Beware of Privacy Pitfalls When Remotely Monitoring Lab Telecommuters

Before the pandemic, 80 percent of U.S. employees worked primarily from an external workplace; today, only 21 percent do. Coaxing employees to return to the workplace will be an uphill battle, with recent surveys, including one from Pew Research, suggesting that 54 percent of those who are currently working remotely want to continue spending at least some of their working hours at home. In short, as with other employers, labs need to adjust to the realities of telecommuting. Among the biggest challenges will be maintaining productivity. One potential solution is to deploy technologies that monitor employees’ whereabouts and use of computer and other work equipment to verify that employees who work remotely are actually doing their jobs. Unfortunately, doing this exposes your lab to liability risks under privacy and other laws. Here’s a look at the risks and how to manage them.

Remote Monitoring & Teleworker Productivity

Remote monitoring technology may include apps that employees upload onto their personal computers and network software that can monitor the network, internet, and email usage of a large group of employees to collect data showing when they’re idle, how often they surf the internet, how and how often they email and make phone calls, etc.
In addition to helping maintain telework productivity, these solutions enable labs and other organizations to protect confidential business information and keep work hour, overtime and other records required by federal and state labor standards laws.

Remote Monitoring & Telecommuter Privacy

Labs need to be aware that use of remote monitoring solutions may run afoul of employees’ privacy rights under the following laws.

Federal ECPA Law

The main federal law that comes into play when labs remotely monitor employees who work from home is the Electronic Communications Privacy Act of 1986 (ECPA), including:

• Title I of the ECPA, aka the Wiretap Act, which makes it illegal to intentionally intercept, use, disclose or otherwise obtain any wire, oral or electronic communication;
• Title II, the Stored Communications Act, which requires maintaining the privacy of stored electronic information; and
• Title III, which regulates pen registers and trap or trace devices that record identifying information about communications, e.g., the phone number dialed, but not their actual substance.

While these ECPA restrictions would seemingly ban employer monitoring of telecommuters, they’re also laden with exceptions. The most important of these is the business use exception, which allows employers to monitor employees’ oral and electronic communication, as long as they do so for a legitimate business reason. In addition, the ECPA doesn’t protect the privacy of stored information on the employer’s own servers or equipment. Last but not least, it also leaves the door open for employees to consent to the employer’s collection, use and disclosure of their protected information.

State Privacy Laws

Some states have their own, more restrictive personal privacy laws that may apply to remote monitoring of lab employees. For example, some states like California, Maryland and Illinois, have “two-party consent” laws requiring everyone involved in a phone call or electronic communication to consent to its monitoring. Other states, including Connecticut and Delaware, require employers to give employees notice that they’re being monitored before monitoring can take place.

Contract & Labor Law

Telecommuters may also have reasonable expectations of privacy under their collective bargaining agreement (CBA) or individual employment contract. In addition to violating the CBA, the National Labor Relations Board has issued case rulings finding that use of cameras and surveillance technology on employees constitutes an unfair labor practice, at least to the extent it occurs while they’re engaging in organizing or union-related activity.

Common Law

Another potential source of employee privacy rights is “common law,” or non-statutory law made by judges in deciding court cases. Cases have found that use of surveillance technology to spy on employees may constitute a tort such as intentional infliction of mental distress. Routine use of remote monitoring solutions to manage telecommuters probably wouldn’t cross the line. To rise to the level of intentional infliction of mental distress, the privacy violation would have to be pretty flagrant. Specifically, the telecommuter being monitored would have to prove that:

• The employer engaged in not just privacy-invasive but “outrageous” conduct;
• A reasonable person would consider the invasion highly offensive and causing distress, humiliation or anguish; and
• The employee actually did experience distress, humiliation or anguish.

4 Ways to Keep Remote Monitoring Solutions Compliant

If your lab uses or is thinking about using technology to monitor employees who work remotely, you need to ensure that you do so in a way that doesn’t get you into legal trouble. The problem is that this is a new area of the law and we don’t have any cases or official guidelines specifically addressing how to do that. The best source of guidance we have is indirect in the form of analogy to the rules that courts and arbitrators (“courts”) have used to evaluate the legality of cameras and other workplace surveillance technology.

1. Use Must Be Reasonable

Rule of Thumb: Employers can collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate under the circumstances. Courts typically use a four-part test to determine whether use of surveillance technology is reasonable and appropriate:

• The use of the technology must be demonstrably necessary to meet a specific need;
• The technology must be likely to be effective in meeting that need;
• The loss of privacy to the employees being monitored must be proportional to the benefit gained; and
• There must be no less privacy-invasive way of achieving the same end.

We know from surveillance technology cases, that courts are more open to use of privacy-invasive technology in the workplace when it’s used for health, safety and security purposes.

Example: A court found that a locomotive company’s use of surveillance cameras to safeguard employees’ health and safety after a number of safety incidents was reasonable.

Example: A court found it reasonable for an employer to install a GPS in employees’ vehicles to promote safe driving and ensure compliance with OSHA laws.

Remote monitoring solutions can be used to ensure a telecommuter’s health and safety while working from the lab, of course; but their primary purpose is to monitor telecommuter performance or productivity. Historically, courts have been reluctant to allow employers to install cameras, GPS and other privacy-invasive surveillance solutions for such purposes.

Example: A food company installed surveillance cameras in its factory to monitor who entered and exited the plant, trace sources of food contamination and prevent theft. The union contended that use of the surveillance cameras was unreasonable and violated employees’ privacy rights under the collective agreement. After balancing the employer’s interest in security and food safety against the employees’ privacy expectations, the court ordered the employer to remove the cameras in the food production areas while allowing it to keep the cameras at the entry and shipping areas in place.

Example: A court concluded that an internet service provider’s use of surveillance cameras to manage the productivity of its sales, marketing and technical support staff was unreasonable because there were less privacy-invasive alternatives available.

It remains to be seen whether the prevalence of telecommuting will cause courts to loosen up and give labs and other employers more leeway to perform monitoring for productivity purposes.

2. Information Collected Must Be Kept to Minimum

Another key factor is what and how much personal information the employer collects to monitor telecommuters remotely. Collection must be limited only to the information necessary to accomplish the purpose of deploying the technology and not include non-work-related personal information in which telecommuters have reasonable expectations of privacy. Accordingly, software or apps that tap into lab employees’ personal calls, emails or computer use will be highly problematic.

Courts will also consider the kind of technology used. Spyware and technologies that enable labs to intercept communications, scan or capture images for content, monitor keystrokes or covertly listen into phone calls are particularly invasive and likely to raise privacy red flags.

3. Telecommuters May Need to Consent

Employers generally need consent to collect, use or disclose employees’ personal information. But there are exceptions. As noted above, the exceptions under the federal ECPA are pretty broad and require nothing more than a legitimate business purpose. However, consent requirements may be much stricter under state laws. As has proven the situation with use of surveillance cameras, the two exceptions most likely to justify use of remote monitoring technology without employee consent include:

• Getting consent would compromise the availability or accuracy of the information collected; and
• The collection of the information is for the purpose of investigating violations of the employment agreement or the law.

Of course, exceptions are unnecessary when employees give their consent freely. This might be the situation with remote work to the extent that employers are in the position to require employees to consent to being tracked in exchange for permission to telecommute. Such consent would probably be legally valid, provided that it clearly spells out what information will be collected and how it will be collected and used.

4. Telecommuters Must Know They’re Being Monitored

Remote monitoring technology is more privacy-invasive when you use it surreptitiously without employees’ knowledge. For example, in a 2005 case, a court ruled against an employer that secretly installed keystroke logging software on an employee’s work computer to monitor productivity. Information allowing an employer to know how employees use their work time may be necessary for employee management, the court reasoned. However, the keystroke software overreached and collected unnecessary information for employee management purposes.

Solution: Create a Written Telecommuter Monitoring Policy

The best way to manage privacy liability risk is to include specific language in your telecommuting policies and arrangements that provides for monitoring. The idea is to let employees know exactly what you’re going to do and how and ensure they don’t have reasonable expectations in the information collected. Like the template on the G2 website your policy language should, at a minimum:

• Explain the purposes for which you use remote monitoring solutions;
• Describe the actual solutions you use and how they work;
• List the specific kinds of information to be collected, which should correspond to the attendance, performance and productivity standards that you’ll use the data to monitor;
• Indicate who will have access to the information and how they’ll use it;
• Require lab employees to accept and consent to these terms in exchange for being allowed to telecommute;
• List a contact person or office where employees can direct their questions or concerns; and
• Provide for accommodations to the policy in accordance with federal and state anti-discrimination laws.