On May 17, 2023, Israel’s Privacy Protection Agency (PPA) issued a document regarding privacy aspects of tracking employees working remotely. The document analyzes the law that applies to tracking remote employees working fully remotely or under a hybrid schedule. It further provides guidelines to employers on compliance with legal requirements for protecting employees’ privacy while tracking their work.
In the PPA’s opinion, as a general rule, privacy protection laws allow employers to use technologies for tracking employees working remotely, subject to necessary restrictions. The use of such technologies must be made in a legitimate, reasonable, and proportionate way, and relate to the legitimate interests of the workplace. Employers using surveillance measures to track employees must inform them in advance of using these surveillance measures and obtain their consent. They must restrict the use of tracking measures to the intended objective and ensure that the tracking complies with data protection rules.
The following are specific requirements of the guidelines regarding the use of tracking devices.
Means of Tracking with Potential for High Degree of Privacy Infringement
The use of certain means of tracking is considered by the PPA as likely to exceed what is needed and permitted by law. Such means are considered to potentially pose a particularly high degree of privacy infringement, and their use must be proportionate and limited to exceptional cases involving a specific justifiable professional objective for the use. These requirements clearly apply to means of photographing and listening to employees in their homes. Specific means of potential high degree of privacy infringement also include:
1. Scanning and monitoring the websites visited by the employee and the content of the employee’s personal email.
2. Controlling the webcam and microphone on the employee’s digital devices in order to monitor the employee and their surroundings.
3. Monitoring mouse movement and the employee’s use of the computer keyboard by a keylogger.
4. Taking a screenshot of the employee’s computer.
5. Using eye tracking devices to examine what the employee views while they are in front of the computer.
6. Collecting location data of an employee using trackers installed on the employee’s digital devices or vehicle.
Exclusivity and Proportionality
A tracking means chosen by an employer must be consistent with the purpose of the surveillance. Information collected for one purpose may generally not be used for another. In addition, an employer must choose a means whose implementation will cause the least infringement of an employee’s privacy.
Restricting the Collection of Private and Incidental Information
An employer considering using technological means to track employees at home should take into account the extent this would violate the privacy of the employees and their family members. The employer must ensure that information collected incidentally about members of an employee’s household and any other irrelevant persons will not be stored in the employer’s databases.
Limiting Use of Surveillance to Work Hours
Out of concern that surveillance could leak into the employee’s private time, the employer must refrain from using it outside of work hours.
Duty to Inform
Employers must inform their employees of the purpose of using technological means to monitor their conduct while working remotely. When means of a particularly high degree of privacy infringement are employed, employers must provide employees, in writing and with full transparency, information on the method of monitoring and the use the information.
Employee’s Consent
An employer must refrain from collecting personal information about an employee without the employee’s consent. However, in circumstances where the means used for remote monitoring are carried out according to the requirements of proportionality and legitimacy, an employer may require an employee to give consent to the collection of information about the employee. Regarding an employee’s refusal to provide consent, the guidance states that it “focuses on the issue of infringement of privacy, and does not deal with the question of the reasonableness of an employee’s refusal of an employer’s request for the use of proportionate and legitimate remote surveillance measures, or the meaning of the refusal of the request at the level of labor relations.”
An employee’s consent cannot legitimize the disproportionate use of surveillance, or surveillance executed for an undefined, illegitimate purpose or one not connected to the legitimate interests of the workplace.
Limiting Retention of Unnecessary Information
Employers must refrain, to the extent possible, from collecting and storing information about employees that is not necessary for the purpose of the tracking or the database in which the information is preserved. Employers are obligated to examine, at least once a year, whether there is a need for the continued retention of the information.
Employers may retain personal information about their employees that was collected in the course of tracking only for a period consistent with the purpose of the collection of the information and the purpose of maintaining the database in which it is stored.
Ruth Levush, Law Library of Congress
June 21, 2023
Read more Global Legal Monitor articles.