In September 2017, the European Court of Human Rights (ECHR) overturned a Romanian court decision from 2016 that had previously ruled an employer had been within its rights to fire an employee for sending private messages while at work. The ECHR determined that the employee’s right to privacy had not been adequately protected, and that the expectation of privacy in the workplace cannot be zero. While the ruling underscores the need for better communication with employees regarding expectations of technology use and transparency regarding monitoring practices, it has little impact on the actual technological means of the monitoring itself, such as email archiving or compliance software.
Transparency and communication with employees is critical
The ruling does not mean that the enterprise cannot monitor employee communications at work. Nor does it mean that employers can never fire employees for personal use of technology while at work. What it does mean, however, is that expectations must clearly be set, and that monitoring of communications needs, itself, to be communicated to employees. While this doesn’t alter the way that underlying communications-monitoring technology works, it does change how the enterprise needs to interact with the people involved and implement processes to support effective monitoring.
Communications monitoring within enterprise organizations is pervasive, and in many cases, legally necessary to fulfill regulatory requirements. Email archiving, in which enterprise email (and often other messaging) is captured on a continual basis so that it can be securely retained for legal purposes, typically is invisible to the end user. Likewise, compliance software, which monitors and analyzes messages for potentially noncompliant content so that it can be reviewed by compliance officers, runs in the background, unseen by users. When these systems are working as they should, they are typically nonintrusive and invisible to end users; the surveillance is silent and hidden. This is where the friction with the ECHR ruling comes into play. Employees need to be made aware of communications monitoring. An IT-driven “set it and forget it” attitude toward email archiving, compliance software, and other communications-monitoring technology is no longer sufficient, because employees still have the expectation of some privacy within the workplace, and need to know how and why their communications are being monitored. Clarity and communication are key.
People, process, and technology are the three pillars of any successful enterprise initiative, and the ECHR ruling simply underscores the need to focus more on the people and process aspects of communications monitoring; the technological underpinnings remain unchanged by the ruling, and the enterprise will not need to make any alterations to existing software. However, people need to be made aware of monitoring programs, and a process needs to be in place to effectively train them on appropriate use of personal communications and devices within the workplace. As personal lives and devices increasingly become intertwined with work roles, the focus on people and process becomes ever more important, as technology alone cannot dictate human behavior.
Privacy as a Business Advantage, IT0014-003214 (January 2017)
“Personal email use in government cannot be curbed by technology alone,” IT0014-003242 (March 2017)
“For successful privacy training, follow the budget,” IT0014-003312 (July 2017)
Paige Bartley, Senior Analyst, Information Management