Cyber- monitoring of employees working from home has become increasingly common as employers seek out new ways of ensuring that employees are doing a fair day’s work.  During and post the 2020 lockdowns the purchase of employer surveillance equipment has skyrocketed with many new and innovative tools enabling employers to check up on employees.

There are competing views as to whether this does in fact lead to greater productivity with some, including PSA national secretary Erin Poluczuk, arguing that employees have a fundamental right to privacy and “shouldn’t have to spend [their] days at work under humiliating, frustrating scrutiny”.   She also points out that research shows that “an atmosphere of distrust leads to lower productivity” and a suspicious environment can cause pressure and stress.  She advocates for a trust-based approach where people are inspired to do their best and professional autonomy is rewarded with respect and support.

Putting to one side the moral issue of whether employers should or should not monitor their employees’ cyber activity, it is important that they understand the legal boundaries of this.  The tools available to employers now allow them to track employees’ keystrokes, including when this occurs, monitor how long the employee is on line, and even seize control of an employee’s computer.  Some employers have also insisted that employees leave their web camera on at all times so they can be observed whilst at work.

Not surprisingly, this type of activity has been resisted by many employees and has led to questions as to how far an employer can reasonably go in monitoring employees in their own homes.

The New Zealand Privacy Commission has sent a clear message to employers that “just because you can, does not mean you should”.  It has issued a warning to employers that they must be able to justify why they need to collect the information to enable their agency to function.

The Commission has previously issued a ruling in a case involving the collection of information including emails sent to and from a work computer, as well as key stroke logs.  The employer used information obtained from keystroke logging to access the employee’s personal web-based email account and copy several emails in the context of an employment investigation.

It considered that information collected directly from the work computer fell into a different category from information collected from the employee’s personal email account.  In making its findings, the Commission had regard to the Privacy Principles set out in the Privacy Act; including that agencies must not collect information unless it is for a lawful purpose connected with the functions or activities of the agency (Principle 1); agencies must take reasonable steps to ensure individuals are aware that information is being collected (Principle 3); and personal information must not be collected by unlawful means or in a way that is unfair or unreasonably intrusive (Principle 4).

Applying these principles, the Commission ruled that the collection of work-related information from the employee’s work computer was compliant because the applicable employment agreement and policies clearly set out that computers would be subject to monitoring. However, the policies were not explicit enough to make staff aware that key stroke information would be monitored or that such detailed information would be collected. 

Further, the access to the employee’s personal email account was found to go “well beyond any information that may have been relevant to the employment investigation” and therefore was not for a lawful purpose.  It also found that an individual’s email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it, so this method of collection was unreasonably intrusive.

In a recent Australian case, the Fair Work Commission upheld a dismissal in circumstances where the employer (Insurance Australia Group Services Limited) monitored an employee’s keyboard activity and established that she was not performing her rostered hours.  The key stroke analysis showed that there were significant periods of minimal or no activity and this was on a scale sufficient to constitute misconduct.

The increasingly sophisticated technology now available to employers makes a high level of surveillance possible, including creeping into the private homes of employees.  However reasonable boundaries need to be maintained and access limited to that which is reasonable and necessary.  Employees also need to be made aware of any monitoring that is occurring unless there are exceptional circumstances justifying covert surveillance.

Some employers may consider that the quid pro quo for allowing employees to work from home is close monitoring of their activity, but there is a point at which this becomes Orwellian and morally repugnant.

This article was first published in The Post