Privacy-Related Aspects of Monitoring Remote-Working Employees

15 June 2023

Dear clients and colleagues,

We would like to inform you that the Protection of Privacy Authority at the Ministry of Justice (the “PPA”) has recently published an official guideline regarding privacy-related aspects of monitoring remote-working employees (the “Guideline”). The topic of remote employment, and of an employer’s ability to monitor its employees’ performance while they work remotely, has accelerated since the outbreak of the COVID-19 pandemic and the significant rise in the “working from home” employment format. In the Guideline, the PPA states that the rise in recent years of the remote employment format resulted in a parallel rise in the technological measures employers implement to monitor their employees working in such format (the “Monitoring Measures”). Many employers are required to deal with the question of what Monitoring Measures they can use to protect their legitimate interests.

Since remote employment normally takes place in the most private and intimate space of the employees – their home – the use of Monitoring Measures poses significant challenges in relation to protecting the privacy of the employees and their families (including minors). While the PPA does not intend to narrow down the format of remote employment, it wishes to ensure that when implemented, appropriate privacy-related aspects are addressed.

On that basis, the PPA details in the Guideline the main risks to privacy in connection with the use of such Monitoring Measures, presents its legal and professional position on the topic, and provides employers that enable remote employment with its guidelines and recommendations regarding the Monitoring Measures used or contemplated to be used by such employers.

Following are the key principles of the PPA –

  • Privacy Risks: The privacy risks posed by using Monitoring Measures include, among others, collecting personal data without consent (explicit or implied), “policing” and harming the employees’ sense of control of their own privacy, collecting sensitive data and its exposure, collecting and storing excess data, data leakage and misuse of personal data.

 

  • Proportionality, Legitimacy and Principle of Purpose Proximity: The data protection laws generally permit the employer (subject to the provisions of the law) to use monitoring measures in the workplace – both at the office and remotely – but only if such use is reasonable and proportionate, made for a legitimate purpose and interests of the employer and the workplace, while adhering to data security rules and the principle of purpose proximity. For example, the employer shall refrain from using Monitoring Measures beyond the working hours during which the employee makes himself available to the employer, and if the employer wishes to prevent access to certain websites, it shall use measures to block access to those websites as opposed to monitoring all websites accessed by the employee.

 

  • Categorizing Monitoring Measures by Intensity of their Privacy Violation: The PPA differentiates between various Monitoring Measures, and divides them into three groups, according to the extent to which they may violate the employees’ privacy –

 

  • Non-harmful measures – Measures that do not involve collecting personal data pertaining to the employee (such as measures to block access to certain websites or measures that prevent the ability of the employee to download apps).

 

  • Low-impact measures – Measures that involve collecting non-personal data about the employee’s performance, which may result in collecting personal data to some extent (e.g. measures to monitor the use of the organization’s operational systems).

 

  • Highly-invasive measures – Measures that involve collecting personal and sensitive data about the employees, e.g. tools to track websites accessed by the employee and the content of his email box, measures that control the use of webcams and microphones for photographing or eavesdropping on the employee and his surroundings, tools to monitor and capture mouse movement, keyboard usage (keyloggers), screenshots and eye movement, measures to collect geolocation data through devices or software installed on a digital device or vehicle assigned to the employee, tracking tools based on biometric data, etc.

 

The use of highly invasive measures raises real legal concerns, and the PPA’s position is that such use shall take place only in exceptional cases, where there is a professional and specific justifiable purpose, and provided that such use is proportionate (the burden of proving the foregoing and the lack of less invasive alternatives will be borne by the employer). Moreover, according to the PPA, the use of such measures (and all the more so if such use is continuous), without justification and in circumstances where the monitoring purpose can be achieved by less invasive measures, will seemingly be deemed disproportionate (and it may even amount to an infringement of privacy).

 

  • Notifying the Employees: Employers are subject to increased notification obligations (due to the inherent disparity of power between employers and employees). With respect to highly invasive Monitoring Measures, employers cannot rely on a general notification, and they need to describe, in writing and in full transparency, the policy prevailing in the workplace regarding how the monitoring will take place and how the data will be used. Such description shall include, among others, the manner in which such Monitoring Measures are used; the types of data collected; the frequency and timeframes of the monitoring; where and for how long the data will be retained; and all permitted and prohibited usages of the computer and its applications during the remote employment (similarly to the ruling of the National Labor Court in the Isakov Case regarding monitoring an employee’s email box).

 

  • Employees’ Consent: It is critical to obtain the employee’s consent for collecting his personal data via Monitoring Measures for the purpose of tracking and monitoring his performance during remote employment, and such consent must be informed and given of the employee’s free will. An employer that did not obtain such consent from its employees shall refrain from collecting personal data pertaining to them. An employee’s consent cannot legitimize disproportionate use or use for an undefined and illegitimate purpose. Nevertheless, in circumstances where the use of Monitoring Measures is proportionate and legitimate, the employer is entitled to require the employee to provide his consent, whereas refusing to do so may bear implications with respect to the employment relations. Having said that, consent is also connected to the alternatives available to the employee – in case the employee has no real option in lieu of remote employment (as was the case during the COVID-19 lockdowns) – it would be difficult to view such consent to monitor the employee’s performance as a consent given of the employee’s own free will; however, in case the employer enables the employee to choose whether to work from home or from the office (and his decision will not bear any negative consequences with respect to his employment) – the tendency to view such consent as a consent given of the employee’s own free will would be higher.

 

  • Photographing and Eavesdropping Monitoring Measures: Using measures to photograph and eavesdrop may inherently result in collecting highly sensitive data about the employee and his household members (including minors), which is not relevant for the employer’s needs. According to the PPA’s view, an employer shall refrain from using such Monitoring Measures, except in extreme scenarios which involve a vital necessity to do so, when other measures used were inefficient, after the employee gave his informed consent of his free will, and after the employer ensured that such use will take place during the employment hours. In addition, the employer must refrain in such scenarios, as much as possible, from collecting data about others, and must act to ensure that data collected incidentally about the employee’s household members (and other irrelevant persons) is not retained in the employer’s databases.

 

  • Minimization of Excess Data: During the use of the Monitoring Measures, data which is unnecessary or non-relevant for the monitoring purpose may be collected. Such data is regarded as “excess data”. The employer shall refrain, as much as possible, from collecting and maintaining excess data. Collecting and maintaining excess data might constitute, in certain circumstances, a violation of the employer’s data security obligations, and it might even amount to an infringement of privacy. While, in order to comply with its data security obligations under the Protection of Privacy Regulations (Data Security), 5777-2017, the employer shall review, once a year, whether the data it stores in its databases exceeds what is required for the databases’ purposes, the PPA clarifies that there may be instances where it would be preferable to perform such review several times during the year. The PPA recommends that employers perform these reviews several times a year and ensure that they store data collected about the employees within the framework of the monitoring only for a period which corresponds to the collection purposes.

 

The Guideline of the PPA is available (in Hebrew) – Here.

The PPA’s Guideline provides employers with a framework for how they should act, and the PPA’s guidelines and directives are adopted in many cases in the jurisprudence of the labor courts. Employers that wish to review whether the measures they operate in order to track and monitor their employees’ performance while working remotely are in line with the Guideline of the PPA are invited to contact us for advice.

 

The Commercial Department                                           Labour Law Department

 

Herzog Fox Neeman
