Over the last few years, stories of intrusive workplace surveillance practices have been making headlines.
For instance, in 2017, the British multinational bank, Barclays, received bad press after it was found to have been using OccupEye sensors under employees’ desks. The sensors used heat and motion technology to record how long staff members were spending at their stations.
Or perhaps most infamously, the e-commerce giant Amazon has prompted consistent concern over the past few years for its use of video monitoring and artificial intelligence software as a way to pressure warehouse staff to meet difficult metrics.
Whilst these stories sound like something out of a dystopian novel, workplace monitoring is not prohibited under the current legal framework, provided that employers can justify it and have a lawful basis.
In fact, not only is the practice permitted, but over the course of the pandemic workplace monitoring saw an unprecedented rise as many workers began remote/hybrid working.
Some company executives claim to utilise technology to “feel closer to their staff” and to use the technologies for good, for instance to give bonuses and promotions for excellent work performance.
Though there are benefits to workplace monitoring, for instance to keep track of productivity and to ensure that staff are using company resources appropriately, employers should not rush to carelessly install these technologies, known as bossware, without understanding their limitations.
In doing so, they may cause unprecedented harm to their employees in many ways.
What is Bossware?
Bossware comprises digital tools that enable managers to keep tabs on what workers are up to.
These programmes, whose names include Clever Control, Time Doctor and Staffcop, can monitor a wide range of information after they are installed on an employee’s device.
Depending on the app a business employs, monitoring might take many different shapes and forms. It may include tracking when emails are opened, monitoring online behaviour (including time spent on work-related apps), screenshotting keystrokes entered on certain pages, physical location tracking, and even webcam surveillance and photographing employees.
Many of the apps that were modified during lockdown to increase surveillance have analytics and reporting features already built in as well, including productivity scores, which raises the question as to whether managers can trust the information presented on these tools to evaluate their staff’s work performance.
Where technology is limited
The reality is, creating bossware which can accurately measure and represent a worker’s productivity is not an easy feat. For one, it necessitates breaking down complex work into many manageable, comparable and quantifiable components.
But even when these components are identified, the software cannot account for aspects of work which do not leave a digital footprint, including managing others, brainstorming, reading printouts, etc.
This means that where businesses make consequential decisions for workers, for instance about bonuses, promotions or firing, they risk making these decisions based on inaccurate information.
This was the case for Carol Kraemer, a long-time finance executive, who after taking a new job, began receiving unusually low paychecks because monitoring software had failed to register all the work she had done offline.
Therefore, employers should avoid relying fully on these applications and maintain an effective level of human oversight over the performance evaluation of their staff at all times.
Further, they should be careful about tracking the wrong kinds of deliverables in order to assess employee performance, such as number of clicks, as this can easily be faked if an employee is motivated enough and does not necessarily provide.
According to Ryan Fuller, former vice president for workplace intelligence at Microsoft, “we’re in this era of measurement but we don’t know what we should be measuring.”
Data collection and privacy threats
As well as concerns of inaccuracy, the more information the bossware application collects, the greater the risk of harm to the employees in the event of a breach.
This is an especially frightening thought considering that some applications can capture and privately store passwords and unsent emails, or even go as far as tracking employees’ GPS locations and activating webcams and microphones on worker devices, all of which is transmitted through a network.
Unfortunately, no method can completely ensure that the information gathered is secure from cybersecurity incidents or malware. But one of the best ways, if not the best, to mitigate that risk is by limiting the collection of information to what is truly, directly relevant and necessary to accomplish the employer’s specified goal.
In fact, it is a legal requirement under the General Data Protection Regulation for an employer to demonstrate that the monitoring is really necessary.
This, however, requires employers to dedicate considerable time to understanding how these applications work and what data they collect, in order to avoid using tools which are designed to collect the maximum employee data and where intrusiveness is a principal feature.
In addition to restricting data collection, it’s important that employers securely delete or dispose of the information from the bossware when they no longer need it. The less time they hold on to any information, the easier it is to protect it from security threats.
How far is too far?
Finally, looking beyond the technology’s accuracy and security, there are concerns about what the monitoring means for an individual’s right to privacy.
The right to private life under Article 8 of the European Convention on Human Rights extends to an individual’s life at work, as well as their life at home. This means that even where there are legitimate and beneficial outcomes that can be harvested from the use of monitoring, employers do not have a free pass to monitor staff as they want.
Instead, where companies implement workplace monitoring, they need to ensure they strike a fair balance between the right to private life and their own interests.
Previously this was easier to do as there was a clearer distinction between people’s work and home lives. However, since the pandemic, boundaries have been muddled as people’s homes became their office, making it harder for bossware to distinguish between work and non-work-related employee data.
This is especially true where remote monitoring products include webcam and other invasive features, because they might pick up on clues that could reveal manifestly private information. For instance, where a crib can be seen in the background, an employer might come to find that their member of staff is pregnant. 
Although it may be difficult for companies to achieve that fine balance between the requirement for privacy at home and their business’s interests, cases previously brought before the European Court of Human Rights involving monitoring of employees might just hold the answer as to how this can be done.
Cases such as Bărbulescu v. Romania demonstrate that the availability of less intrusive measures is one of the principal factors in whether Article 8 of the ECHR is engaged. Where the court found that employers could have relied on less intrusive means, it generally ruled against the monitoring, regardless of whether the employer justified the interference as taking measures to protect a range of their interests. This is consistent with the data protection principle of proportionality.
So, in a legal sense, increased surveillance and data collection is not always the solution to what could very well be a valid business need.
As we have seen, whatever the intentions, monitoring employees is not always the answer to an employer’s problems.
Having said that, employers do need to have a legitimate reason – that is, there must be a lawful basis to monitor staff, whether that is to carry out a legal obligation or to ensure worker safety.
But, even where employers can rely on a lawful basis to justify their actions, they must demonstrate that the information which they intend to collect is in fact necessary for their goal. This is known as the necessity principle and is regarded as a fundamental aspect of both data protection and human rights legislation.
Sitting alongside necessity is the proportionality principle, which requires employers to consider less intrusive means of attaining their goals. This could be through implementing policies and procedures on how staff are expected to work or even limiting monitoring to particular areas of business. As we have seen in previous European Court of Human Rights cases, this could be one of the deciding factors as to whether Article 8 was indeed engaged.
Finally, a review of workplace monitoring cannot be concluded without mention of GDPR’s transparency principle, which requires employers to provide their staff with sufficient information about the monitoring activity. This can help employees manage their expectations as to how their data is being used and also provides them with the opportunity to challenge what may very well be an unlawful practice.