The Israeli Privacy Protection Authority’s (PPA) recently published position on the monitoring of employees working remotely presents new guidelines and recommendations for employers that are building a system to perform such surveillance.
Since remote work (or at least the new format of remote work prevalent since the COVID-19 pandemic) occurs in employees’ homes, employers must ensure they do not materially infringe on their employees’ privacy or the privacy of others residing in the home, especially minors.
The new recommendations do not prohibit the use of technological surveillance measures to supervise and monitor employees’ remote work and they recognize employers’ right to manage their businesses. However, the PPA’s guidelines outline rules to ensure that surveillance of employees is carried out proportionately, solely for legitimate purposes pertaining to the employer’s business interests, and while informing the employees and obtaining their consent (except in exceptional instances).
The guidelines differentiate between two types of surveillance: standard surveillance measures and surveillance measures that are highly invasive. In relation to the second type, employers must implement a more stringent policy, as specified below.
To comply with the guidelines and recommendations, employers should take the following considerations into account before using surveillance measures:
Standard Surveillance Measures
– Reasonableness and proportionality – Monitoring may only take place during work hours. The collection and retention of information/photographs of family members must be avoided.
– Surveillance is permitted solely for defined business purposes (without straying off target).
– Information must be deleted as soon as it is no longer needed.
– Employees must be informed of the surveillance and their consent to this must be obtained. Regarding consent, the following three points are important to keep in mind:
- Consent must be given in advance, but may be implicitly deduced and does not necessarily have to be explicit.
- If remote surveillance is being used in conformity with the requirements of proportionality and legitimacy, the employer may obligate employees to consent to the collection of information. An employee’s refusal to issue consent could have repercussions in terms of the employment relations between the parties.
- Employees’ consent does not allow employers to deviate from the rules of reasonableness and proportionality.
The PPA instructs employers to inform employees of their surveillance policies, even within the framework of a declaration of a general corporate privacy protection policy. However, the PPA recommends that employers formulate and communicate a detailed policy that specifies the rules about what is prohibited and permissible when using computers and applications while working remotely, and that employers should consider explicitly anchoring the policy and rules in the employment contract and in the workplace’s regulations and standard work procedures.
Highly Invasive Surveillance Measures
With regard to highly invasive surveillance measures, the default is different: it is preferable not to use them, except in extenuating circumstances and for a specific purpose. The non-exhaustive list of highly invasive surveillance measures includes the following:
- Tools that scan and monitor websites the employee views and his email account (if it is not an email account restricted to professional use).
- Tools that control webcams and microphones for the purpose of photographing the employee and eavesdropping on him and his surroundings.
- Tools that monitor mouse movement and how the employee uses the computer keyboard (keyloggers).
- Tools that take screenshots of the employee’s computer screen.
- Tools that track an employee’s eye movements when using the computer, to examine the content being viewed on the computer.
- Tools that collect data on the location of the employee’s vehicle.
In relation to these measures, the PPA has issued a series of further recommendations, in addition to the basic recommendations about standard surveillance measures:
- Any such use will require a “thorough examination” of the necessity of such information, on the one hand (including how personal information reviews are conducted), and the possible harm to employees and their privacy, on the other hand.
- Informing employees in a general manner is insufficient. As stated, the employer must inform employees in writing and with full transparency, including as to how the surveillance measures will be carried out, the frequency and timing of the monitoring, the type of information that will be collected, what use will be made of the information collected, where it will be stored, and for how long.
- The guidelines do not obligate employers to ask for their employees’ explicit consent to these measures. However, the wording of the PPA’s position implies that, if the court is required to adjudicate a privacy violation claim based on past precedents, it will not look favorably on such use without explicit consent.
- Within the context of information retention and deletion, the PPA refers to the Data Security Regulations, which obligate organizations to perform an annual review to ascertain whether the information stored in the database exceeds its legitimate purposes. The PPA believes that, in relation to uses of data on employees working remotely, reviews of the pertinency of stored information should be carried out more frequently.
Considering the new recommendations, employers should refresh their corporate privacy policies and disseminate them in detail and transparently to their employees, preferably upon hiring. It is also important to formulate and implement a policy of performing reviews of the information collected and stored and its necessity, at least annually, as well as privacy protection reviews that examine the risks involved in the use of surveillance technologies.
Furthermore, employers should review all workplace contracts with suppliers and other third parties (surveillance technology-providers, database administrators, etc.), in order to ensure they are complying with all provisions pertaining to privacy protection and database security, and to limit their exposure to employees’ personal information.