Employee Computer Monitoring: What Employers Can & Can’t Do

TL;DR

Employers can monitor internet traffic on company-owned devices, but it’s much more complicated with personal computers. Generally, they need your consent to track activity on a personal device, even if used for work. There are legal limits and privacy considerations – transparency is key.

Understanding the Rules

1. Company-Owned Devices: Employers have more rights here. They usually can monitor internet usage, emails, files, and applications. This is often outlined in their IT policies.
   Example Policy Snippet: “The company reserves the right to monitor all activity on company-issued laptops, tablets, and phones for security and compliance purposes.”
2. Personal Devices (BYOD – Bring Your Own Device): This is where it gets tricky. Employers generally cannot secretly monitor personal devices without your explicit consent.
   • Consent: They need to clearly explain what they’re monitoring and why, and you must agree to it – often in writing (e.g., a BYOD agreement).
   • Limited Monitoring: Even with consent, the monitoring should be limited to work-related activity. They shouldn’t be snooping on your personal emails or browsing history unrelated to your job.
3. Legal Considerations:
   • Data Protection Act 2018 (UK GDPR): Employers must comply with data protection laws when collecting and processing any personal data, including internet usage information.
   • Employment Law: Monitoring shouldn’t be intrusive or create a hostile work environment.

How Employers Might Monitor (and How to Check)

1. Network Level Monitoring: They can see websites visited and data usage on their network, regardless of the device.
   Checking: Ask your IT department if they use a web filter or content monitoring system.
2. MDM (Mobile Device Management) Software: If you’ve installed MDM software on your personal phone for work access, it could allow remote control, app management and data tracking.
   Checking: Look in your phone’s settings under ‘Security’, ‘Privacy’, or ‘Device Admin’.
3. Endpoint Detection and Response (EDR) Software: Some EDR tools can monitor activity on devices. These are more common on company machines but could be installed on personal devices with consent.
   Checking: Check your list of installed programs for software like CrowdStrike, SentinelOne or similar.
4. Email Monitoring: They can monitor work emails sent and received through their email servers.
   Checking: Read your company’s email policy.

What to Do If You’re Concerned

1. Read Your Company Policies: This is the first step! Understand what they say about device usage and monitoring.
2. Ask Questions: Talk to your IT department or HR representative if you’re unsure about their monitoring practices. Get it in writing.
3. Review Consent Agreements: If you’ve signed a BYOD agreement, carefully review the terms before agreeing.
4. Use Separate Accounts: Keep personal and work activities separate on your devices.
5. Consider Legal Advice: If you believe your privacy has been violated, consult with an employment lawyer.

Important Note

This information is for general guidance only and isn’t legal advice. Laws can change, so it’s always best to seek professional advice if you have specific concerns about cyber security or employee monitoring.