Things may not always run smoothly in the workplace and bosses and workers may not always see eye to eye on many things. But there may be another “threat” in town: remote employee monitoring. In some cases, employee surveillance software, also called “bossware” and “tattleware”, threatens to drive a wedge between employers and employees.
Done well, bossware can help to insulate an organization from theft and legal risk, and even drive important improvements in productivity. But it’s also a privacy minefield that could end up demotivating your employees and exposing your organization to lawsuits.
Yet in a new work-from-anywhere era, it’s increasingly tempting for managers to monitor their distributed workforce. Given what’s at stake, careful planning should be the watchword for any organization considering employee monitoring.
What is bossware?
Bossware is an umbrella term for a variety of employee tracking tools. While the functionality of such software varies, at a high level it will track what programs a worker is using during the day and for how long. More intrusive surveillance might record the worker’s screen and log their keystrokes. Bossware ideally would be installed on an employee’s PC or device with their explicit knowledge and consent, although that’s not always the case.
Employee monitoring is more popular than you might think, driven by the surge in remote working precipitated by the pandemic. One study finds that 60% of companies with remote workers now use some form of bossware, and 88% of them have fired workers after deploying the software. That might be because over half (53%) of workers whose activity was monitored were found to be spending three or more hours each day on non-work activities.
Monitoring could cover:
- Emails (content and senders/recipients)
- Browser history
- App usage
- Computer screen and keystrokes
- Webcams
- Telephone use and call content
- CCTV footage (in the office)
- GPS vehicle tracking
- Access badge location tracking
- Fitness tracking of vital signs and moods
Pros and cons
Bossware advocates say that the judicious use of monitoring software can help their organization in several ways, including:
- Tracking stress levels among the workforce
- Helping to boost productivity – by showing which workers lack focus and which ones are spending too much time on manual, repetitive tasks that could be optimized
- Building a fairer workplace by ensuring everyone pulls their weight
- Mitigating the risk of deliberate/accidental data leakage and poor security hygiene
On the other side, there are potential downsides, such as:
- Employees may find workarounds, thus negating any potential benefit
- Limited computer/device-based tracking may fail to record time spent thinking, problem solving and other non-digital tasks – giving managers a myopic view of worker productivity
- It cranks up stress levels, and may demotivate staff and sap morale
- Privacy and legal implications for the employer
Legal and privacy implications
Modern privacy and data protection laws add an extra layer of risk for organizations wanting to deploy bossware. It’s important that any schemes are implemented in line with local laws and regulations.
- The EU-wide GDPR does allow workplace monitoring, but within a specific set of guidelines. Organizations must create clear policies informing their staff about any employee monitoring schemes, and work hard to make deployments as unobtrusive as possible. Covert, exhaustive monitoring of things like internet usage and communications content is not allowed. Organizations wanting to monitor private communications like emails must also outline a clear legal basis for doing so. And there are strict rules around protecting any employee data, ensuring it’s only used for the purposes it was collected for, and that only relevant info is collected, for the minimum time necessary.
- In the US, federal privacy law the Electronic Communications Privacy Act (ECPA) allows monitoring of electronic communications like email as long as it’s for legitimate business purposes and done on a work-issued device/computer. It also sanctions monitoring of social media and internet activity, and even keylogging and screen recordings. However, while federal laws do not require prior notification of such activity, some state laws may demand employers gain consent before implementing employee monitoring. Organizations are also responsible for the security of any data they collect, and all must have a clearly defined policy on employee monitoring.
Implementing fair staff monitoring practices
It should be clear from the above that employee monitoring is not a workplace initiative to be taken lightly. No two organizations or legal frameworks are alike, but some high-level best practices may include:
- Consider and outline the lawful basis for implementing the scheme.
- Ensure monitoring is necessary and proportionate and does not overly intrude on the lives of your employees.
- Consider the extent of your monitoring. Will it include emails, app and internet usage and calls? To avoid legal trouble, it may be useful to remind staff to use only their personal devices for personal matters, and only work devices for corporate matters.
- Be as transparent as possible with staff on what you’re planning to do and why – documented in full in a clear and standardized policy.
- Ensure any collected data is protected from loss, damage or theft and that it is only visible to authorized users.
- Follow data minimization practices by deleting any collected data as soon as it is no longer needed.
- Consider alternatives to staff monitoring such as training sessions and/or regular performance reviews.
- Consider whether monitoring is necessary across the organization or if it could be confined to a smaller part of the business.
The best policies will strike a difficult but necessary balance between the business demands of the organization and the privacy rights of its employees. Transparency and dialog are key to keeping staff on board in a new hybrid working era.
For 30 years,
has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit or follow us on , and .