Commentary: Weighing employee privacy

A new study shows that 27 percent of workers worldwide are having their e-mail monitored. That may seem alarming, but the statistic shows only one side of a tricky question.

3 min read
By Joyce Graff, Gartner Analyst

A newly released study by the nonprofit Privacy Foundation shows that 27 percent of workers worldwide are having their e-mail monitored. At first glance that may seem alarming, but the statistic shows only one side of a tricky question.

It's tricky because companies are increasingly faced with balancing the privacy rights of workers, consumers, patients--the list goes on--against the possible liabilities the company might incur if it takes insufficient precautions against preventing its workers from doing anything illegal or immoral.

On the one hand, there's a trend toward increased privacy legislation worldwide, led by the European Directive, the Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley, to cite a few examples, all of which stipulate serious penalties for infringing on consumer and patient privacy.

On the other hand, there's also a new wave of legislation concerning corporate responsibility. In Japan, for example, a company can be held liable for the actions of its employees, whether or not they were aware of the employees' actions.

It's no surprise that companies feel themselves between a rock and a hard place on this issue. If a company is liable for the actions of its employees, and if one of its employees accidentally or deliberately transgresses the privacy of a customer or patient, then that company is liable for serious civil penalties (that is, fines) or in the case of HIPAA, criminal penalties (in other words, someone goes to jail).

What's an employer to do? Monitor transmissions, of course, including e-mail, HTTP, FTP and, potentially, instant messaging, to check for adherence to policy.

How all these different forms of information are collected, stored and handled is the most important question for employee privacy. Although all messages might be routinely checked for inappropriate language or the presence of viruses, specific individuals should not be targeted for closer scrutiny by their managers unless that scrutiny is carefully monitored by the human resources department.

Privacy laws in many European countries now require that before a worker can be monitored, the requesting manager or police agency must document what information is to be collected, what they are looking for and how long the surveillance is to go on. If the request is approved, the human resources department must monitor to make sure the surveillance is not misused. Logs collected can be shown only to the people with a specific need to know and must be shown to the employee in question on request.

See news story:
Costs, caution spur monitoring of workers
The bottom line is that while monitoring is important to limit corporate liability, companies must take care to first enroll workers in the best practices for using technologies such as e-mail and the Internet and to prevent misuse of surveillance tools by rogue managers.

It's a delicate balance, and each company must ensure that it is in compliance with all the relevant laws governing privacy and responsibility in all the nations where it does business.

(For related commentary on corporate policy for monitoring employee e-mail and Internet use, see TechRepublic.com--free registration required.)

Entire contents, Copyright ? 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.