Privacy in the office is a difficult road to navigate. Successfully balancing the right of an organization to protect its assets and pursue its interests with the right of workers to enjoy their private spaces is fraught with gray areas that could lead to adverse consequences.
Then came this pandemic which has made just about everything ten times more challenging.
With many people now in work-from-home (WFH) or telecommuting arrangements, locating and enforcing that critical boundary between work from home has become a priority for many.
The Telecommuting Act that is now in place is supposed to address most concerns in this situation, including those relating to privacy and data protection. Unfortunately, the law makes telecommuting merely voluntary for private sector entities and their employees (and says nothing about government work).
The parties must agree to adopt such a setup and establish the terms and conditions. Among such terms are the minimum standards for labor and data protection, and the use of available security and privacy technologies. The law leaves it up to companies and their workers to thresh out the details.
This is disappointing. As things stand, there are bound to be wide gaps in the implementation of different organizations who are left to look for their own references if they want to explore this route.
Thankfully, there are some court decisions to turn to that offer some guidance on the scope and limits of privacy in the workplace.
Take the case of computer use. If you’re wondering whether a company can lawfully monitor and search computers it has assigned to its employees, the local case of Pollo v. David (2011) answers in the affirmative.
In that case, a computer assigned to a government employee was searched as part of an investigation involving that employee. He was being accused of moonlighting and the result of the search confirmed the allegation.
After the employee was dismissed from service, he brought the matter before the courts.
Using the “reasonable expectation of privacy” test, the Supreme Court ruled in favor of the employer. It said the employee failed to prove he had an actual expectation of privacy either in his office or in his office-issued computer. It did not help that they actually had a policy that explicitly says users do not have an expectation of privacy in anything they do on their computers.
The same policy also says password use does not imply that such an expectation exists. The employer has global passwords anyway that it can use to access materials, including those password-protected by employees.
There is a more recent case on this issue, except that it took place in the EU.
In B?rbulescu v. Romania (2017), an employee was fired after the company found out that he used his Yahoo Messenger account to send messages to family while at work. The company had instructed the employee to create that account for office work.
The employee filed a case on the ground that his right to privacy had been violated. His employer countered that it was clear from company policies that office computers are for work purposes only. It had also notified everyone of its duty to supervise and monitor their work.
The case was elevated to the European Court of Human Rights (ECtHR) which ended up siding with the employee. Once again, the “reasonable expectation of privacy” principle proved to be crucial.
The Court reasoned that while the employee was apprised of the ban on the use of the office computer and internet for personal purposes, it was not clear if he was properly informed that monitoring would take place.
It did not seem like he was aware of the extent and nature of his employer’s monitoring activities, particularly whether it had access to the actual contents of his communications.
The Court also listed down six factors it felt was relevant in its evaluation:
- Notification of the Monitoring. Employers should explain clearly the nature of its monitoring activities and it should do so in advance.
- Extent of the Monitoring. Specific items that should be considered include: (1) whether monitoring applies to the flow of communication (i.e., internet usage) or its content, or both; (2) whether all or only part of communications will be monitored; (3) duration of the monitoring; (4) number of people with access to the result of the monitoring.
- Justification for Monitoring. The employer must have legitimate reasons for its monitoring activities. Since monitoring of content is more intrusive, there should also be a stronger justification.
- Necessity of Methods and Measures. The employer must be able to show that its objective could not be achieved via less intrusive means.
- Consequences for the Employee. It should be clear what the collected information will be used for—specifically, if they are indeed used to attain the declared objective of the monitoring activity.
- Adequate Safeguards. Employers must not be able to access the actual content of communications unless employees are informed in advance.
From these two cases, it is evident that the “reasonable expectation of privacy” test is a critical tool when trying to determine if the surveillance or privacy-invasive practices of an employer are reasonable and capable of withstanding a legal challenge.
Employers would do well to keep this mind and should probably incorporate it in their Privacy Impact Assessment protocols.
One more thing. The factors cited by the ECtHR correspond to a number of data privacy principles many people are already familiar with: transparency, legitimate purpose, proportionality, and security. This is good news because it means that, as long as a company aligns its data processing practices with said principles, it can rest easier knowing it is unlikely to be violating data protection law.
With telecommuting becoming the norm (for who knows how long), organizations and their employees should work together as soon as possible and establish those terms that will guide their relationship for the duration of such an arrangement.
Their combined efforts will create for everyone the best chance to survive this ordeal in a way that upholds the interests of all concerned. One need not be sacrificed just to accommodate those of others. There is a way to go about this as long as everyone has the will to do it.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives.
The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.