Published on Friday, July 24, 2020 - 11:17 by Camilla Winlo
PwC recently faced heavy criticism after developing a tool to track the habits of staff working from home.
The accounting giant is in talks with other financial companies about the technology, which uses facial recognition software to determine when staff leave their desks and how long for.
Many organisations have been reluctant to let staff work from home, because they are concerned that employees would work shorter hours or take longer breaks.
In the finance industry, there’s also the risk that employees might commit ethical violations, such as insider trading. PwC claims its tool would mitigate this risk, but critics say it infringes on employees’ privacy.
We spoke with Camilla Winlo, director of consultancy services at DQM GRC, about this story and the role that employee monitoring should have in organisations.
Organisations have the right to implement measures to ensure that employees work responsibly, whether at home or in the office. They can do this with preventive controls, which prevent risks, and detective controls, which identify when risks are present.
PwC’s monitoring technology might seem flawed simply because it’s a detective control. That is to say, employees are being tracked extensively because the organisation thinks they might eventually do something wrong, even though there is no evidence that they would.
However, detective controls are an essential part of business. Consider, for example, that the majority of organisations monitor employees’ browsing history for violations of acceptable use policies.
As Winlo says: “A detective control must by definition be examining ‘nothing to see here’ as well as ‘the risk is crystallising now’. And it’s likely that ‘nothing to see here’ is examined overwhelmingly more often than ‘risk crystallising’.
“So, to use access controls as an example – if you are surveilling your employees to figure out who is attempting unauthorised access, you will be overwhelmingly surveilling people who are either not accessing anything or doing so with authorisation, just in the hope of spotting the needle-in-the-haystack anomaly.”
So the problem isn’t the monitoring itself, but the fact that the intrusion into employees’ privacy doesn’t match the scale of the threat.
Although most detective controls will require some trade-off between an employee’s privacy and their safety, in this instance, it’s not just a case of monitoring an employee’s work habits but their overall lifestyle choices.
“When employee surveillance happens in someone’s home, you have a potential double whammy of ‘nothing to see here’ and ‘I am acting in a private capacity right now’,” Winlo notes.
“And of course, employers generally have more of a legitimate interest in observing an employee’s working activities than their private ones. As a rule, that’s only not the case where the private activities could have a direct effect on the employer.”
Responding to criticism, PwC emphasised that its technology would be used only on traders who are already used to working under strict FCA (Financial Conduct Authority) guidelines, and that the measures were necessary to tackle the specific threat of insider trading.
In a statement, PwC wrote that the facial recognition software was “designed to support those adhering to the regulations while remote working, in the least intrusive, pragmatic way.”
And although it’s understandable that the organisation would need to implement measures to ensure it is complying with FCA rules, many would take umbrage at the claim that it was the “least intrusive” way.
Under PwC’s plan, employees would have to provide a written explanation for prolonged screen absences – something they presumably wouldn’t have to do if they left their desks while in the office.
Another issue is whether surveillance would actually capture insider trading taking place or provide a chain of evidence that would support an allegation.
The organisation would need evidence that the individual had inside information and that they had carried out a trade because of it – which would require extensive surveillance beyond simply monitoring when an employee was at their desk.
Indeed, organisations already use tools that detect suspicious trades; meanwhile, many cases are flagged up by whistle-blowers and self-regulatory organisations.
When it comes to the privacy implications of their monitoring activities, employers should consider six things:
If you are going to surveil employees, what is the chance that the surveillance is going to capture the moment the risk event crystallises, in a way that you can use as evidence?
Is there another way you can get the same results without relying on a privacy-intrusive option?
Rather than monitoring all your employees, can you track only those where there is a specific reason to believe that they might be doing something wrong?
Rather than surveilling your suspect pool all the time, can you monitor them only when the target activity is likely to take place?
Can you have an authorisation process that only permits surveillance for certain types of serious misdeeds?
Rather than reviewing all surveillance materials, can you review only those that were made at the exact time the target activity occurred, and erase everything else?
Can you restrict the pool of individuals who can access the surveillance? Can you ensure it is encrypted and otherwise protected to avoid unauthorised access?
Most employees do not expect to be under permanent surveillance and would consider it intrusive and unwelcome.
However, it is also likely that employees would understand that an employer would need to take reasonable steps to detect and prevent serious risk events.
How will you consult with and inform employees so they understand when they might be under surveillance and agree that that is proportionate in the circumstances?
Data protection and privacy are more important than ever, with people increasingly aware of the dangers of lax practices.
This is thanks in part to laws such as the GDPR (General Data Protection Regulation), which places the onus on organisations to inform individuals how their data is being used and why it’s necessary.
PwC hasn’t yet implemented its monitoring practices, but you can see how quick people are to point out the legal issues that it presents. However, smaller organisations won’t necessarily get the same warnings when developing processes that may breach the GDPR.
That’s why organisations that are unsure whether their practices could land them in trouble should consider our Data Protection Support Services.
Our consultants provide practical solutions for organisations that don’t have the specialist expertise. We can help you fulfil ongoing compliance requirements, such as those of a DPO (data protection officer), or give extra support on a provisional or project-based basis.
Our services include incident management and response, policy design and creation, DPO (data protection officer) as a service, DPO absence cover and DPIA (data protection impact assessment) support.
If you are interested in any of our services then please either use the contact form or contact us via one of the methods below: