow.

      Outside working hours they must have no jurisdiction whatsoever. Period.

      FTFY

      1. graeme leggett Silver badge

        Re: "or offsite [...]outside work hours.

        ICO on "should"

        "Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law."

        1. Helcat Silver badge

          Re: "or offsite [...]outside work hours.

          Yup - it's the same with road laws: Must is a requirement backed by legislation, Should is best practice and could is advice on how to be nice.

          And just like road laws, there can be exceptional circumstances where the courts will allow that an action was justified that would otherwise be a breach of the legislation/law. However, much like road laws, there will also be people who think they're the exception and do what they want. Until caught. That's when you find out what teeth the law has.

          1. T. F. M. Reader
            Big Brother

            Re: "or offsite [...]outside work hours.

            From

            wget -o /dev/null -O - https://www.ietf.org/rfc/rfc2119.txt | sed 's/specification/law/g':

            3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

            [I was always slightly amused by the (quite correct) reference to "must" in the above sentence: it is an absolute requirement of the law to understand the full implications...]

            [The icon is obvious.]

      2. hoola Silver badge

        Re: "or offsite [...]outside work hours.

        The interesting caveat on this is where corporate devices are also used for personal use.

        If someone is using their corporate laptop outside of work hours for personal use should it be monitored?

        Is personal use of that device permitted?

        If yes then is that personal use subject to corporate policies?

        If the last is "yes" then monitoring is probably acceptable.

        Where I work there is the option to have a company phone or they will simple take over your number and you have one phone, they pay the bills. I chose to have a separate corporate phone, then when I an not at work I can ignore it!

    3. A Non e-mouse Silver badge
      Mushroom

      Re: "or offsite [...]outside work hours.

      I'm going to disagree here.

      If I'm using a work supplied device (Laptop, mobile phone, tablet, car, etc) then I think the business is justified in ensuring I'm not misusing the business asset it has given me to perform my duties.

      If you're using your personal devices to do work, then you're a muppet.

      1. Jellied Eel Silver badge

        Re: "or offsite [...]outside work hours.

        If I'm using a work supplied device (Laptop, mobile phone, tablet, car, etc) then I think the business is justified in ensuring I'm not misusing the business asset it has given me to perform my duties.

        First, define misuse. It's one of those things that cuts both ways. I hire someone to do a job. That might be to produce 100 widgets a day, or 100 lines of usable code. As long as the job is done, I am not that fussed about how it gets done. Which is one of the problems with workplace monitoring. Just because you can, it doesn't mean you should. When I was an employee, and a permanent home worker there was a manager who insisted that everyone must have their laptop cameras uncovered and available at all times. Which would mean I'd have to get dressed. Sure, the company did have a dress code, but that was to keep the offices looking vaguely respectable. There are plenty of videos on the 'net where unexpected objects end up in the viewing area though on video calls.

        There's also fun stuff like activity monitoring. So Mr Eel, your activity log show you've been idle for 3mins or more 72 times this week. Explain yourself! Which for many of us should be easy. We typically get paid to think how the hell we're supposed to implement whatever it is that's just landed as a task in our inbox. Until neural interfacing is more advanced, thinking time can't be measured. Which is also a bit of a shame because then thinking about work-related stuff outside of contracted hours also can't be invoiced.

        It''s probably also an IR35 issue, ie if my work is going to be closely monitored and scrutinised, it's going to be harder to argue that I'm independent. Pay me, my or chosen delegate to solve a problem and it'll get solved. If it doesn't, don't pay or sue.

        1. jake Silver badge

          Re: "or offsite [...]outside work hours.

          Activity logging is a joke.

          As a consultant, I ran across a guy who "won" the "number of lines per day" sweepstakes several months in a row by constantly re-writing the same bit of code each day.

          Well, to be fair, he'd check out the code in the morning (call it "A"), then in the evening he'd check back in a completely different bit of code that did the exact same thing (call it "B"). The next day, he'd check out B, re-write the comments in "A", and check that back in. The following day, he'd check out A again, re-write the comments in "B", and check that in. Lather, rinse repeat. For well over a year. I almost fell sorry for him when I caught him at it.

          Management was really, really pissed off at me, though ... because I exposed a whole bunch of similar shenanigans that had been happening under their noses. They were fired en-masse.

          Traditional management's feudal derived mindset doesn't work with IT. It can't, because IT is primarily a meritocracy by nature.

          1. Bebu Silver badge
            Windows

            Re: "or offsite [...]outside work hours.

            《Well, to be fair, he'd check out the code in the morning (call it "A"), then in the evening he'd check back in a completely different bit of code that did the exact same thing (call it "B"). The next day, he'd check out B, re-write the comments in "A", and check that back in. The following day, he'd check out A again, re-write the comments in "B", and check that in. Lather, rinse repeat. For well over a year. I almost fell sorry for him when I caught him at it.》

            The real crime here is that he didn't automate the whole process with a few scripts and cron or batch job. ;)

            《Management was really, really pissed off at me, though ... because I exposed a whole bunch of similar shenanigans that had been happening under their noses. They were fired en-masse.》

            Unfortunately I know it wasn't the management that were fired. However deserving never happens.

      2. doublelayer Silver badge

        Re: "or offsite [...]outside work hours.

        And what kind of misuse justifies what level of surveillance? This isn't about things like device management which can prevent you installing software that hasn't been approved. In many cases, it's not even more invasive software that's still designed for technical protection. Usually, we're talking about software that's supposed to check whether you're doing your job or not, but since it isn't smart enough to know that (your manager is, funnily enough), it uses various unreliable proxies like whether it thinks you're typing enough at the right times. What is the misuse you think needs protection, and how extreme can a surveillance measure get before you have a problem with it?

        1. jake Silver badge

          Re: "or offsite [...]outside work hours.

          "And what kind of misuse justifies what level of surveillance?"

          If you can't be trusted not to misuse the device, it should be removed from your care, end of.

          Surveillance of employees is a whole 'nuther issue. All it is is micro-management taken to its illogical conclusion, and usually is a complete drag on the entire organization.

      3. Dinanziame Silver badge
        Angel

        Re: "or offsite [...]outside work hours.

        I watch a lot of porn with my work supplied service — nobody has complained so far...

        Fabricati diem, pvnc

        1. Kane
          Joke

          Re: "or offsite [...]outside work hours.

          "I watch a lot of porn with my work supplied service — nobody has complained so far..."

          Working for PornHub doesn't count.

      4. jake Silver badge

        Re: "or offsite [...]outside work hours.

        "If I'm using a work supplied device (Laptop, mobile phone, tablet, car, etc) then I think the business is justified in ensuring I'm not misusing the business asset it has given me to perform my duties."

        So turn it off, and leave it in your desk drawer when you're off duty. The car is different, it's at least partially a perk, not just a business tool ... usually. Have your lawyer read the fine print before signing the lease documents.

        "If you're using your personal devices to do work, then you're a muppet."

        Correct. If my 9-5 job requires a laptop (phone, breakout box, TDR, VOM, wirewrap gun, screwdriver, bigger hammer, or any other tool) my employer can damn well provide it. If I have to provide the hardware, I'm a consultant, and you will pay me accordingly.

        If I am required to carry it 24/7, they will pay me accordingly. I am not an indentured servant.

        1. Electronics'R'Us
          Thumb Up

          Re: "or offsite [...]outside work hours.

          Even though I am back in full time employment, I typically work from home 4 days a week. There are times I need to go to the main office (a few hundred miles away) for a complete week. New hardware needs some TLC, usually.

          At home, when it gets to 5PM, all the employer supplied equipment gets turned off and my office is not revisited unless I need to use one of my own devices to do something (print labels perhaps).

          I am fortunate that my immediate boss understands the concept of 'I need to solve a problem and I need to think about it' so my 'productivity' is measured by results

          I have heard tales from elsewhere (from those seeking to find employment elsewhere, usually) where things are not as civilised.

    4. Anonymous Coward
      Anonymous Coward

      Re: "or offsite [...]outside work hours.

      Outside working hours they should have no jurisdiction whatsoever. Period.

      That's nice, but as you're from the US and therefore about 100 years behind the rest of the western world in employment rights, it's just a dream. You know, like if someone in Europe said there should be flying cars or nuclear fission or something.

  2. A Non e-mouse Silver badge

    And consent is always needed

    Oh consent is simple: Either you consent or you don't work for us.

    1. KittenHuffer Silver badge

      In that case my consent would only last long enough for me to find another role elsewhere.

      1. Anonymous Coward
        Anonymous Coward

        Fortunately, consent is transferable.

  3. Anonymous Coward
    Anonymous Coward

    " "monitoring workers" means any form of monitoring of people carrying out work on behalf of the employer.'

    So the PHB looking through the office window, poking his head round the door or even listening to office chatter drifting through the building would count as "monitoring" under that definition.

    1. Killfalcon

      Probably, unless the full wording specifies 'electronic' somewhere.

      Thing is, I don't think that's a problem. It's known and understood that the boss can see and hear people in his physical vicinity, and can often be encountered in the workplace. It's not a novel or secretive form of monitoring (nor does it create records relevant to data protection laws).

  4. Anonymous Coward
    Anonymous Coward

    Meh.

    It's why I have privacy covers on all the laptop cameras. I don't trust *not* having them fitted and the cameras blanked until *I* decide I want to show my ugly mug to someone.....

    Plus my job has me working across different laptops (customer requirement), so when it comes to productivity checking, my employer is going to have a bit of a struggle if they want to go down that route.

    I don't have a problem with my employer making sure my work provided assets are used for company business, but I draw the line at them being able to access the camera to invade my privacy any time someone feels the need.

    1. UCAP Silver badge

      My company laptop is switched off and closed up when I am not working, good luck on getting any images from it then. During work hours I also have a cover on the laptop's camera unless I am actively using it. Again, good luck getting any images unless I am in a meeting.

      My personal computer at home does have a camera on it, but if my company ever attempted to access it they would find themselves in the wrong end of a court case so fast you would here the sonic boom.

    2. Kane
      Joke

      "privacy covers on all the laptop cameras"

      Gaffer Tape. It fixes most of the worlds' ills.

  5. Howard Sway Silver badge

    Dumb companies equate activity with productivity

    Measuring activity gives no insight at all into whether an employee is earning their keep. To measure productivity you have to look at how much output they produce and evaluate the quality of the work. Which is harder to do for management, and the reason why unproductive managers often go for the lazy option of activity monitoring in the first place.

    If employees know that they're being judged by activity they will generate plenty of it, in the easiest way possible, whether it's useful or not. Often to the detriment of producing better work, which may require doing things that don't look as active as more inefficient ways of doing them.

    I can't think of any area of IT where this doesn't apply.

    1. MichaelGordon

      Re: Dumb companies equate activity with productivity

      Exactly. Monitoring, for example, lines of code produced will just result in a lot of incredibly verbose code. Fixing code to run twice as fast or be half the size of existing code will show up as zero or negative productivity and therefore never happen.

      1. teebie

        Re: Dumb companies equate activity with productivity

        Some managers would rather pretend they have never heard of Goodhart's law

    2. Anonymous Coward
      Anonymous Coward

      Re: Dumb companies equate activity with productivity

      Getting dangerously close to becoming a cynical BOFH.... Another management change, another management model. Rolled out as the 'new thing' but it is really the 'same thing' we saw several managers back.

      We know how to win at that model and all the other models. We will make the metrics look positively glowing. Bonuses & atta-boy's for everybody!!

      Actual productivity...what's that?

      1. Bebu Silver badge
        Windows

        Re: Dumb companies equate activity with productivity

        《Getting dangerously close to becoming a cynical BOFH....》

        Embrace the dark side. :)

        The management restructuring possibilities of the open window can then be fully appreciated. :)

        I mean the assisted plummet of a manager invariably results that manager's restructuring.

    3. Headley_Grange Silver badge

      Re: Dumb companies equate activity with productivity

      A company I worked for was about to make a bunch of people redundant. I was in a meeting with some other managers and all the directors discussing the the (UK) process and the criteria we would use to decide who should go. The subject of productivity came up and as we discussed it it became clear that many of the people in the room were talking about utilization, not productivity. One of my peers got a bit fed up of this and pointed out that how occupied or busy someone was is not a good proxy for their productivity. When the HR director started arguing the manager pointed out of the window at the cars in the front car park - where all the directors parked their company cars - and said something like "those cars are probably used for about two hours a day on average - about 10% utilization - so I assume they'll be going before we get rid of any staff.

  6. Tron Silver badge

    Article 8 of the Human Rights Act 1998

    Isn't Cruella abolishing that?

    1. abend0c4 Silver badge

      Re: Article 8 of the Human Rights Act 1998

      I presume Chris Philp, when he's run out of passport photos, will also be wanting access to your work webcam to compare with his database of most wanted Lurpak rustlers. I think they'll be forming a disorderly queue to abolish any notion of privacy.

  7. Anonymous Coward
    Anonymous Coward

    How do you measure work? You employ me to do a job. I do that job and we are both happy. If I don't do that job then you have a case for me not doing my job. A lot of the work I have done in the past in relation to analysis have meant I am not using the computer. I might have a pad in front of me (old school I know but mainly doodling possibilities in some strange language only known to myself) working out the myriad ways I can do something and thrashing it out in my head to decide the absolute best and most efficient option that will get me what I and my boss wants. I might even go for a walk for 15 minutes still thrashing out these ideas then after I've determined the right one off I go to do it. I'm nothing special but using this method means I rarely get stuff wrong which saves me and the company time in the long run. How do you measure that? I'm not at my computer. You can't see me on the camera. What the fuck do you think I'm doing? Having a wank? No, I'm working and as long as you get what you need that's all you need to know. Not to mention switching from my work laptop to my home workstation as I have no internet restrictions to get stuff done and also have no intention of moving all my shortcuts to a system I'm running through a VPN and firewall when my machine is on over a 1gb internet connection. This is just dumb. What next? Using the cameras in supermarkets to monitor the staff? What are we becoming?

    1. Headley_Grange Silver badge

      %Utilization

      "...as long as you get what you need that's all you need to know..."

      You're thinking like an engineer, not a manager (a compliment).

      They also want to know that you took the amount of time that they costed in because if you did it with less hands-on time (but still delivered and booked the planned time) then it means you've got more capacity and could be doing something else productive and the company could be more profitable. That's the main reason why they don't like WFH - the terrifying thought that they could be making more profit by sweating people who they think could be working harder.

    2. Anonymous Coward
      Anonymous Coward

      Stopping work at home for a quick hand shandy has been more productive for me than being on-site and dragged into yet another pointless meeting to which I didn't contribute.

      1. Anonymous Coward
        Anonymous Coward

        Not sure which is harder.

  8. Caspian Prince

    We will be monitoring your acti-

    "Goodbye then."

  9. Anonymous Coward
    Anonymous Coward

    Interesting note

    Some employers actually retain personal data and if someone leaves, it "accidentally" gets leaked to predatory loan companies and scammers.

    Good luck recovering from that, its not like you can change a passport, driving license etc assuming you get it back at all.

    The usual excuse given is "third party" or "You can't prove anything"

    Happens a lot in some circles, seems that it is often (mis) used as a way to enforce draconian workplace discipline.

    AC for I'd hope, obvious reasons.

    .

    1. Killfalcon

      Re: Interesting note

      I think it's potentially provable, unless they're being very, very thorough, but expensive.

      Just sue them (this is the expensive bit). Provided you can convince a judge that the bullshit started coincidentally close to when you left the firm, and that no-one else had the info.

      Get a court order for emails to and from them and the debt resellers, you'll find it quickly enough - chances are the dodgy companies won't want to get any legal scrutiny (and will have no loyalty whatsoever to a random source of details), so will just hand over things to make the issue go away, and if your former employer lies you can catch them with the differences.

      If it's a real concern, six months or so before you walk, get a new unique email address and update your HR records to that. Fingerprint the sods, makes the rest of the business much simpler.

      1. doublelayer Silver badge

        Re: Interesting note

        Before I start, I've never had this happen, never known someone who said it happened, and I kind of doubt that many companies would want to do it. However, if we just assume that a company is going to, your suggestion is not likely to prove anything about it. For example, you suggest that we prove that only the company had the information necessary to do this. The problem is that they don't. Depending on your country and personal finances, probably every bank or other financial business you've dealt with has had all that, places where you rented things may have had enough, and any subcontractor who checked about you would have had access to enough data. Any of those places could have stored data longer than they needed to and been hacked, and it's not even that illogical to assume that's what happened and they're scared of fines (if you live in a country with a regulation that could fine them for doing so).

        If a company decides they want to harass you, they have lots of options. It wouldn't be very hard to decide to delete the emails reporting information about you right after sending them or to use a system that's easier to hide. The only way that this works easily is if they're completely incompetent on how to unnecessarily retaliate, but I'm guessing most of those won't bother trying, so if you're facing retaliation, they probably know at least some things about how to get away with it.

  10. s. pam
    Holmes

    He's been here for years

    In case you've seriously thought your IT group was doing you a favour with some of the "system management apps" like Jamf, what they've actually been doing is slowly but Shirley grabbing more data on your use of their asset.

    Yes your $work computer is their property and yes, you should never do anything contrary to company policies, but every week another idiotic website, etc sets off their alarms. Same is true for using VPNs like they provide as its proof of the time you do/don't work.

    Wot? Me paranoid? no me realistic.

  11. Zakspade

    Sacked

    I was sacked purely on the strength of one manager's opinion he gained from snooping on my conversation with a non-employee.

    When asked how I was liking the job by the non-employee (a friend of mine), my reply was that they were not only an American company, but they operated as such, loud and clear, and I thought I may begin looking elsewhere because it wasn't sitting easy with me.

    Said manager confronted me with a transcript of the conversation and sacked me. The CCTV in the foyer recorded audio as well as video...

    I'd name the company, but I suspect that it would result in this Post not making it past a Moderator (and on one person's word, I would probably jump on the Post as well). Suffice it to say - it is a real thing and it hurts. Okay, by the time I was sacked (the day after I had that conversation in the foyer), I was convinced by a good night's sleep that I would start looking elsewhere, but being summarily fired meant having to start my search that day as an unemployed person. Annoying.

    I realised a couple of years later that I could have, and SHOULD have, sued, but I was now working for a proper employer by that time and having resolved to make the job interview process as much about interviewing the employer than being interviewed - I let it go.

    But I wish I could name the offending employer (and the manager!).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like