Most people are only concerned about their privacy as a consumer if they are concerned about privacy at all, but people rarely discuss their privacy as an employee. The restrictions for organisations are different based on the location of the office. I’m going to focus on how things have been formalized here in the Netherlands, but I’m writing this article in English because of the relevancy for people in other countries as well.
Lots of straightforward things have been formalized here in the Netherlands, but technology is advancing like never before and you probably won’t be surprised if I claim that legislation in this field needs to catch up. A lot of relevant information can be found here, the website of the Dutch Data Protection Authority. Let me start with sharing the requirements that have to be met by organisations. Feel free to skip to the discussion & recommendations at the end of the article if you’re not interested in the legislation here in the Netherlands.
- They need to provide arguments on why access to specific information is important
- They need to use other means if possible to respect the privacy of employees
- They need to tell the Dutch Data Protection Authority about any type of monitoring
- They need to tell employees about monitoring and how they prevent abuse
- They need to take into account the privacy of employees w.r.t. communication tools
- They need to inform and ask approval from the work council (OR in Dutch)
- They should have a reasonable suspicion with regard to the actions of the employee
- They need approval from the Dutch Data Protection Authority before investigation
- They need to inform the employee afterwards regardless of the outcome
Now let’s talk about access to and use of email and the Internet. Companies are allowed to perform random checks to see if the use of email and Internet is appropriate. They are allowed to check if employees are sharing any company secrets, but also to check if too much time is being spent on non-work related things.
Companies are allowed to check your publicly available Social Media posts. They are not allowed to force you to connect with them on Facebook or Twitter for access to your private posts. They do have to inform you in advance if they’re checking your Social Media posts. Social Media use is something they can prevent by having you sign an agreement, but you are allowed to use it occasionally if no policy exists.
You are also allowed to use your company phone on occasion for personal calls if no policy exists. The company can create reports on the most expensive calls and ask for a clarification from their employees. They can record calls, but they need to mention this in advance and they need a good reason to do this such as with monitoring of the quality of customer support calls. In only very specific cases are they allowed to record or listen to calls without giving a notice first, such as bomb threats, possible criminal offence etc.
Companies are also allowed to use a tracking system to capture the location of employees, but they need to motivate this. One of the reasons could be to figure out which car is located near a specific customer. There are additional requirements for them if they want to track the location outside of working hours and a lot of these systems can be turned off temporarily because of this. They do need approval from the work council (OR) if they want to introduce a tracking system and as an employee, you are allowed to gain access to any type of report the company has on you and you can request them to make changes to it or delete specific information.
The Dutch Data Protection Authority’s website discusses things like smartphone use, but they focus on calls and not the use of apps. They also mention the use of Internet, but nothing about the use of the Intranet or internal applications. The website has a strong focus on email communication, but I’m a firm believer in the potential of Enterprise Social technology (hence my website www.enterprise-social.com) and one of my services is to help organisations transition from internal emails to an Enterprise Social network. It’s clear that the legislation has been written many years ago and I’m not expecting a complete overhaul as this topic rarely results in court cases.
I’ve been an IT consultant my entire career and have implemented technology within some of the largest organizations here in the Netherlands. I have also helped customers with creating reports, such as dashboards to measure the adoption of Enterprise Social technology. There is a lot a company can do, but they are not allowed to show the names of employees in all the reports they create.
The problem is that organisations do have access to a lot of information and it’s quite easy to create a dashboard which disregards the privacy of employees. You have to keep in mind that the applications developed for companies don’t have to respect the employee’s privacy and a lot is possible by writing code and accessing the data directly.
Let’s discuss your location. Company smartphones often have work-related apps installed on them and these apps could have access to your location. The Dutch Data Protection Authority’s website mentions tracking systems, but they focus on tracking cars while most of the development has been taking place in apps on smartphones and these apps often try to give you a better user experience by incorporating your location.
Enterprise Social networks is another topic we need to discuss. You can send private messages to your colleagues, but you can also create private groups with restricted access. You sometimes get the option to hide the group from your colleagues, but in most cases, your organisation can find this group and they can see the private conversations. They probably can also dive into your private messages and they can create detailed reports of your activity on the Enterprise Social network.
You are allowed to request access to reports if they include your name and your employer also has to share this with you, but how many people are even aware that these dashboards exist? This is why I always advice sharing dashboards without names with the employees and having an open discussion with them on positive or negative trends.
Conclusion & recommendations
The privacy of employees is something I find very important, which is why I’m writing this article. The projects I worked on that were related to statistics always incorporated the approval from legal and I would never help a customer create something that would disregard the privacy of their employees, but I’m also aware of how easy it has become to get detailed information and create dashboards that you probably wouldn’t like to exist. Chances are that companies in most cases do get any dashboard they want. Here are my recommendations on things you can do to protect your privacy as an employee:
Try not to install any work-related apps on your personal smartphone
It’s quite tempting, especially when you prefer to use your personal smartphone for your work, but installing these apps also shares more information and that might not be necessary. Take into account that some applications capture your location and this could also mean that they have access to this information outside of working hours.
Don’t use your work smartphone for personal calls
Companies can record calls in specific cases and this could mean that they also record your personal calls. Keep your personal calls private by always using your personal smartphone for this. Sure, you might be allowed to do this and it could save some costs, but you should also value your privacy.
Don’t consider the use of Enterprise Social networks as something private
This is a difficult one as I’m kind of the Enterprise Social guy, but I would still advise you to keep in mind that access to your private conversations or the private group could be just a simple feature. Check the admin features of the Enterprise Social network your company uses and also take into account that a lot is possible by writing a few lines of code. You also have to keep in mind that the use of apps such as Whatsapp to communicate about work is probably not allowed. Schedule a meeting and talk face-to-face if it’s something very sensitive.
Make sure you are active in portals and on the Intranet
Keep in mind that companies can create dashboards to see how often you access specific information. Here in the Netherlands this also means that they have to inform you that they create such reports, but take into account that such reports could exist. Try to make use of the Intranet more often and if you’re not using it at all because you really tried and couldn’t find any value, then maybe visit it to just open a few documents and make that dashboard turn green. I’m OK with dashboards as long as they don’t have names in them and advise my customers to follow this principle. They can still have a conversation with you about the dashboard and improve things.
Reach out to legal or a privacy officer if you have concerns
I’m a big fan of having open discussions and I think it can really help to have a conversation about this topic on the company’s Enterprise Social network, but I’m also aware that it probably won’t happen. Speaking up about this won’t help your career, which is why I would recommend to reach out to the person responsible for this. Don’t reach out to a junior person or a random person in a department, reach out to the lead and share your concerns in a meeting. Don’t write an email as this only enables them to have a discussion via email and not meet with you or give you a call.
Let me end on a positive note. I’m not discouraging you from adopting Enterprise Social technology or advising you not to install and use any work-related apps because technology has a huge potential and you can use your company smartphone for all of this. Just keep in mind that it’s important to draw a line between work and your private life. You probably don’t have to bring your company smartphone with you on a holiday, so leave it at home next time and try to discuss sensitive topics face-to-face.
Don’t assume that certain dashboards don’t exist and try to keep that in mind as your company probably has invested a lot of money in technology and they would like that technology to also be used. I’m seeing more and more discussions about the privacy of consumers and that’s great, but we shouldn’t completely ignore the privacy of employees and I hope this article has helped to give this topic some more attention.
Feel free to reach out to me if you’re looking into analytics solutions. Analytics is an important tool to increase the adoption of technology, but it’s also important to respect the privacy of employees. I understand that most people like to keep dashboards to themselves, but I would really like to encourage you to be more transparent and if possible share the dashboards internally and have an open discussion. These dashboards are measuring the activities of employees and it’s the employees that can help you understand why the dashboard isn’t showing the numbers you would like to see.[/vc_column_text][/vc_column][/vc_row]