
Trust is good, but monitoring is better – monitoring and data protection when working from home

For a long time, companies working in both the private and public sectors have had difficulty allowing people to work from home. On one hand, the option of working remotely from home often was (and still is) unavailable from a company standpoint, and on the other hand, there was a general suspicion that employees did not have enough of a sense of duty – although this was expressed more or less off the record. Since 18 January 2021, by order of the government, Swiss companies have been obliged to allow staff to work from home, provided that their work was compatible with it. What for some has been the norm for a long time is virgin territory for many others.

Home office is a blessing for some, but a curse for others. There is limited control and trust in employees does not go without saying. There is an obvious temptation to monitor or check on staff. So does remote working from home encourage superiors to observe and monitor employees? And what does the law have to say about it? In this blog article, we will be looking at these and other questions.

Let us be honest – most of us have succumbed to the temptation to empty the dishwasher, collect the mail or do some personal browsing online. While it is possible to do the last of these in the office, the others are only possible when you are working from home. That is a nice benefit, but maybe that is not the way your boss sees it!

Employers have a legitimate interest in ensuring that their employees are actually working during paid working hours. This is made worse by the fact that staff working from home can largely avoid their supervisor’s attention. There are other employer interests that could be negatively affected by employee misconduct, both when working from home and in the office, such as the technical infrastructure’s security. This can be compromised by introducing malware, for instance in e-mails or non-secure websites. It is also important to avoid any incidents that could damage the company’s reputation, such as losing confidential information or breaching data protection laws. This raises the question of how the employer can and, more importantly, is entitled to monitor their staff, both inside the office and when working from home.

There is a boom in surveillance software in this era of home office

Modern technology makes monitoring easier, for example by analysing log files. This means that it can be determined exactly when employees access what file and what they have done with it. Monitoring e-mail traffic, including the recipient’s address, subject and content, is every bit as straightforward as monitoring surfing behaviour on the internet. Log files provide information about which programmes were used, how often and for how long.

To ensure that productivity does not suffer when working from home, more and more companies are turning to what is known as “employee productivity tracking software”, i.e. monitoring software like Hubstaff, Time Doctor and FlexiSPY. For instance, the first two record the screen or the environment every few minutes and detect (among other things) whether employees are actually working. According to the internet portal top10vpn.com, demand for surveillance software has increased by around 51 % over the past year. Hubstaff, last year’s market leader, recorded a 41 % increase in demand in 2020.

Monitoring functions are or were also offered by widely used tools for holding online meetings. For example, up until April of last year, a Zoom presenter could use the “attendee attention tracking” function. This function enabled the presenter to check whether the participants had actually opened the software window or to view the private chat history. Thankfully, this function has since been removed.

Now, and rightly so, the question is being asked: to what extent is surveillance of this kind allowed by lawmakers? And what is definitely against the (Swiss) law?

Ban on behavioural monitoring

According to Ordinance 3 to the Labour Act (ArGV 3 822.113), there are definitely limits on the extent to which employees may be monitored. According to Art. 26 para. 1, monitoring and checking systems may not be used to monitor the behaviour of employees in the workplace. This provision is aimed in particular at protecting the health of workers. When staff are no longer allowed to leave the workplace due to constant video surveillance, for example, or if performance is measured on the basis of analysing e-mails, it is impossible to rule out an impact on freedom of movement or health. Hence, monitoring and checking systems are only permitted where they do not impair employees’ health and freedom of movement.

From this, it can be assumed that constant individual-related analysis of the log files, also known as marginal data, is not authorised for the purpose of monitoring user behaviour. Of course, exceptions are possible, such as in the banking sector, where for regulatory or compliance reasons there is systematic recording of e-mail traffic. This is intended to safeguard against possible lawsuits.

To summarise: monitoring software, whether the kind mentioned above or key loggers that systematically monitor and record activity, is completely banned.

Analysing anonymised data

However, it is permitted to analyse anonymised data. If there are any indications of misuse when anonymised data is evaluated, the employer may also conduct personal analyses, but these must comply with the principles of data protection. In addition, staff members must be informed of this.

Furthermore, analysis needs to be designed so that it constitutes the least possible intrusion on the rights of the individual. According to the Swiss Federal Data Protection Commissioner, personal monitoring should be the “last resort” and can only be used when all other means have been exhausted. These include technical and organisational measures that prevent misuse, such as blocked websites.

So what about data protection?

Data protection requires that the principles of proportionality, purpose limitation and transparency in accordance with Art. 4-11 of the Data Protection Act are taken into account during processing.

Furthermore, the processing of personal data must not unlawfully infringe the personhood of the person concerned. Unlawful means that data processing is not justified either by the consent of the data subject or by an overriding private or public interest or by a law.

Analysing log files constitutes data processing under Art. 3(e) of the Swiss Data Protection Act, if this marginal data is not anonymised prior to any analysis.

Legality

Justification is required for analysing these log files, for example the fight against corruption, money laundering or insider trading in the banking sector. Employers in less regulated environments may of course cite an overriding private interest.

Proportionality and ring-fencing

Collection of log data must be proportionate to the purpose stated. As far as the collection and analysis of log files is concerned, this means that only data that is appropriate for preventing and/or detecting misuse at an early stage may be recorded.

Transparency and legal certainty

According to Art. 321d of the Swiss Code of Obligations, the employer may issue guidelines on employees’ performance and behaviour in the workplace. These may include, for example, the use of the company infrastructure, e-mail and the internet. On one hand, a set of regulations on use creates transparency by defining what kind of use or abuse is permitted, and on the other hand, it avoids unnecessary arguments between the employer and the employee. These regulations should also define the scope of monitoring and potential sanctions. Needless to say, employees must be familiar with and have access to the regulations. In the absence of regulations, it is not permissible to analyse the log files.

Summary: is monitoring permitted or not?

We can definitively state that employers are not allowed to carry out systematic, non-anonymised employee monitoring. The use of monitoring software is also prohibited in Switzerland. Where abuse is suspected, the employer may carry out specific monitoring, but only as a last resort, once all other means have been exhausted.

Avoid taking any risks with our DPO-as-a-Service

Data protection is a complex issue – and not just since last year. Digitalisation, evolving technologies and cyber-attacks that are increasing at a rapid pace make it difficult to guarantee comprehensive data protection. This is why many companies would be well advised to call in external data protection experts for specific projects or on a retainer basis. Their comprehensive expertise and wide-ranging experience can be invaluable, particularly when it involves data protection.

As part of our DPO-as-a-Service, my colleagues and I will assist you with all issues relating to data protection within your company – from analysing and defining a data protection strategy to implementing and monitoring actions. What issues can we help you with? You can find out more about our DPO-as-a-Service here.

About the author / Daniel Däppen

InfoGuard AG - Daniel Däppen, Senior Cyber Security Consultant
