Ethics, POPI and monitoring

01 December 2020 | Compliance - Regulatory | General | Myra Knoesen

When the Covid-19 pandemic forced the world to go online, organisations that had resisted remote working for years began living out their worst fears… will the work get done?

Some companies trust their employees to achieve their deliverables without constant monitoring and assessments, but others have installed tracking and surveillance tools onto devices to ensure their people complete their work.

While this approach may be entirely legal, it does not necessarily win employee favour or trust. Additionally, how do embedded surveillance mechanisms impact the employee’s rights when it comes to the POPI Act?

CRS Technologies hosted a webinar on the ethics of employee tracking where insightful discussion took place.

Working from home

“Why pay for office space when you can work from home? That is a question on many people’s minds, but there are pros and cons. A lot of companies never thought of the work from home environment and then boom, Covid-19 happened, and we all had to take it home. Security officers scrambled… risk, risk, risk! Not a lot of people were prepared… all of the current information security did not cater for remote workers at this scale, and security professionals had to replan in the shortest possible time on how to secure this environment, which includes, for example, VPN setups at a large scale. Companies were concerned about their data and how they could or should protect their data,” said Jorina van Rensburg.

“People love working from home, but there is risk. Cybercriminals are targeting employees and we have to monitor our networks to see what is going on. Fraud and risk are the biggest factors. It is time consuming and tough for cybercriminals to get through perimeter security, so instead, they are targeting individuals using tactics such as phishing and malware. There are many solutions that can be used to protect the company from these attacks, but what about the insider threat? You cannot protect what you cannot see, and it is for this reason that we believe that a solution with artificial intelligence can protect companies, by monitoring the anomalies that happen on their infrastructure, and even more so, for remote workers,” added van Rensburg.

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

Employee tracking

Companies often monitor employee productivity as well as HR, criminal, viral and system risks, among others. There are, however, ethical issues with this.

“It is fine to monitor networks but when we stop monitoring networks, and start monitoring individual activity, it becomes a big ethical issue and it is invasive. When you recruit an individual, you recruit based on trust. If you did not trust the individual in the first place, you would not have recruited that person. Instead of monitoring an individual, monitor day-to-day metrics in terms of performance and that the individual achieved the outcome or goals set for the day, whether they worked from 9am to 12pm, or from 8am to 5pm, as long as the job gets done,” said Nicol MyBurgh, Head of the HCM Business Unit at CRS Technologies.

“On the ethical side, monitoring remotely is a big concern if employees do not know they are being monitored. The Protection of Personal Information (POPI) Act tells us that employers cannot process personal information without consent. If an employee has not given you consent to monitor them in terms of photo, video, personal information, etc., that is going against the POPI Act,” added MyBurgh.

According to van Rensburg, you cannot read the POPI Act in isolation from other legislation; there are a lot of factors at play. “Companies are allowed to monitor information on their infrastructure (in other words if the device belongs to the company), the company has a right to monitor and protect its environment and employees, providing that the employee has signed the information security policy of the company and that the policy has a clause that informs the employee that they will be monitoring the infrastructure.”

“Just like the POPI Act, the ECT Act (or Electronic Communications and Transactions Act 25 of 2002) allows employers to monitor employee communications but the monitoring of communications must be done lawfully. All employees who use the system must be informed of the fact that monitoring may take place. Don’t monitor employees to abuse from a marketing perspective, or out of vindictiveness, but monitor employees from a risk and productivity point of view. Monitor to ensure outcomes are achieved for both the employee and employer, whether they work from 8am to 5pm, or from 9am to 12pm,” added van Rensburg.

“Employees also have the perception that their employers are watching them for all the wrong reasons. They need to understand that monitoring is done to protect the employer’s data, systems etc., and it is for their own good too. As much as the employer may find anomalies regarding an employee, the same is true when an employee is innocent in using the same solution to prove their innocence. So, it goes both ways,” concluded van Rensburg.

Track metrics, instead of individuals

“An engaged employee is an invested employee, so they are less risky. There are many alternatives to monitoring on a daily basis. With or without using technological intervention, make sure employees know their daily tasks and goals, and what is expected of them,” said MyBurgh.

“Shift to output-based performance management and be clear on expectations, for example the hours of work and focus areas or deliverables. Identify where the roadblocks are to fix inefficiencies. If you put this in employees’ hands, we should trust that they will report back,” concluded MyBurgh.

Writer’s Thoughts:
MyBurgh concluded by saying that organisations should focus on recruiting well, engaging and involving their employees. “Track metrics, instead of tracking individuals and maintain that trust.” Do you agree with this? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at myra@fanews.co.za

Comments

Added by Henry Murray , 27 May 2021
The fact that you can't read POPI Act apart from the legislation act. Too many things to consider.