Have expectations of privacy at work caught up with hybrid ways of working?

Clouding the issue

Cloud-based computing is now a key feature of hybrid working. In one case, an employee who had been using his personal phone for personal text messages had been inadvertently logged into his work cloud platform, and consequently all of those text messages (some of which related to his dissatisfaction with his employer) were uploaded to a platform visible to his employer and colleagues. In another case, an employee of a start-up using Google Docs inadvertently uploaded personal documents containing private information for the whole company to see. Such cases represent a pertinent warning as to the privacy dangers of cloud-based systems and the risk of private information coming into the employer’s domain.

Employees are also often unaware that their employers have access to their internal chat platforms, such as Microsoft Teams, and that their conversations are not in fact private. Some employers use trigger-based software to monitor red flags on such platforms, or will perform random spot-checks for compliance purposes. Some less trusting employers may resort to ‘spyware’ to monitor employee productivity and to track employee location.

As we highlighted in our article last year, employers can rely on software to track how employees are spending their time – how many emails are being sent per hour, how often the mouse is used, what location they are working from, and to monitor traffic on Teams and other messaging channels. Employees should not overlook this, and should be aware that their use of work devices and platforms is fettered.

But there are also tricky issues for employers, who cannot simply assume that the inadvertent appearance of private information on work-based systems means that all rights to privacy in that information have been waived. Employers should question whether their information security policies are adequate, and whether they have warned staff of the consequences of mingling work and private communications and the monitoring of such communications, as well as ensuring that the consequences that follow for employees are fair and reasonable.

Regulatory alert

Employers must also be aware of the risk of regulatory intervention if they allow the use of unofficial communications channels to run riot. In December last year, the Securities and Exchange Commission in the US announced charges against J.P. Morgan Securities LLC (JPMS), after JPMS admitted that, over a three-year period, its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. It received a fine of $200 million.

So what’s the message?

New ways of working bring new risks. From an employee perspective, the potential technological complexity of hybrid working creates a very real risk of confidential, personal information being disseminated more widely than originally intended. Employees need to be savvy, to ensure that their expectations of privacy in the workplace have caught up with the realities of the hybrid working world.

On the other hand, privacy breaches and monitoring systems raise a range of regulatory and practical issues for employers, and monitoring should not be used indiscriminately or without warning. In general, employment tribunals (and the Information Commissioner) take the view that employees ought to be warned of the consequences of the personal use of workplace systems, and regulators are taking an increased interest in practices that might militate against proper record keeping, with potentially expensive consequences for employers who have failed to keep up.