Monitoring in the Workplace

This article touches on the possible ways of monitoring employees, privacy aspects of employee monitoring, privacy and Singapore law and the future for privacy legislation in Singapore.

An employer’s need to know is insatiable. It starts with the interview process where a prospective employee is probed and questions asked of him. Once on the payroll, the employer needs to equip the employee adequately so that the employee might be productive, thereby generating profits for the company. In days not too long ago, such equipment may be limited to machinery on the shop floor or pen and paper if the employee is desk bound.

In today’s context, employees need to be equipped differently. Employers these days have to provide their staff with access to advanced computer technology, sophisticated telephone applications, e-mails and internet connectivity simply to ensure that their company has a fighting chance to survive the competition. As a result, employees now have at their fingertips access to extremely versatile communication and information networks. They can now easily communicate with co-workers or customers, conduct research or store information with a click of a button. In short, workers these days are more knowledgeable than their predecessors and are expected to be so by their employers.

However, the downside to providing such technology and access to employees is the potential for abuse. Surfing the Web during office hours may be a welcome distraction, but from an employer’s perspective, it is an inexcusable waste of time.

E-mails may speed up communication but employees may use these resources to access offensive e-mail or send personal communication. Careless use of information technology resources may even jeopardise the security of the company’s proprietary information, as unsecured external connections may prove to be easy entry points for hackers.

In order to allay their concerns about productivity and security, companies have taken to monitoring their employees by using a combination of tried and tested methods and new means made possible by the very technology which brought forth such issues in the first place.

Previously, workplace monitoring was limited to tapping employees’ phones and physical inspection of employees’ offices. However, as noted above, technological changes have led to the development and use of more sophisticated equipment. Equally, this technology makes employee monitoring less easily detectable and to a certain extent, capable of being more invasive than before.

Privacy is an individual’s right to keep his or her personal matters secret. In some other context, privacy has been described as the right to be left alone. The obvious consequence of employee monitoring, regardless of whether the manner of surveillance is covert or overt, is the employee’s loss of privacy in his personal working space.

On the other hand, it could be said that all employees must necessarily agree to a certain amount of monitoring. For example, the time at which an employee reports for duty and when he leaves the office for the day is recorded. Similarly, the company may need to know where each of its employees is located at any moment of time so that customers may be better served. Further, it may be argued that the office and office resources are meant for work related purposes only. The telephones, e-mail and internet access are available to the employee to make it easier for them to carry out their jobs and not for personal use. Similarly, private offices and cubicles are working spaces provided by the company, and they are provided with the intention of creating a conducive and personal environment for productive work.

The paragraph above illustrates two concepts of privacy relevant to the workplace: (a) ‘locational’ privacy, ie the employee’s location within or without the office at any given point of time; and (b) what writers would term as ‘activity’ or ‘situational’ privacy. The latter type of privacy concerns itself mainly with the way an employee uses company provided resources. For example, an employee might use the company telephone to conduct his private business or use the company computer system to surf the internet for leisure. Certain kinds of monitoring, eg video surveillance, touches on both ‘locational’ and ‘activity’/’situational’ privacy.

It is clear that monitoring would impinge on an employee’s privacy at the workplace in one way or other. And if the information generated from the monitoring (eg keystroke logs) are kept, then a further issue of privacy in relation to those records arises.

Assuming that a Singaporean employer wishes to press ahead with monitoring his employees, is there anything that the employees can do to either prevent or force the employer to modify his plans?

In Singapore, an employee alleging breach of privacy will be hard-pressed to find legislative support for his position. The right to privacy is not guaranteed by our Constitution and to date, there is no over-arching law that concerns itself with privacy. Existing laws that are committed to protecting privacy and confidentiality are limited to clearly defined situations and in specific industrial sectors. Examples include the Statistics Act (Cap 317), Central Provident Fund Act (Cap 36), Banking Act (Cap 19) and Telecommunications Act (Cap 323). Even so, these statutes protect data or information and not whether an employee may be monitored by his employer.

However, some existing laws may be used or be interpreted in such a manner as to forbid employee monitoring in certain circumstances. For example, s 509 of the Penal Code (Cap 224) states that:

Given this provision, it is unlikely that any employer would implement video surveillance in ladies’ restrooms.

Although the common law does not protect the right to privacy, the employee may claim that intrusive monitoring constitutes an act of trespass especially if the employer routinely conducts physical inspection or searches of the employee’s workspace. However, to succeed on this ground is difficult. The traditional tort of trespass to land consists in ‘any unjustifiable intrusion by one person upon land in the possession of another’,¹ and is only actionable by the person who is in possession of land, or who can claim damages or injunction, or both. The problem lies in the fact that the employee merely has a licence from his employer to occupy the office or cubicle and, therefore, does not have any standing to sue his employer for trespass; he is not in possession of the office or cubicle. It would also be a stretch to argue that by monitoring the employee’s e-mail box, the employer has trespassed into the employee’s mailbox (which has been given to the employee in the first by the employer and is residing on the employer’s computer system).

The law of confidence may also be used to protect and prevent the employer from disclosing the employee’s personal information. In X Pte Ltd & Anor v CDE [1992] 2 SLR 996, the High Court held that in order for a claim to succeed under the law of confidence, it must satisfy three confidence elements: (a) the information to be protected had the necessary quality of confidence about it; (b) the information had been imparted in circumstances importing an obligation of confidence; and (c) there was an unauthorised use of the information by the defendant to the detriment of the party who originally communicated them. In this case, the High Court held that information pertaining to sexual conduct is confidential, although the necessary element of confidentiality is not always easy to satisfy.

It cannot be denied that there will come a day when formal privacy legislation is enacted in Singapore. The recent international trend is for individual countries to enact laws to protect privacy and data confidentiality; targeting the collection, storage and use of such information. It is likely that Singapore will follow suit, not only because such countries would want reciprocal protection for their citizens’ privacy and data, but also because the information age carries with it the potential of an unprecedented level of mischief that must be pre-empted by such laws.

In Singapore, the potential need for privacy legislation was recognised in as early as 1990, when Mr Lee Kuan Yew tacitly admitted that:

It is unclear if Mr Lee had in fact referred to the enactment of laws relating to personal data residing on computer databases or to laws concerning the protection of data in computer systems, whether or not such data is personal data. In any event, it should be noted that in 1993, Parliament passed the Computer Misuse Act (Cap 50A) and until today, there has been no legislation passed concerning protection of personal data.

The 1995 EU Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (the ‘EU Directive’) has also hastened the need for formal privacy legislation. Article 25 of the EU Directive prohibits EU nations from transferring personal data to third countries which do not guarantee adequate protection of such data, and arguably restricts the onward transfer of information to fourth or fifth countries which do not guarantee the same protection.³

The first step to establishing guidelines for data protection came in 1999, when the National Internet Advisory Committee (‘NIAC’) proposed an ‘E-Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce’. This voluntary, self-regulatory code aimed to encouraging e-commerce providers to ensure the confidentiality of business records and personal information of their users including the details of usage or transactions.

In 2001, the NIAC published a voluntary ‘Model Data Protection Code for the Private Sector’. The objective of this Model Code is to establish a benchmark for private sector organisations in the collection and use of personal data. It aims to consolidate the presently fragmented approach to data protection to create a uniform and comprehensive data protection regime. The National Trust Council adopted this Model Code and sought comments from the public. Recently, the Council announced that all Trust-SG accredited businesses must adopt the Model Code.⁴

However, the Code is voluntary and lacks effective enforcement mechanisms. The need for legislation in this area still remains. The current trend in most countries⁵ is the adoption of a single code for the protection of personal data. In some countries, such as Australia,⁶ the single code arose from an amendment of an earlier piece of legislation covering only federal public sector agencies and private sector credit providers.

Considering that there are few legal impediments to employee monitoring, and that employees really have almost no right to privacy in the workplace, why is it that employers should reconsider before implementing such processes?

Management philosophies have swung from the pursuit of high productivity in the past to the present pursuit of intelligent or ‘knowledge’ workers. To be sure, the ‘knowledge’ culture is premised on individuals willingly and freely sharing their knowledge with their colleagues. However, intrusive scrutiny by the management of the individuals’ activities may achieve the direct opposite effect of dampening the ‘knowledge’ culture, as such monitoring may be construed as a signal of distrust by the management. In an environment of distrust, workers tend to keep their most valuable knowledge close to their chests and are unwilling to share. It is thus not surprising that one of the foremost authorities on knowledge management, Professor Ikujiro Nonaka, emphasised that the managers must show ‘high care’ to the employees if the managers are to create a ‘knowledge’ culture.⁷

It cannot be disputed that people work better in an environment that they can consider ‘theirs’, such as in a private office or cubicle, or if they are given a personal locked drawer. A practice of springing a surprise inspection on the employee takes away the comfort and conduciveness of a private working space, and replaces it with unhappiness and paranoia. Moreover, should the inspection be carried out while the employee is away, the company may find itself open to allegations of theft should any of the employee’s belongings be lost or misplaced.

A blanket policy prohibiting personal telephone calls, e-mails and internet surfing may be put in place to curb non-work related behavior during working hours. In reality, such blanket prohibitions are often more respected in its breach than observance as enforcement of such a policy will be fraught with difficulty. Frequently, the responsibility of ensuring compliance with the company’s policies falls on the human resource managers, who may themselves be unhappy with the policies. Further, they may be unable to ensure compliance among all the staff, especially more senior officers of the company. It is also impractical to devote resources to strictly police the prohibition since a lot of manpower will be needed to watch video surveillance tapes, listen to telephone conversations and read e-mail, keep track of employees’ surfing patterns, as well as conduct unannounced inspection of office premises.

Too stringent a policy may also result in employees resorting to various ways and means of getting around the system.

A common reaction by employees to intrusive monitoring measures may be to avoid or minimise the use of the company’s computer network, preferring to work offline, use personal removable storage to store confidential company material, use the mobile phone instead of the company office line, and even to bring working files home so that they can work in a more ‘conducive’ environment. Such a situation would not only render the working environment counter-productive, it would put the company at risk of compromising control and security over its proprietary information.

In any event, it is unrealistic to expect employees to spend all their time in the office doing nothing but work. A short conversation, a glance at personal e-mail or a quick browse through an e-shopping site can help an employee relax and help him or her be prepared to deal with more stressful work ahead. The problem arises when employees spend too much time on personal matters and not enough on work, which is when the company should bring the employee to task.

An acceptable ‘half-way house’ solution might be for the company to adopt and promulgate an Acceptable Use Policy. The policy should define how company resources are to be used, and may include a list of prohibited activities (such as downloading pornography, online gambling or using the office telephone to conduct private business) and specify the penalties that will be levied against the employee found in breach. More importantly, the company has to decide on the extent to which it wants to enforce the Acceptable Use Policy and to have a system for enforcement, eg routine but unannounced security sweeps.

Most employers do not monitor their employees simply for the sake of monitoring them. Legislation and policies in this area ought to be formulated quickly, but until such time, both employers and employees must accept each others’ position. It is crucial for employers to accept that there are limits even when it comes to protecting their own interests and for employees to realise that their privacy in the workplace rests in part on them not abusing company provided facilities.

It is not disputed that an employer has clear economic interests to protect by knowing what his employees are up to. Yet, employees are right to expect that any such monitoring would not, without cause, intrude on their privacy and ability to operate autonomously.

1	RA Buckley, ‘Trespass to land and dispossession’ in Clerk & Lindsell on Torts (17th Ed, 1995) Sweet & Maxwell, London, p 837.
2	Speech by Prime Minister Lee Kuan Yew at the opening of the Singapore Academy of Law, 31 August 1990 (www.sal.org.sg/media_speeches_salPM.htm).
3	In addition, many EU Member States are in the process of either drafting additional legislation or proposing codes of practice to address data protection issues in the employment context. For example, in October 2000, the UK issued a draft Code of Practice on the use of personal data in employer-employee relationships. The UK Draft Code covers a wide range of topics including recruitment, employment records, access and disclosure and employee monitoring. Other EU countries have also either legislated the protection of employee information (Finland) or are in the process of considering such legislation (Sweden, Denmark and Germany). Within Asia, Hong Kong has published a ‘Draft Code of Practice on Monitoring and Personal Data Privacy at Work’. Public consultation on this paper closed on 7 June 2002 and it is expected that Hong Kong would promulgate the code pursuant to its Personal Data (Privacy) Ordinance in the near future. Additionally, Hong Kong also has a separate code, ‘Code of Practice on Human Resource Management’, dealing with the use and handling of personal data at each phase of the employment process.
4	See the National Trust Council’s press release, 17 December 2002, at www.trustsg.org.sg/pdf/mc_pr.pdf.
5	Malaysia does not have any privacy legislation as yet, but the Ministry of Energy, Communications and Multimedia (‘MECM’) has prepared a draft Personal Data Protection Act as part of the National Electronic Commerce Master Plan. The proposed legislation sets out nine data protection principles and has been circulated for comments. Hong Kong also has an ordinance on the subject, see endnote 4, above.
6	Privacy Amendment (Private Sector) Act 2000, building on the Privacy Act 1988.
7	Ikujiro Nonaka & Toshihiro Nishiguchi, Knowledge Emergence: Social, Technical and Evolutionary Dimensions of Knowledge Creation (2002) Oxford University Press.