What happens to privacy in a world where there is no physical boundary between professional and private life?
This article first appeared in the Australian Financial Review on 16 July 2020.
With a large proportion of the Australian workforce currently operating remotely – and one in three Australians expecting to attend their workplace less often in a post-pandemic world – employers are being exposed to unique challenges in managing and motivating a distributed workforce.
New issues are emerging relating to worker safety, cyber security, compliance with company policies, and employee productivity.
The NSW Court of Appeal has recently confirmed that an employer may still be liable to pay workers compensation for injuries suffered by employees working from home if the injury occurred during the course of employment.
This will likely be the case where the injury was sustained at home while the employee was usually working and the employment itself was a substantial contributing factor to the injury.
Beyond the safety of workers in a distributed context, the safety of data has become a significant issue.
The UK has recently seen its first class action concerned with cyber risks and a data breach by an employee.
The UK Supreme Court held that the employer was not vicariously liable for the employee’s breaches, as the conduct was motivated by a personal vendetta and not done in the course of employment.
These cases highlight the need for employers to examine their preparedness for the future of remote work.
Specifically, the risk of data breaches and cyber attacks, both external and internal.
A 2019 Verizon analysis of data breach incidents found that more than a third of breaches involved internal actors.
The spectre of cyber security is exacerbated when employees who have access to confidential information are working remotely, as the boundaries between personal and professional lives are blurred.
What are businesses doing?
So how are businesses managing these risks to avoid liability for data breaches by employees?
Businesses already gather and analyse data relating to employee behaviour and compliance with policies. Swipe cards, video surveillance, and email monitoring during work hours is nothing new.
But with the increased freedoms and risks associated with the ‘new normal’ of distributed work, employers are looking to deploy more invasive technologies to be the remote eyes and ears of an organisation – to monitor their workforce, ensure productivity and reduce risks of non-compliance with legal and regulatory obligations. Specifically, to avoid any liability and loss which may arise from employees disclosing confidential data.
New surveillance technologies move beyond tracking employee productivity on specific activities and enable employee monitoring 24/7 – treading a fine line between legitimate surveillance and an Orwellian Big Brother.
These surveillance tools promote total control over digital assets by mitigating internal risks through monitoring all data generated by employees.
This may include their GPS co-ordinates, computer and phone activity, and communications over email and social media.
The use of natural language processing and AI combined with these datasets allows the tools to flag risky behaviour and obtain insights which can be used to improve security practices.
Beyond the considerable ethical concerns about the use of AI in business, intensive workplace monitoring not only has legal risks but also may lead to a culture of mistrust which undermines workplace productivity.
But when will the line be crossed between legitimate workplace monitoring and excessive employee surveillance?
Who will monitor the surveillance?
Australia does not currently have uniform workplace surveillance laws (or general surveillance laws) and only two states and one territory have enacted specific legislation to deal with the issue.
In the other states and territory, general surveillance laws are unfit to deal with the employment relationship and would generally not apply.
Any protections afforded to employees under the enacted laws are minimal.
For example, under existing NSW law, surveillance of almost any form will be allowed if an employee has been appropriately notified and it is undertaken in accordance with an established workplace policy.
One of the few ‘no go’ zones for the types of activities which cannot be subject to surveillance by employers is CCTV in changerooms and toilets.
The result is that employees have limited protections from intrusions into their privacy and often won’t be privy to how the information mined about them is used.
In line with this, the federal Privacy Act contains a relatively broad exemption for employers in respect of ‘employee records’ that they hold about their employees, meaning that, for the most part, an employer does not have to comply with the Privacy Act in respect of the majority of personal information held about an employee.
With many employees expecting flexibility in a post-pandemic world, the need to manage issues related to remote working are here to stay. But what happens to privacy in a world where there is no physical boundary between professional and private life?
How can privacy be left at the door of the workplace when the workplace has become your home?
In the absence of specific and comprehensive legislative guidance on workplace surveillance in Australia, employers must seriously assess whether in undertaking proactive risk management strategies they are striking the right balance with employee privacy and promoting, not eroding, workplace trust and productivity.