Privacy Law and Policy Reporter
David Banisar and Sarah Andrews
This is the fourth and final article surveying worldwide developments in surveillance extracted from David Banisar, Privacy and Human Rights 2000, EPIC/PI 2000, the annual survey of privacy and surveillance practices. The full report is available online at <http://www.privacyinternational.org/survey/> and from the EPIC Bookstore at <http://www.epic.org/bookstore/>.
Workers around the world are frequently subjected to some kind of monitoring by their employers. Employers supervise work processes for quality control and performance purposes. They collect personal information from employees for a variety of reasons, such as health care, tax and background checks.
Traditionally, this monitoring and information gathering involved some form of human intervention and the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace, however, has led to more invasive, often covert, monitoring practices which call into question employees’ most basic right to privacy and dignity within the workplace. The progress in technology has facilitated an increasing level of automated surveillance. Now the supervision of employees’ performance, behaviour and commun-ications can be carried out by technological means with increased ease and efficiency. The technology currently being developed is extremely powerful and can extend to every aspect of a worker’s life. Software programs can record keystrokes on computers and monitor exact screen images, telephone management systems (TMS) can analyse the pattern of telephone use and the destination of calls, and miniature cameras and ‘smart’ ID badges can monitor an employee’s behaviour and movements.
Advances in science have also pushed the boundaries of what personal details and information an employer can acquire from an employee. Psychological tests, general intelligence tests, performance tests, personality tests, honesty and background checks, drug tests and medical tests are routinely used in workplace recruitment and evaluation methods. A recent report by the American Management Association found that 43 per cent of companies carry out basic skills testing, 69 per cent test for specific skills and 46 per cent used some kind psychological evaluation. Since the discovery of DNA there has also been an increased use of genetic testing, allowing employers to access the most intimate details of a person’s body in order to predict susceptibility to diseases, medical or even behavioural conditions. The success of the Human Genome Project will probably make this kind of testing more prevalent.
Employers’ collection of personal information and use of surveillance technology is often justified on the grounds of health and safety, customer relations or legal obligation. However, in many cases workplace monitoring can seriously compromise the privacy and dignity of employees. Surveillance techniques can be used to harass and discriminate, and to create unhealthy dynamics in the workplace.
Privacy advocates have long maintained that providing notice of a monitoring or surveillance policy should, as a bare minimum, be required before employers can engage in such invasive activities. They support strong privacy principles in the workplace such as the International Labor Office’s Code of Practice on the Protection of Workers’ Personal Data which protects employees’ personal data and fundamental right to privacy in the technological era. These guidelines were issued by the ILO in 1997, following three comprehensive studies on international workers’ privacy laws. The general principles of the Code are:
not be the only factors in evaluating performance;
The Code does not form part of international law and has no binding effect. It was intended to be used ‘in the development of legislation, regulations, collective agreements, work rules, policies and practical measures’. Unfortunately, however, the laws differ greatly from country to country and in some there are few legal constraints on workplace surveillance. In the US, for example, the courts have typically been slow to recognise employees’ rights to privacy. There have not yet been any satisfactory and uniform determinations of what level of privacy employees are entitled to and how that privacy should be protected. Many believe that since employers have ownership or ‘control’ over the working premises, its contents and facilities, employees give up all rights and expectations to privacy and freedom from invasion. Others simply avoid the question by making employees consent to surveillance, monitoring and testing as a condition of employment. Legislation has recently been introduced, however, which would prevent employers from secretly monitoring the communications and computer use of their employees.
In European countries, the collection and processing of personal information is uniformly protected by the Data Protection Directive. However, the 997 Telecommunication Directive which provides for the confidentiality of communications is aimed at ‘public’ systems and so would not cover privately owned systems in the workplace. Nonetheless, many European countries, such as Austria, Germany, Norway and Sweden, have strong labor codes and privacy laws which directly or indirectly prohibit or restrict this kind of surveillance. In July 2000, the UK Data Protection Commissioner issued a new draft Code of guidance for employer/employee relationships. The Code states the obligations of employers under the Data Protection Act, and also takes into account the requirements of the Human Rights Act 1998 (which came into force on 2 October 2000). It lays down strong principles of data protection, prohibits the making of decisions solely on basis of automated data, requires employers to notify employees of surveillance policies and places limits on the extent of monitoring which can take place. It requires the explicit consent of employees before sensitive data such as medical or information can be collected and places strict limitations on drug, alcohol, genetic, aptitude and psychometric testing within the workplace.
Automated workplace monitoring has become increasingly common in recent years. Even in workplaces staffed by highly skilled information technology specialists, bosses demand the right to spy on every detail of a worker’s performance. Modern networked systems can interrogate computers to determine which software is being run, how often, and in what manner. A comprehensive audit trail gives managers a profile of each user, and a panorama of how the workers are interacting with their machines. Software programs can also gives managers total central control of individual PCs. A manager can now remotely modify or suspend programs on any machine, while at the same time reading and analysing email traffic and internet activity.
An employer can monitor the level of use of a computer through monitoring the number of keystrokes a word processing employee enters in a specified period of time or the amount of time a computer is idle during the workday. Numerous technologies are available which monitor and analyse the performance of IT workers. Some allow network administrators to observe an employee’s screen in real time, scan data files and email, analyse keystroke performance, and even overwrite passwords. Once this information is collected, it can be analysed by standard processing programs to determine a worker’s performance profile. These monitoring products are sold at very low prices and have infiltrated the market. A recent study by the American Management Association report found that 45 per cent of major US firms record and review employee communications and activities on the job, and that one in four companies said they had fired employees for misuse of telecommunication equipment. These snooping programs have also become popular, not just among employers, but also with law enforcement agencies, private attorneys, investigators and suspicious lovers.
In the workplace, the use of closed circuit television (CCTV) is usually limited to environments where the workers are confined to an office. Where staff are more mobile, companies are now using a range of technologies to track geographic movements. Advances in this area now allow carrier companies to place an electronic mechanism (described as a geostationary satellite-based mobile communications system) on trucks which then sends back to a main terminal the exact position of the vehicle at all times. In this way, carrier companies can ensure that no side trips or other deviations are taken from the prescribed route. Wide area systems such as Trackback are in use throughout the UK.
Telephone surveillance has become endemic throughout the private and public sector. In the US, employers have broad discretion to monitor employees’ calls for ‘business purposes’. Companies are extensively using telephone analysis technology. Call center workers for British Telecom are regularly presented with a comprehensive analysis sheet, showing their performance relative to other workers. Airline reservations clerks in the US and elsewhere wear telephonic headsets that monitor the length and content of all telephone calls, as well as the duration of their bathroom and lunch breaks. In one instance, telephone calls received by airline reservation agents were electronically monitored on a second by second basis: agents were allowed only 11 seconds between each call and 12 minutes of break time each day. Other airline reservationists have complained that they are evaluated based on how many times they use a customer’s name during a call or how often they try to overcome a customer’s initial objections to buying a ticket.
The level of sophistication of telephone surveillance systems can be astonishing. Some systems can record all transactional activity on a phone, together with destination numbers and times. Other technology can then process and analyse this data. A British program called ‘Watcall’, produced by the Harlequin company, can analyse telephone calls and group them into ‘friendship networks’ to determine patterns of use. Voice mail systems are also subject to systematic or random monitoring by managers. Most new systems have default pass codes for administrators, and these can open all message boxes.
Computers and networks are particularly conducive to surveillance. Employers can monitor email by randomly reviewing email transmissions, by specifically reviewing transmissions of certain employees, or by selecting key terms to flag in emails. In the latter case, software analyses a company’s entire email traffic phrase by phrase, and draws conclusions about whether a message is legitimate company business. It can be instructed to search for specific keywords and ‘damaging’ phrases. Some programs can even use algorithms to analyse communications patterns and turn them into images. Monitors can then look at these images to follow traffic patterns and detect whether sensitive data is at risk. Many employers rely on software for remote monitoring of email messages. With a few clicks they can see every email message that employees send or receive and determine whether they are ‘legitimate’ or not. Managers give a variety of reasons for installing such software. Some say it is to protect trade secrets or prevent sexual harassment incidents. Others want to prevent oversized emails clogging networks and using too much bandwidth. Others simply don’t want employees ‘wasting’ company time by using the systems for personal activities. In an ideal world, this monitoring should follow the conventional format; that is, one identical to the quality check that has applied to correspondence sent out on company letterhead. However, the speed and efficiency of email means that digital communication involves a vast intersection with personal corresp-ondence. It also has features more in common with an internal memo, for which there has always been less monitoring and management.
In July of this year, Dow Chemical Company in the US fired 50 employees and threatened 200 others with suspension after they found ‘offensive’ material in their email. The company opened the personal email of more than 7000 employees. Similarly, the New York Times fired 23 employees last year for sending ‘obscene’ messages. These cases raise complex legal and ethical questions concerning an employee’s fundamental right to privacy and due process. What if employees are sent ‘offensive’ emails by accident or maliciously? The email cannot simply be deleted. It remains logged on the company server, threatening the relationship of trust between employee and management. Or what if an employee is dismissed on the grounds of sensitive personal information (for example, relating to sexual preference or a medical condition) gathered through a system? This problem also arises when companies monitor all internet activity looking for visits to ‘inappropriate’ sites. At first sight, such surveillance has elements in common with traditional surveillance for hard copy pornography, but there are significant dangers to workers in the realm of electronic surveillance. The use of spam email to advertise X-rated sites results in workers entering sites that appear to be quite benign, or websites may be accidentally visited when displayed as a ‘hit’ in response to a perfectly innocent search query. The surveillance technology does not, however, distinguish between an innocent mistake and an intentional visit.
The monitoring of chat room visits has also created some distress in the workplace. There is an increasing trend among companies to dismiss and/or sue employees for divulging company ‘trade secrets’ or defaming the company in chat rooms. These have become known as ‘John Doe’ cases. As most people log on to chat rooms anonymously or using an alias, once a company observes a certain party in a chat room engaging in ‘illegitimate’ speech, they must subpoena the message board service, such as Yahoo or America Online, to obtain the identify the specific author. The service providers often turn over identifying information when presented with a subpoena without any notice to the individual. The number of these cases is rapidly increasing and threatens not only the privacy of employees but also their rights to anonymity and free speech.
There is also an increasing amount of drug testing in many countries. The number of companies using these tests has risen proportionately with the decreasing costs of the tests. For many employees, drug testing is now a standard part of working life. Companies routinely administer tests in the recruitment stage or at intermittent periods during employment even where there is no evidence of misconduct, poor performance or any other reason to suspect drug use. There are thousands of easy to use kits available on the market today which can detect traces of drugs within minutes and without the need for a laboratory. Most of these tests analyse hair or urine samples to detect traces of drugs such as amphetamines, marijuana, cocaine, opiates and methamphetamines.
The issue of widescale ‘preventative’ drug testing raises a whole host of questions concerning privacy, bodily integrity, freedom and the presumption of innocence. The process of testing itself can be hugely invasive. Observers are often present to prevent employees tampering with samples. In the case of urine testing, this can be particularly offensive. Consider the case of one employee who wrote:
I waited for the attendant to turn her back before pulling down my pants, but she told me she had to watch everything I did. I am a 40 year old mother of three: nothing I have ever done in my life equals or deserves the humiliation, degradation and mortification I felt.
This type of test can quickly turn from a necessary evil needed to protect lives and reputations to intimidation and harassment. It raises questions about whether the benefits to employers really outweigh the rights and dignity of workers. Manufacturing companies wishing to sell their products obviously claim they do. They extol the advantages of drug tests, claiming they can save employers thousands of dollars by reducing incidences of absenteeism, low productivity, accidents, injuries, compensation and health care claims. Governments generally have also encouraged testing as part of a larger war on drugs. What employers are not told, however, is that there are also numerous ethical and economic disadvantages to drug testing.
Drug testing fosters a climate of negativity based on suspicion and secrecy rather than trust, openness and respect. Low morale or resentment among workers may consequently lead to low productivity or profits. In addition, even though individual tests may no longer be expensive, because they are sweepingly administered among employees they may be costing employers far more than they are saving them. Catching one or two light drug users for every few thousand people tested is hardly an economical justification for the initial outlay. Even if tests do reveal traces of drugs there is no clear evidence to suggest that mild drug use has a greater effect on productivity than, for example, alcohol. Dismissing workers on grounds of policy and suspicion rather than performance and proof may result in the loss of valuable employees to the employer. Testing does not involve good management policy. Evidence has not shown that drug testing can deter future use, and it is in no way a substitute for proper guidance, support and counselling. In fact, in an ironic twist, routine testing may even encourage more serious drug usage among employees. As one commentator says:
If one wants to get inebriated on a Friday night and still pass a urine test Monday, smoking a joint would be foolish. Cocaine and alcohol would represent the ‘safer’ choices of intoxicants because alcohol is ‘legal’ and cocaine cannot be detected in the body as long.
Finally, drug testing is inaccurate and can often lead to false and misleading results. A report by the Ontario Information and Privacy Commissioners’ Office says up to 40 per cent of tests are inaccurate. Highly sensitive tests can be positive even when the drug sought is not present. Some say positive reactions may result from a carry-over following a strongly positive result earlier or from human error, such as contamination due to failure to cleanse equipment. Others note that certain legal substances can also result in positive tests for illegal drugs — for example, there have been reports of Vicks inhalers resulting in positive tests for amphetamines and metamphetamines, standard anti-inflammatory drugs like Ibuprofen showing up positive on marijuana tests, and even traces of morphine being detected from poppy seeds.
As DNA and genetic databases have become more common worldwide, there has been a concurrent rise in the use of testing by employers. Although there are legitimate uses of genetic testing, such as the prevention of occupational diseases, there is also a serious danger that employers will use these tests to discriminate against current or potential employees. Without legal intervention, information indicating, for example, whether someone is prone to a debilitating illness or even an ‘undesirable’ condition (such as laziness or depression) may be used by employers to discriminate against employees.
Genetic testing is a particularly intrusive invasion of privacy, involving as it does the very ‘core’ or ‘make up’ of an individual. Moreover, this testing may have implications not only for the individual but also their family, gender, community or race. The American Civil Liberties Union (ACLU) notes that:
some genetic conditions are associated (sometimes inappropriately) with certain racial or ethnic groups. For example, sickle cell anemia is associated with African-Americans, and predisposition for breast cancer ... with Ashkenazi Jews.
Although genetic testing is still not as common as, for example, drug testing within the workplace, there are strong indications that it becoming an increasingly common practice for employers. In 1982, a US Federal Government survey found that 1.6 per cent of companies were using genetic testing for employment purposes. A follow up survey in 1989 found that number had increased to 5 per cent. A recent American Management Association study found that 15 per cent of major US firms are conducting some kind of genetic testing or ‘testing for susceptibility to workplace hazards’.
Recognising this danger, a number of international bodies have recommended that the use of genetic testing within the workplace should be carefully circumscribed by law. In 1989, the European Parliament issued a resolution recommending legislation to prohibit genetic testing for the purposes of selecting workers or examining employees without their consent. It advised that employees must be informed of any analysis and implications of genetic data before tests are carried out and allowed withdraw from testing at any time. The Council of Europe has also recommended that ‘the admission to, or the continued exercise of ... employment, should not be made dependent on the undergoing of tests or screening’. Similarly, the World Medical Association (WMA) has issued statements to this effect. In 1992, issuing a Declaration on the Human Genome Project, it recommended the adoption of laws similar to those which prohibit ‘the use of race discrimination in employment or insurance’. In May 2000, it announced that it will draw up guidelines on the development of centralised health storage databases which will address ‘the issues of privacy, consent, individual access and accountability’.
Perhaps because it is still a relatively new phenomenon, few countries around the world have yet adopted specific laws on genetic testing, although in many cases this kind of testing may be indirectly prohibited by existing labor codes. It is also possible that the use of genetic data by employers to discriminate against workers may violate equal opportunity or anti-discrimination laws. In the US, for example, it has been suggested that genetic testing could violate the Civil Rights Act 1964 which prohibits discrimination in employment on the basis of ‘race, sex, national origin, and religion’ or the Americans with Disabilities Act 1990, which prohibits discrimination in employment against a ‘qualified individual with a disability’. However, these protections are no substitute for clear and meaningful guidelines and there is ample evidence to suggest that discrimination in the workplace is already occurring.
David Banisar and Sarah Andrews, Privacy International.