1
The Bottlenecks of Digital Privacy at the
Workplace. An Employee’s Perspective
Name:
Mihai Dan Bucă
Student number:
10356916
Date:
29
thof June 2016
Track:
Business Administration
Institution:
Universiteit van Amsterdam
2 Statement of Originality
This document is written by Mihai Dan Bucă (10356916) who declares to take full responsibility for the contents of this document.
I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.
The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.
3 Abstract
Privacy at the workplace is becoming a more significant issue with the development certain surveillance technologies. It can be seen there is a tradeoff between employers who need to protect certain information and their employees’ privacy. This paper starts on the basis of several other researches, which realized that this tradeoff is often in the favor of employers. Since there are both negative and positive aspects in monitoring an employee, in this paper we will explore, from an employee’s perspective, three main triggers of the need of surveillance: privacy policies, relationship between employees and employers and the rapid development of technology that can outpace humans ability to understand this process and regulate it. Key words: privacy at work, surveillance, employee, employer, social media, technology, policy, workspace, autonomy, regulations
4
Table of Contents
1. Introduction ... 5
2. Literature review ... 8
2.1. Privacy and its mechanism ... 8
2.2. Conflict between employees and employers ... 10
2.3. Blurred line between Private and Professional lives ... 11
2.4. The way surveillance takes place ... 12
2.4.1. Privacy Policy and Law ... 12
2.4.2. Means of Digital Surveillance ... 13
2.4.3. Reasonable expectations of privacy ... 15
2.4.4. Criteria for intrusion ... 16
2.4.5. Relevant Cases of Privacy Intrusion ... 17
3. Methodology ... 18
4. Results ... 20
5. Discussion ... 25
Bibliography ... 29
5
1. Introduction
The potential loss of privacy has been a concern for scholars for more than a century. Friedman and Reed (2007) mentioned in their article that the first research paper on this topic is a law review article by Warren and Brandeis (1890). This paper tackles the issue of the diminishing levels of privacy that arise from the fast paced changes from the world, such as the development of the newspaper industry and “numerous mechanical devices that are compromising the individual’s right to be alone (Friedman and Reed, 2007, p. 75). As Clark (2010) explained in his paper, people seem to want contradictory things. The technological evolution until the point when people can access any account, document, medical record or bill electronically, comes also with a higher level of data collection, which increases data monitoring. However, people seem to want more privacy in this digital tsunami.
As argued by Palm (2009) in her paper, privacy is a notion conditioned by preference adaptation, since people’s choices and their perspective of privacy are in direct correlation with the context of surveillance. Additionally, Palm (2009) assimilated this process with the fable “The Fox and the Grapes”, where the fox adjusts it’s preferences of grapes according to it’s chances to reach the lower grapes which are not the fox’s top priority initially.
In a professional context, surveillance is executed in a continuous manner that is not possible in the public environment and it offers the observer access to numerous individual specific data (Palm, 2009). One of the main problems of privacy is the ability to combine new technologies of surveillance gadgets with their complementary software and means of communication such as the Internet and social media (Miller and Weckert, 2000).
Undoubtedly, the Internet is an important technological development and it has the power to reshape the main pillars of our society, such as the socio-economical order, the way the youths are being educated or the means through which people exchange information (Clark, 2010). As explained in the same paper, the genesis of the Internet took place long before it was made available to the mainstream public. Nowadays, the development of the Internet took another huge leap to today’s constant connection through smartphones, tablets and other intelligent gadgets (Ashley and Tuten, 2015).
Moreover, these devices can provide real-time information about a person’s health, breathing rhythm, pulse or any physiological metric that can be theoretically linked to one’s productivity. For example, Ball and Stride (2012) explained that Microsoft has already filed a patent for software that can monitor permanently workers’ biometric statistics. Thus, employee surveillance is increasing, while their privacy liberty is being subjugated against the interests of the employer (Friedman and Reed, 2007).
6
Furthermore, there are numerous cases of privacy intrusions in the literature (Del Riego et Al, 2012; Eivazi, 2011; van Dissel 2014) that show how the monitoring of employees is done with Internet surveillance and also social media supervision.
Dutta (2010) argued in his paper that social media are changing and they are taking part in various workplace manifestations. For example, these modern “boundary crossing technologies” are redefining the unclear line between home and the workplace (Del Riego et Al, 2012). It is unclear for employees what is being restricted to be posted online, since less then half of the firms have a specific social media policy (Del Riego et Al, 2012). As van Dissel (2014) argued, Facebook could improve the relations between employees through bonding in the private time, however they can also generate disagreement and tension at the workplace, while raising numerous legal gray zones.
The above-mentioned situations are usually the result of poorly written privacy policies as work, which include vague explanations and do not clearly define the boundaries between private/professional information or between legal/illegal and ethical/unethical surveillance (Miller & Weckert, 2012). For example, as Weckert and Miller (2012) stated in their article, the extent to which an employer can justify his/her infringement of an employee’s privacy often is quite vague and courts usually defend the employer’s perspective, with or without a relevant privacy policy.
However, employers are entitled to some degree of surveillance over their employees (Hansson and Persson, 2003). For example, employers resort to surveillance in order to protect their interests and information and to minimize the risks of misusing online services by employees. Besides, electronic monitoring can be used as means of improving productivity and benchmarking employees’ work rate. Therefore, as Eivazi (2011) further stated, providing online content at work without any monitoring or restrictions may be considered an invitation to policy infringement.
Since most of the literature on this topic has been focused on email surveillance (Friedman and Reed, 2007; Eivazi, 2011 among others) and on general privacy issues (Miller and Weckert, 2000), this paper will tackle the issue of digital surveillance at the workplace in regard to social media and internet use. Also, the majority of papers on this topic focus on a general (Miller and Weckert, 2000) or on a legal perspective (Palm, 2009), therefore I will try to observe this issue from an employee’s point of view. While employers are typically entitled to control their properties and to improve employee productivity through surveillance, employees don’t always have the protection entitled by the law (Hansson and Persson 2003).
Nonetheless, even if many scholars have tried to come up with solutions in regard to privacy at work, the issues have not been solved yet and they have not changed fundamentally; the only thing that changed is the means through which surveillance is taking place (Schulman, 1998). Thus, the
7
constant creation and development of new software and hardware equipment in regard to work surveillance brings the need of periodical analysis of privacy at work (Hansson and Persson, 2003). Therefore, the topic of this research is to inspect surveillance and data monitoring in regard to the online presence of employees.
This paper will analyze this issue on various levels and will try to identify the most relevant views existent on this matter, such as the cases in which social media surveillance is beneficial for the employee but also the situations when it can be detrimental. Also, privacy should be researched by the means of applied ethics (Weckert and Miller, 2000). Since applied ethics is interdisciplinary, questions on this topic should be examined on various dimensions. After realizing the existence of a gap in literature about the boundaries of privacy and surveillance between employees and employers and the lack of solution in this issue, the central question of this paper arises: What are the bottlenecks of digital privacy at work that lead to the conflict between employees and employers, from an employee’s point of view?
In regard to the research question, there are three sub questions that could lead to an answer of where are the sensible spots in this matter.
1st sub question: How could a privacy policy influence the positive and negative aspects of digital surveillance?
2nd sub question: How does the difference in the perspective of employees and employers in regard to privacy at work relate to the bottleneck of surveillance issues?
3rd sub question: Could the rapid technological advancement outpace
the human ability to regulate this technology and therefore lead to the bottlenecks of privacy issues?
In order to answer the question, I will structure the paper as follows. Initially, the literature in this topic will be reviewed, while structuring the information and analysis on several aspects. Firstly, the general definition of privacy and its mechanism will be reviewed. Secondly, the ongoing conflict between employees and employers will be presented and reviewed. Thirdly, blurred line between the private and professional life will be analyzed. Fourthly, the way surveillance takes place at the workplace will be researched and split into five sections: Privacy policy, Reasonable expectations of privacy, Criteria for Intrusion, Means of Digital Surveillance and Relevant cases. Furthermore, the methodology will provide the means through which the research was conducted and the data obtained. Besides, the results section will provide the analyzed data obtained through the interviews and case studies and they will be presented based on the sub questions’ topics: Privacy Policy, Conflict between employees and employers and Views of technology in regard to surveillance. Lastly, the discussion will provide the
8
answer of the research question along with the limitations of this paper and questions for future researchers in this topic.
2. Literature review
2.1. Privacy and its mechanism
Privacy is a completely relative notion, connected to what people in a society at a particular time are prepared to disclose about themselves (Miller & Weckert, 2000). As Finn et Al. (2010) explained, there are seven types of privacy: privacy of the person, privacy of behavior and action, privacy of communication, privacy of data and image, privacy of thoughts and feelings, privacy of location and space and privacy association. Since the main scope will be digital privacy at work, the focus is being placed on privacy of communication and privacy of data and image; however, there can be cases that include other or multiple types of privacy. For the sake of simplifying matters, in this research paper privacy will be split into informational privacy and territorial/local privacy when analyzing the cases, similar to how Hansson and Persson (2003) tackled it.
There are are several other important views and structures of privacy worth mentioning. Firstly, Hansson and Persson (2003) affirmed there are two fundamental views in regard to privacy at work. One is the non-paternalistic view, under which each individual has the right to determine what can be considered as an intrusion into his/her privacy. The other one is the paternalistic view, according to which an individual’s preference and desire has no effect to what should be considered as an intrusion into his/her privacy. However, they are each an end of the same continuum and therefore, a middle ground should be reached in order to define the boundaries of privacy.
Additionally, Del Riego et Al. (2012) explained in their research that privacy at work could be split into three levels. Firstly there is the subjective privacy, which refers to one’s expectation of privacy, which is influenced by that individual’s culture, education and past experiences in regard to this issue. Secondly, there is an objective expectation of privacy on a company level, under which all employees act and which is regulated through that firm’s privacy policy. Thirdly, there is the objective expectation of privacy on a societal level, regulated with the help laws and legitimated through courts decisions. However, as explained previously, there are different expectations of privacy on societal level and those vary significantly between geographical
9
regions and they are not limited to privacy at work. To exemplify, people from Sweden can access financial information about any citizen of that country, such as income, taxes, wealth and credits at banks. This would be unacceptable in Latin countries or in the United States, where one’s income is not a matter of public disclosure. Although individuals’ views on privacy vary significantly, there are some similarities based on a certain characteristic, such as age, among people from opposite parts of the world. For example, Del Riego et Al. (2012) explained that millennial employees value a relaxed atmosphere at work and they usually are more willing to share private information about themselves than people from other generation are willing disclose.
Moreover, Palm (2009) argued in her paper that privacy is in direct connection with three notions that are fundamental to the mental well being of an individual: intimacy, dignity and autonomy. Firstly, Julie C Inness advocated that the nucleus of the privacy is consisted by the area of intimacy (in Palm, 2009). Therefore, information that is perceived as sensitive in regard to privacy is usually stimulated by an intimate concern, love or care. For example, an employee would perceive a more significant privacy intrusion if his/her love letters are read in front of everybody at work than if his/her work matters would be disclosed to everybody in the office, due to the more intimate concern that personal relations have.
Although dignity is a supreme goal for an individual, it is quite a vague concept that is somehow inappropriate to explain privacy (Palm, 2009). This is due to the fact that an employee can maintain his/her own dignity even in situations of severe surveillance, or he/she can adjust dignity on the base of his inner self. However, in the same situation one’s autonomy is significantly diminished. This is so, considering a common reaction to surveillance is an adapting behavior, in which people conform to rules in anticipatory way. Therefore, employees self-regulate their behavior in accordance with the views of the employers so much that they can reach a state under which they are no longer governing themselves (Palm, 2009). In this sense, a decent level of privacy at work is a precondition for autonomy and self-governing behavior.
However, total autonomy at work is not possible, since the whole purpose of the professional environment is to have people working together towards a well-established goal and to follow several well-established rules. Although employees do not have full decisional power in regard to their work, they should have the possibility to influence goals, methods, schedules and also the instruments and ways through which they can reach their professional objectives (Brey 1999, in Palm 2009). After analyzing the positive aspects of granted privacy, it should be mentioned that privacy has certain negative aspects as well. MacKinnon and Posner argued that both informational and territorial privacy could allow (verbal) abuse and various types of anti social behavior (in Palm, 2009). This can happen when selective
10
disclosure becomes an instrument for manipulation or for misleading other employees. Nonetheless, the risks linked to the lack of privacy outweigh the negative effects of privacy and therefore its’ value should not be undermined since supporting privacy at work is not the same as allowing employees to do as they want at the workplace (Hansson and Persson, 2003).
2.2. Conflict between employees and employers
Employment regulations have developed in time from master-servant (status relation) to a contract between employer and employee (Van Dissel, 2014). However, there is still an asymmetry in this relation, which has a significant impact on the ability of the employee to freely choose an employment agreement. For instance, it is obvious that there are more prospective employees than prospective jobs, therefore only the employers can be selective in this process.
Moreover, Palm (2009) explained that any relation between an employer and his or her employees requires a certain degree of consent, which is set on two levels. Firstly, there is the informed consent, which strictly refers to the legal obligations that both sides have to follow in regard to their behavior with the other side. Secondly, the context under which the consent has been established must be overviewed. Consequently, an act of consent can be considered morally acceptable if both sides have consented to it “in a free and informed manner” (Palm, 2009, p. 237).
Nevertheless, employers have certain reasons to resort to digital surveillance, such as protecting their business interests, improving employee’s productivity and preventing the potential risk of legal and material liability that can arise from the defective use of online instruments by employees (Eivazi, 2011). Additionally, electronic monitoring can help employers to overview how the firm performs and to set realistic and attainable goals for their workers. Also, as Del Riego et Al. (2012) explained, if surveillance is done only for a short period of time, the data extracted can be used to further train the employee to be more effective.
On the other hand, it has been argued that employees who were exposed to surveillance suffer from “ill health, stress and lowering of morale to a higher degree than other employees” (Miller & Weckert, 2000, p. 259). Further, these employees can have problems in trying to adapt at the next workplace. Besides, even if employers can have particular rights in regard to their employees, there is no fundamental right for employers to monitor them through various online platforms.
Moreover, from a philosophical point of view, employees who are being targeted by surveillance “may no longer govern themselves fully” since they
11
have to “justify their actions by giving reasons that everyone could accept as their own” (Palm, 2009, p. 208). Furthermore, Palm (2009) stated that numerous scholars have criticized informational privacy for allowing anti-social behavior and abusive actions at work. Nonetheless, the prescription of a right to privacy at work is not a synonym for allowing employees to do what they want and several regulations should be made in this regard.
Similarly, employees’ perception of reasons behind monitoring is radically different than the perception of employer. As Friedman and Reed stated, 34% of employees believed that surveillance exemplifies “employers lack of trust in employees while only 2% of the managers listed lack of trust in employees as a motivating reason for monitoring employees (2007, p.80). Likewise, while 76% of Human Resource Managers agreed that firms have the right to monitor employees’ phone conversation, while only 38% of employees agreed with this action. In addition, employee’s view on privacy intrusion can evolve due to employer’s increasing expenditure of monitoring activities (Friedman and Reed, 2007). However, there are certain managers who refuse to use monitoring at work (Schulman, 1998). For example, Scott Paddock, manager of PC Brokers explained he trusts his employees and believes surveillance at work is a waste of time that would make him as guilty as the employees who breach the agreement with the employer in this matter
2.3. Blurred line between Private and Professional lives
It is obvious that employees are granted the right to a private life, separated from their work. Moreover, as Van Dissel (2014) stated, employers do not have an unrestricted right so overview their employees’ out of work conduct. Therefore, the situations under which an employee can be held responsible for his/ her out of work actions are limited. However, a displeased employee can easily reveal information meant to be classified inside the company, or sell intellectual property and even harm the company’s reputation by commenting of it in a denigrating way (Del Riego, 2012). Thus, there should be a clear connection between one’s employment and his/her out-of-work conduct, since an employee can improve or harm the public’s perspective on a firm both offline and online (Van Dissel, 2014).
Furthermore, the issue of the services and devices provided by employers, such as laptops, phones, or even access to a firm’s intranet, should be clearly to and by both sides. Del Riego et Al (2012) offer an interesting analogy in this matter, where the intranet is compared to a piece of paper, on which various individuals exchange information. Henceforth, as with a piece of paper, the owner of the intranet is entitled to read the content of it, even if that content was uploaded on the network by an employee from his
12
personal computer at home. However, in regard to social media, the situation varies radically. Van Dissel (2014) compared the matter of an employer who intrudes into an employee’s Facebook account to an employee leaving his home key unsupervised at work. He argued that there are no circumstances under which that employer is entitled to enter one’s house, due to the fact that “carelessness does not equal to consent” (2014, p. 227); the same applies to an intruder on any private Internet account.
In addition, Van Dissel (2014) proposed a three-stepped model to determine whether an intrusion into an employee’s out-of-hours life is legitimate, legal and morally acceptable.
• Firstly, the intrusion is considered legitimate when the conduct for which the intrusion is done could cause significant harm to the association between the employee and the employer.
• Secondly, a valid reason behind a privacy intrusion could be that a conduct damages an employer’s interests and therefore, has a negative impact on the company’s interest as well.
• Thirdly, the intrusion can be justified when the conduct is not compatible with an employee’s duty and job requirements as specified in his/her work contract.
2.4. The way surveillance takes place
2.4.1. Privacy Policy and Law
Privacy Policies refer to the contractual bonds between the parties at a workplace, where all sides have to act in regard to certain rights and obligations stipulated in the contract. Although these stipulations refer to the professional environment, employees must take care of how they manifest in other environments as well. For example, there are numerous cases (Keefe vs Williams Muir’s Pty Ltd or Stutsel vs Linfox Australia Pty Ltd) when employees post comments regarding their pay on their private page, due to which they get dismissed from their job (Van Dissel, 2014). Therefore, a firm’s privacy policy should clearly state what are the rights and obligations of all parties involved and in which situations these apply. Also, as Friedman and Reed explained, employee implication in the creation and implementation of surveillance systems and privacy policies may increase the acceptance of these (2007). However, there is a grey are about privacy policies in regard to prospective employees. Numerous times, employers and headhunters monitor these individuals and can reveal information about them, previously thought as private. However, since they are not employed yet, they are not
13
working under the firm’s privacy policy and therefore they cannot do anything about this situation.
Nevertheless, the employees’ expectations of privacy are in direct connection with a company’s culture through the policy of the firm (Del Riego et Al, 2012). Therefore, it would be understandable that the companies which offer unfavorable privacy policies that support controversial surveillance would not be able to attract employees of good quality. However, as Miller and Weckert stated, employees are not always in the position of choosing employers, especially in times and industries of significant unemployment (2000). Moreover, Clark argued that although most of the employees have guidelines on how they should act online, privacy settings are a separate challenge that can become a key to this issue. Also, even if people pursue a training to reduce the digital footprint they leave as trace, many don’t understand the easiness through which a comment can be universally discovered even if it seems to be hidden well (Myers, 2014). Although these comments initially seemed private, the simplicity through which information can be forwarded between individuals nowadays can be seen as a threat to the privacy and the well being of employees and therefore, a threat to the company as a whole.
Besides, Clark (2010) argued in his paper that employees and employers should be conscious about the potential damages a disclosure can do to individuals, for example damaging one’s chances to a future job after some sensible information about him was exposed. In this case, there are two different approaches to remove information about an individual from the online realm (Myers, 2014). Firstly, there is the American approach that favors freedom of speech and therefore favors keeping the content online. Secondly, there is the European approach, which offers to all of its citizens the right of oblivion. This means one has the right to remove himself/herself completely from the social media and online sphere if he/she desires to do so. Therefore, it is understandable that multinational firms should adapt their policies in regard to culture, without losing the their organizational identity through this policy
2.4.2. Means of Digital Surveillance
Lawmakers around the world are finding it difficult to conceptualize privacy and adapt laws for it in regard to new technologies (Del Riego, 2012). Digital surveillance at work is gathering more information than ever and people can be harmed if these data gets in the hand of the wrong people. For example, advertising agencies or government officials could make use of this information in ways that would not be beneficial for the individual (Miller and Weckert, 2000). Digital monitoring at work is a widespread and growing
14
practice (Schulman, 1998). Software manufacturers reported a growth in their sales of surveillance and tracking software to businesses from $139 million in 2001 to $622 million in 2006 (Friedman and Reed, 2007).
There are several typical means of digital surveillance at the workplace or by using the hardware provided at the workplace. One of the oldest and most researched is the monitoring of email. Schulman argued in her paper the fact that “36% of responding companies searched employee messages regularly and 70% said employers should reserve the right to do so (1998, p.65). Besides, there are several situations in which employers were reading into employees’ email, while obtaining access into their mailbox due to the fact that the employee was using work-provided laptop or the network of the company. Furthermore, Friedman and Reed stated that in general, an employer’s interest in monitoring employee’s email usually outweighs an employee’s expectation of privacy, especially if the privacy policy of the firm grants this access to the employer (2007). However, this doesn’t make it morally correct (Palm, 2009).
Another mean of digital surveillance is through social media profiles. As explained by Del Riego et Al. research into this topic has not been done as in-depth as for email since it is a newer platform (2012). However, there are numerous cases in which an employee was detained due to inappropriate content posted on social media. Employees are becoming more conscious about this matter and only a slim amount of them consider Facebook as part of their private life exclusively, while most of them do not have their previous or present bosses as friends on social media platforms and mainly on Facebook (Van Dissel, 2014). However, there are certain issues from using content posted on social media as evidence. For example, social medias only show the date and time when the photo was posted and not when the photo/ video has been taken, therefore it is ambiguous if it can be used as evidence or not. Conversely, companies should consider implementing social media policies, since less than half of employers had this type of policy active at their workplace (Van Dissel, 2014).
Nevertheless, there is a common ground in this matter, where employees and employers could benefit together. As mentioned earlier, including employees actively in the writing of these policies could improve their understanding and acceptance of these. Henceforth, from a privacy perspective it is not considered problematic to restrict access to certain sites or apps by using certain software; however monitoring sites visited, reading emails and/or constantly monitoring employee’s activity with the help of the Internet of things can be problematic and is not morally legit, while a majority of the employees would advise the use of the less intrusive mean of surveillance (Miller and Weckert, 2000).
15
2.4.3. Reasonable expectations of privacy
As several scholars explained, employees at a firm are usually treated like a homogenous group with homogenous privacy needs. Certainly, each company has several unique characteristics based on which their employees form their privacy expectancies. Moreover, each individual has a subjective perspective of surveillance and employers should understand employee’s expectations and claims that are very likely to differ, not only because of the work culture, but also with the employee’s sex, educational background and position in the firm (Palm, 2009).
In general, employee’s expectations in this regard are complicated in the sense that employers have to require information from employees and to keep a reasonable degree of control over their activity (Palm, 2009). Even if certain employees do not care if that information is being read by the boss or not, that doesn’t make that piece of information generally available for everyone (Hansson and Persson, 2003). For example, an employee may not care who reads their private texts, however this doesn’t mean those texts are outside of their sphere of privacy.
Regardless of the fact that companies in general have legal rights to access and monitor employees’ online activity and that employees generally accept these practices, employees still hold on several expectations of privacy at the workplace (Del Riego et Al., 2012). In the same paper it was mentioned that employees view it as unethical for employers to observe certain aspects of their life. Whether is constantly monitoring their typing on their keyboards through keystrokes, or observing their position through RFID chips, employees should be entitled to a certain (digital) sphere at work where they can act as their wish, at least for a limited period of time.
Nevertheless, employees are becoming conscious about their digital footprint. As Van Dissel (2014) argued around 65% of employees expect their employees to try and reach their content posted online. A huge majority of them, 89%, did not believe that their privacy settings protected them from employees discovering this information, due to the easiness of forwarding messages and content in general on social media. In the same paper it was explained that around 80% of employees believed that they could be fired or suspended for behavior online, whereas only 20% thought that their employer could be held responsible in similar ways for their behavior online, in and out of work.
Also, Van Dissel (2014) argued in his paper that employees in general see their employer as a reflection of their company and try to comply with their rules. Additionally, many employees are willing to impose on themselves certain limitations in regard to their online activity, sometimes more strict than legally required. However, employers should not try and benefit from this action and they should try to arrive to a common opinion, where the needs of the company balance the rights of employees in regard to privacy.
16
2.4.4. Criteria for intrusion
As explained formerly in this paper, privacy intrusion is a very complex matter, in which there is not only a black-white duality, but many grey areas and legal loopholes which make it difficult to realize on which side of the problem should the solution be based on. Even if employees are most of the times in the disadvantaged position, there various cases in which privacy intrusion and surveillance is not only accepted, but also advised. Therefore, even if the employee has a reasonable expectation of surveillance at work, it must be in equilibrium with the reasonableness of the privacy invasion (Eivazi, 2011).
There are several authors who discussed this issue and most of them arrived to a four steps model, which can determine if an intrusion is justified or not (Persson & Hanson, 2003 and Schulman, 1998). The model is based on the following process explained thoroughly by Persson and Hanson (2003) in their paper; an intrusion has to satisfy all four conditions in order to be justified:
Firstly, the main purpose of the intrusion must be obtained. If it falls in the following three categories, proceed to the next condition:
• To monitor the employee and establish that he/she is performing his/her tasks and satisfies the requirements owed to the employer
• To protect the employee’s interest in regard to circumstances for which the employee is morally and legally responsible; this should be done in means that are in the employee’s interest as well
• To secure a third party’s relevant interests in circumstances for which the moral responsibility is held by the employer
Secondly, the encroachment in one’s privacy should be done in a way that is an efficient procedure to achieve this objective. This is particularly important due to the high costs that arise in the process of digital surveillance. Therefore, an inefficient intrusion would bring with itself significant costs for the employer and firm in general.
Thirdly, the privacy intrusion should be performed in the least invasive way that is legal and can reach its objective. For example, an employer is legally and morally entitled to check whether an employee’s daily performance at work is reasonable by checking the results at the conclusion of the working day. However, monitoring an employee second by second is too intrusive for this purpose.
Fourthly, the procedure of intruding into an employee’s privacy has to be not so drastic as to be more significant than the utility of reaching its goals. For example, an employer can restrict the access on certain unproductive websites and apps in order to reduce the amount of procrastination at work.
17
However, it is morally ambiguous if an employee can monitor every website that an employee accessed for the same purpose, since this intrusion outweighs the final objective of it.
2.4.5. Relevant Cases of Privacy Intrusion
Del Riego et Al. discuss the case of O’Connor vs. Ortega, “the leading Fourth Amendment employee privacy case” (2012, p.74); the US Supreme Court came to the conclusion that a public hospital did not violate an employee’s right to privacy when it searched into his work-provided laptop and office in regard to sexual harassment allegations against him. More precisely, the Supreme Court established that the employee did not have a reasonable expectancy of privacy in regard to the operations that were taking place in his office. Moreover, the court considered that the scope of the employer’s search was at least reasonable, due to the sexual harassment lawsuit that was held against the employee.
It is well known that US courts favor the employer’s perspective in this kind of matters, whereas the European courts do the opposite; however, Canadian courts tend walk in the middle ground between the US and the EU. For example, in R. vs Cole, a high school teacher was prosecuted for storing compromising images of underage students, on a laptop provided by the high school (Del Riego, 2012). The Canadian court concluded that the employee’s expectation of privacy was reasonable, due the absence of a clear privacy policy. However, since a technician found the compromising photos when doing a routine check, these expectations of privacy did not apply to the technician. Therefore, the high school teacher was prosecuted for his actions.
Nevertheless, there are situations under which employees are prosecuted for apparently innocent comments. Van Dissel explained the case of Fitzgerald vs Smith, where Ms Fitzgerald, Ms Smith’s employee, posted on her Facebook Wall the following status: “Xmas “bonus” alongside a job warning, followed by no holiday pay!!!” (2014, p. 228). Although her contract was terminated, the US court concluded that the post was foolish but accurate and therefore it was not harmful to the company, due to the limited time it was left online and the limited public it reached. Therefore, the termination of her contract was considered unjustified.
Finally, the case of City of Ontario vs Quon challenges the topic of employer provided hardware. The aim of the case was to determine whether an employee had a rational expectation of privacy about the text messages from his pager provided from work, due to a request of his employer, the City of Ontario Police Department, to review his messages in order to change his messaging plan. The court held that the employer did not breach the employee’s right to privacy, mainly due to the fact that the review of the
18
messages only took into account the ones sent and receive during working hours.
3. Methodology
In order to answer the research question of this paper I have conducted an exploratory study. Initially, I sent 45 emails and private messages to employees working for 22 companies, ranging from multinational firms in medical research, telecommunications, consulting firms to startups with a flat structure. The purpose of this first round of interviews was to test whether it is interest from the employee’s perspective to take part in this research. Moreover, 20 of these employees from 13 companies agreed to take part in this research, while 5 others responded that they would rather not. The next step for me was to ask them to do a second round of semi-structured interviews, using audio or video call in order to get more relevant information and to be able to ask meaningful question. These interviews asked information about the history of the company and it’s global presence, the employees’ status in the firm and the employees’ experience and opinion in regard to privacy at work; however, due to the nature of the interviews, the discussions were not limited to the standard questions and most of the employees offered relevant examples and opinions outside of the scope of the questionnaire; a model of this interview can be found in the appendix, along with the agreement of anonymity and confidentiality.
After analyzing the results, I observed that there were similar patterns in several companies; however, there were not enough arguments provided in order to answer the research question. Thus, there have been chosen three of the companies in questions, which were treated as case studies in order to get a deeper view of what happens in a company, instead of analyzing in a superficial manner the information from multiple firms. These firms were chosen due to their diversity in industries and in number of employees, but also due to the significant differences they had in privacy policies and perspectives on surveillance. Furthermore, in order to increase the validity and reliability of the study, a third stage of interviews was conducted through online video calls with employees and employers on various positions at the companies in question, in pursuance of a higher degree of validity and reliability.
The first company analyzed is a multinational medical and pharmaceutical consulting firm. The firm is responsible for conducting clinical trials for pharmaceutical clients to test their new drugs before they can be regulated and put on the market. The company has more than 18.000 employees and is presented in more than 50 countries. Access to the company was granted through a line manager from Romania, a member of
19
my family, and there were also two line subordinates interviewed. The line manager is a 56 years old woman (coded Aemplr), working for the firm for two years, whereas the subordinates were a 30 year old female (coded Aemplee1) and a 35 years old male (coded Aemplee2), both working for the company for one year.
The second company treated as a case study is an online games company founded in Germany in 2009. The company has around 1200 employees, mostly young people enthusiastic about technology and the gaming industry in general. The firm expanded in the last few years in the Asian market, with offices in Seoul and Tokyo. Access in the company was granted through a junior customer support representative, a 24 year old (male) former high school colleague of mine, currently working at the company’s main office in Hamburg for 8 months (Bemplee). In addition, there was also interviewed Bemplee’s team leader (female, 26 years old, Bemplr) working also in customer support at the same office for almost three years.
The third company presented as a case study is radically different from the former two cases. It is a web design and computer-programming firm, established in Romania in 2010 and it currently has 10 employees. The firm works on projects from various contractors, ranging from front-end developing and back-end developing to graphical design and logo creation. Access in the company was granted through the owner of the company, a former instructor of mine from a graphical design course. He is a 38-year-old male, owner and also worker at this company (Cemplr). Furthermore, there were also interviewed two other employees, a 30 year old computer programmer working for the company for almost three years (Cemplee1) and a 22 year old intern (Cemplee2), who was just employed at the firm at the beginning of 2016.
Although the previous knowledge on this topic has been gathered mostly through quantitative analysis, I have focused my research and congregated the data in a qualitative way, while using both the deductive and inductive approach. After the gathering of the data, the next logical step was to code it. The three main ways of coding were open coding, axial coding and selective coding (Saunders et al., 2009). Open coding refers to the procedure of recognizing, naming and splitting into categories of the data. Axial coding is the next rational step and it concerns with the linking categories obtained through open coding. Finally, selective coding is the process to distinguish the main categories of the data and to correlate them with the existing literature in the matter of digital surveillance.
Nevertheless, the matters of internal validity and reliability of this study were of great concern in the process of obtaining the data. Firstly, the chosen firms to take part in the case study had a relevant background and all of them treated privacy in a specific but meaningful way. As previously mentioned, all interviewees were granted confidentiality and anonymity in order to receive meaningful opinions and accurate examples; henceforth the level of bias was
20
reduced as much as possible. Therefore, the collection and measurement of the data was of proficient quality. Consequently, the study can be categorized as valid. Secondly, in terms of reliability, I am confident that if a study conducted in a similar way and if it would be based on different case studies, it would provide similar conclusion.
4. Results
Privacy policy
The three interviewees from Company A explained that the firm’s privacy policy is general for all employees and is part of the standard operating procedure of the firm. Therefore, the privacy policy is the same in all countries where the company is present. This policy is negotiated with trade unions and is brought into attention to an employee when he or she is hired. Nevertheless, in case of a privacy intrusion both the firm’s approach to this and the country’s law are taken into account; thus, the more severe of the two is applied. Moreover in this company there are certain surveys provided to employees, in order to benchmark their satisfaction about the job and to regulate the standard operating procedure of the firm. Aemplr considered these useful since employees can come with suggestions about various issues including privacy.
On the other side, Aemplee1 argued: “I have completed the survey only once with extended feedback, however none of my suggestions was put into actions and things remained in a status quo”. Furthermore, Aemplee2 mentioned that he is not interested about the surveys and doesn’t consider them to be progressive for the company. It can be seen that regulations are an issue in this case and as long as they cannot easily be changed with the help of employees, as recommended by Miller and Weckert (2000), employees might have certain concerns in accepting these policies and they can seem careless about these.
The two interviewees from the second company described their privacy policy as very adaptive, due to the fact that the company is still in its growth period since it doubled its number of employees in the past 5 years. Confronted with this rapid expansion in personnel, Company B had to acquire numerous desktops, which require massive data collection and therefore this process had to be regulated quickly. Moreover, after the company expanded into the Far East, the board decided that the privacy policy should be adapted for the culture of that region in the same way that is developed at the headquarters in Germany, with the help of employees.
21
Bemplr explained that the policy changed twice since she was employed, each of these times done with the help and suggestion of all employees who are part of this issue. For example, she mentioned that there are certain surveillance-free rooms in the office used as recreational rooms, where employees can rest for one hour each day and play various (computer) games and socialize; these rooms were established due to an employee’s suggestion. Both interviewees explained that they see this room as being beneficial, both for privacy related issues but also as a great mean of team building. However Bemplr argued that, “ these fast paced changes in privacy policy could also be detrimental to employees. For example, last year after the policy changed I didn’t know that I am not allowed to link my personal mail account to my YouTube account on the computer from work. My supervisor mentioned this time and even if there were no penalties held against me, it was a confusing process and I wished the company would have done a better job explaining the changes in the policy”
Nonetheless, all three interviewees from Company C described the company as being highly horizontal, since all employees work an open large office, so they can easily collaborate on projects when needed. When asked about the privacy policy, Cemplr explained, “There is not a real privacy policy in regard to my relation to the employees because we simply don’t need one. I trust all my employees and if I would hold them under constant surveillance it would be a breach in our mutual trust. You could say that we all monitor each other, since everybody can have an opinion and report something about all employees, including the owner. However, the only specified thing in the employment contract is to not harm the company by any means, both online and offline and also, during work and out of hours”. Similarly, Cemplee1 and Cemplee2 mentioned that the lack of a privacy policy is one of the main reasons that they choose to work for this company.
Conflict between employees and employers
When asked about employees’ privacy intrusion, Aemplr gave the following answer about this phenomenon: “My personal opinion is that employees who are afraid of this are usually the ones that have something to hide, since a large corporation doesn’t risk its reputation for a matter not quite significant. I haven’t done an intrusion at this job and I would only do it if the situation is severe enough to make the intrusion legitimate”. However, when Aemplee1 was asked about this, her answer was as follows: “I have knowledge about this issue and I believe that all employers do it, at least to a certain degree. Therefore, I tend to restrict my usage of the employer provided laptop and mailbox even if that laptop is more powerful than my personal one”. It can be seen that the two perspectives vary significantly,
22
which triggers different preventive actions. Moreover, Aemplee’s affirmation proves Palm’s (2009) point that employees tend to lose a certain degree of autonomy, while their actions are guided through an autopilot, which is a reactionary effect to perceiving he/she is being held under surveillance.
Besides, when asked how the company monitors employees’ performance and how it copes with procrastination, Aemplr argued: “There are certain objectives each employee has and as long as these are reached nothing is done to check what the employee is doing on his laptop. The only things that we monitor is when the employee login and logout from the system since some of the employees are entitled to work from home and they only have to reach a certain number of working hours a week, no matter the schedule. Furthermore, we only have surveillance cameras on hallways, in order to protect our office from intruders”. However, when asked about the same issue employees reported that they don’t agree with the surveillance cameras in combination with the login monitoring since “if these tools are combined, the employer can know everything about us, such as how many times we take a break to go to the toilette, for a smoke or a coffee break and it can feel like we are watched by a Big Brother”. As Schulman (1998) showed, the combination of several surveillance tools could lead to certain issues, as long as they are not regulated efficiently. Moreover, it seems from this example that employees in lower positions are more suspicious about privacy infringement incidents since they have no decision power and they can be more reluctant about authority. Nevertheless, this fear can also come from abusive past experiences in regard to privacy at work.
All three interviewees from Company A reported to have employer provided laptops with access to an intranet through a VPN connection. Additionally, the access to their professional email is exclusively done through that specific VPN program. Aemplr, Aemplee1 and Aemplee2 argued that there is no clear guideline in the company’s policy in what is not intended to be sent in that email and what can be categorized as personal emails and therefore none of the interviewees use it in that scope.
Nevertheless, Company A’s main role is to provide consultancy services to other companies. Therefore, it can be employed at the same time by several firms, which compete in the same industry. This has lead to several privacy incidents, where several files were mixed and a firm received sensitive information about its competitors. Thus, the employing firms are now offering several laptops where the classified information can be stored and processed. Similarly, some of these employing firms request to have printers only in specific rooms that can be used only by some employees in order to not mix documents with those of competitors; in addition, there are unique email inboxes for each firm in order to send the information to the correct recipient. Aemplr explained that, “It is very easy for us to cope with this measure. We usually send our more experienced employees to work on these projects and they comply with these steps, since it’s a preventive measure and our
23
employing firms don’t invade our digital privacy in any way”. This example is relevant and proves Del Riego’s (2012) theory that employees don’t perceive surveillance as threatening as long as there is only a restriction and not an intrusion.
Bemplr and Bemplee mentioned that the company doesn’t provide laptops or phones to employees at their level to use in their private and they do all the work on the computers at the office. On these computers, they are restricted to certain websites and they are not allowed to install third party applications from productivity reasons. Nonetheless, both interviewees described the work environment as being relaxed, since employees are not required to wear a uniform and there is not “a feeling of a corporate pressure”, as the Bemplee argued.
However, both explained that this is applied mostly to the lower-tier teams, and they are a bit reluctant about employee surveillance from their employers at higher levels. For example, Bemplr argued: “If I have something personal to talk about with one of my peers I avoid to use the computers and the network from work due to the fact that the privacy policy doesn’t specify precisely what is considered as justifiable for privacy intrusions. Thus, I prefer face to face discussion”. However, the same employee is entitled to similar monitoring for the team that she leads. When asked if she uses this, she mentioned that she has not done it so far and she would only do it if there were a situation as serious to require this procedure.
Furthermore, as explained by Bemplr, most of the employees from that department are of similar age and have similar interests; therefore they can easily identify one with the others. As such, they are reluctant to do privacy intrusions against them. However, Bemplr takes also the role of the monitored in relation to her superior and proves an essential point for this paper. When she is prone to being monitored by her superiors, she is conscious about this issue and thus, takes some preventive measures in order to make sure no incidents takes place. Nonetheless, it can be seen that the perspective of employees about privacy varies radically in regard to their position, either as supervisors or as workers, similar to how Miller and Weckert (2009) argued.
Moreover, Bemplr presented two different views that she had in regard to privacy. This is because the two sides of privacy intrusion vary significantly, while it puts the observer into an advantaged and relaxed position compared to the observed one; however it can also be the case that people are not sure what they can do at work due to the ever-changing privacy policy from a growing company. Thus, this can be an argument against the following statement of Del Riego et Al. (2012, p.63): “individuals create and tailor their social identities for particular audiences”. It can be seen from this example that Bemplr doesn’t create a new approach to social identities for her employers, but the environment creates this identity for her, while she is just a spectator while her behavior is on the above-explained autopilot.
24
Since firm C works on projects with various firms, it has to secure the information provided by its contractor. Therefore, there is a privacy policy included when signing an agreement. For example, the Cemplr argued the following, “Our employers (the contractor) are entitled to require us to protect their data in various ways. There were some who required only the most experienced programmers for their project, while others make us agree that we don’t work with any of his competitors during the period of that project. So far we have agreed with their entire requirements since it didn’t interfere with any of our actions.”
Views on technology
When asked what they think about the technological development privacy issues, Aemplr, Aemplee1 and Aemplee2 agreed that it’s a good thing at least for the firm and more work should be done to regulate digital tools correctly instead of banning its use. However, Aemplr argued that: “I am close to 60 years old and the technology has changed radically since I was a young employee. I have certain issues with smartphones and laptops, since I only use the basic feature that I particularly need for my work. I don’t know what these devices can do and it’s a bit worrying that a person could theoretically use any feature of these devices without my knowledge and therefore I take some protective measures. For example, I apply duct tape on the webcam of both my laptops (private on company-provided) when I am not using them since I read in an article that webcams can be accessed without my consent. However, even if risks exist in regard to new technologies’ privacy, I believe that their benefits outmatch these risks and thus, people should do a better job protecting and regulating privacy instead of banning the use of these devices”. Aemplr affirmation is in concordance with the theories of Bell et Al. (2012) which mention that women have are more concerned about privacy. Moreover, the theory could be extend to the fact that employees who don’t understand how technology works could not take preemptive measures if they are not told and therefore, they are more at risk.
When asked about the impact that technology has on privacy incidents, Bemplee stated: “We are an online gaming company, therefore it would be a bit hypocritical to argue that technology is harmful for our work environment since our company would not exist without the development of technology and the internet. However, I am particularly careful to how I act online and especially on social media, since there is publicly available information on Facebook about my workplace and anyone could instantly forward an inappropriate picture, post or comment to my employer”. As seen from this example, young employees at a smaller sized company have a modern understanding of privacy at work, similar to the millennial employees from Del
25
Riego’s (2012) paper. They accept a certain amount of surveillance and the fact that is has certain benefits.
Nevertheless, Cemplr, Cemplee1 and Cemplee2 described themselves as being passionate about technology and they are connected to the Internet permanently. Since their domain of work is computer science, Company C’s future is entirely based on the proposition that the online environment will continue to grow. Instead of banning technology, Cemplee1 argued that: “Technology should and is going to be part of our lives even more in the future. We already augment our reality through intelligent glasses and microchips, therefore we should rather teach the young generation how to accept these facts and use technology more effectively instead of being afraid of it. I believe that privacy is going to be less of an issue in the future and people will be willing to accept even sensible information to be disclosed about them, as long as it is relevant and based on truth”. It can be seen that even if Company C is European, their employee’s view is closer to the American law in regard to surveillance; globalization and the rapid exchange of ideas online could be a reason for this.
5. Discussion
Privacy Policy
After analyzing the cases in question it can be proved that privacy policies are unique for each company and they can also be different between offices of a company located in different areas of the world. From the first case it has been observed that a too rigid privacy policy can have a negative influence on employees since they can perceive as they have no say in how this privacy is being regulated and put to action. Nevertheless, from the second case it has been observed that a too flexible privacy policy can have a negative influence on the firm since the rapid pace of changes in this regulation can confuse the employees. This expands on Palm’s (2009) statement in which employees should be allowed to influence the policy and shows that a too flexible policy could be as harmful as a rigid one.
Conflict between employees and employers
As observed in the results, privacy is a relative term, which can differ from person to person, from company to company and from culture to culture. Therefore, an individual’s expectation of privacy at the workplace is in direct
26
correlation with one’s cultural background, age, gender and previous experience with privacy. This can be seen from the first case, where the three interviewees had radically different opinions about whether and how surveillance is done at the workplace. Moreover, in the second company there is a more meaningful and relevant example to prove this point, more precisely the employee who takes preventive measures in case there is an intrusion against her; however, she is not interested in intensive monitoring against her employees even if she is entitled to do so. This result expands on Friedman and Reed’s (2007) research by arguing that a person can have different perspectives on the same matter, when he/she is on opposite sides of the potential intrusion and therefore this theory is not limited to different people in surveillance. The last case showed that a smooth and clear understanding of privacy for all employees reduces to zero the issues in relation to privacy.
View on technology
Secondly, it has been described in the literature (Ball et Al. 2012 and Ghenniva et Al. 2015) the fast level of technological development and its interconnectedness with the world around us. Therefore, more data is stored and analyzed and consequently, there should be more effective means to legally protect this data. Moreover, all interviewed employees were defending technology regardless of age, thus extending on Del Riego’s et Al. research, which proposed this theory for the millennial generation. Nevertheless, it would be paradoxical for companies intensively using technology to blame privacy related issues on the rapid technological development. Therefore, technology should be used as a beneficial instrument; a company is required be in a symbiotic relationship with technology, evolving together with the ability to regulate it.
Answer and recommendation
To answer the research question, the main bottleneck in privacy related incidents between employers and employees arises from the radically different perspectives that employers and employees have on this matter and also from the lack of appropriate privacy policies that are present even in large multinational corporation. These policies should effectively regulate what an employee is allowed to do at work and at home and should also clearly define the boundaries of using social media and employer provided devices..
After observing the easiness through which smaller companies act in regard to privacy policies I would recommend larger companies to have a similar approach. For example, instead of a hierarchical monitoring structure,
27
a firm could rather have an interactive monitoring policy and rather choose to be more open about the information disclosed (except classified data) in order to make the monitoring more effective and faster-paced flow of information. Another option would be to use third party surveillance firms that could work for the best interest of the company in question. Nevertheless, employees should be allowed to take part in the writing of the privacy policies by having the possibility of suggesting segments of this regulation that could be applied and not through rigid questionnaires that are not taken into account. However, the board of a company should also be careful not to change the privacy policy too often and too abruptly since it could confuse the employees.
Limitations
As in every research paper, there are certain limitations and means through which it can be improved. Firstly, I believe that the limited number of cases could contribute to a certain level of bias, since all three companies were using intensively computers and therefore they had to cope in a similar way with digital surveillance. Secondly, all interviewees were based in Europe and therefore this could contribute to a certain level of cultural bias, considering the perspectives on privacy and work in general are very different in various places of our world. Thirdly, an improvement would come from treating this research as a time-lapse and not how it was done, as a snapshot, since privacy and surveillance evolve over time and it would be interesting to see how these processes take place.
Furthermore, Privacy related incidents have been researched for a relatively long time and thus, there are numerous papers published on this topic. Therefore, an important strength is the fact that this research is based on deep and meaningful literature. This way, I strengthen the validity and reliability of this research, while also providing in-depth information to fill the existing gap in this matter. Surely, this research could have also been done quantitatively and there would have been provided numerical data in regard to privacy at work. However, since privacy is not based on a human to computer relation but on a human to human interaction by using computers as tools, I believe that the ideas of employees and employers are the most relevant data to be used in this research in order to fill the gap in the literature with the help of people’s opinions based on their experiences.
Question for future research
Certainly, privacy is not an overly saturated research topic and there will be many papers published after this one. An interesting topic would to check how the conflicting perspectives of employees and employers relate
28
with the evolution of the privacy policies. I believe it is similar to the chicken and egg paradox and the solving of one of these matters may lead to a more clear view on the solution to solve not only digital surveillance issues at work, but also privacy related incidents applied to all environments. Moreover, another interesting insight would be to treat this research as a time-lapse and not how it was done, as a snapshot, since privacy and surveillance evolve over time.
