Privacy violation? Perhaps not…
15 January 2016 | 0
The recent ruling by the European Court of Human Rights (ECRH) that upheld lower court rulings allowing a Romanian company to dismiss an individual for personal communications has caused quite a stir.
The company had dismissed the sales engineer after it presented him with printed versions of instant messenger (IM) conversations he had conducted with his fiancé and brother. The company said it violated policy, while the engineer claimed the company had no right to go into his private communications.
On the face of it, this seems to be a violation of rights that sets a worrying precedent.
Increasingly, we are using the same device for work and personal purposes, irrespective of whether such devices are company owned, issued or supported.
Last year, in a survey of Irish IT pros, our TechBeat series found that more than three quarters (76%) said that they use one device for both work and personal use. However, more than half (57%) reported there were no mobile device management (MDM) systems in place, with more than two thirds (71%) saying there were no content restrictions implemented.
“Corporate data tagging and segregation have allowed companies to ensure that proper security measures can be implemented to protect data, allowing remote wipe or decommission without the user’s personal data being threatened”
The Bring Your Own Device (BYOD) trend has matured and now there are variants such as choose your own device from a company provided range, company owned personally enabled devices and more. All of this has meant that there is an expectation that there will devices in user for personal and professional purposes, that will not necessarily be under the complete control of the company.
Corporate data tagging and segregation have allowed companies to ensure that proper security measures can be implemented to protect data, allowing remote wipe or decommission without the user’s personal data being threatened. This kind of give and take, cooperative model has eased many fears over data protection and privacy from both sides.
The ECRH ruling appeared to have thrown much of this progress into question, as it appeared to uphold the employer’s right to look into personal communications and use them against the employee.
However, on looking into the facts of the case, a slightly different picture emerges.
Firstly, the incident took place in 2007 when policies around personal and business communications were not quite as well defined as they are currently. Despite that, the company in question did have a specific regulation pertaining to the use of company devices for personal use. The ECHR ruling quotes:
“It is strictly forbidden to disturb order and discipline within the company’s premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.”
Secondly, the device on which the communications took place was a company owned PC.
Another important point was that the transcript with which the employee was confronted was from a Yahoo IM account that the employee had set up at the behest of his employer for professional purposes.
Finally, the communications took place during working hours.
When all of this is taken together, an explicit policy, a work machine and work account and work time, it is pretty damning. One can see why the ECHR went the way it did, as there is no excuse for this kind of usage.
That said, in the spirit of mutual benefits, the company was a little harsh in how it dealt with the situation. With the increasing expectation of greater productivity by employers generally, as well as the pressures felt by employees to spend longer working hours, and indeed to work outside of office hours with mobile devices, there must be some give and take.
If an employee is performing their function to the satisfaction of the employer, does it really matter that they might occasionally deal with a personal issue during work time?
While I am not arguing that there is justification for misuse of company resources, there is a case to be made for a certain amount of leeway on both sides to facilitate a working arrangement. The company in question could have warned the individual, reminded him of the policy, and left it at that.
However, the wider lessons here are clear. Firstly, a policy governing usage, allowable, acceptable or otherwise, is always necessary. Secondly, where there is dual ownership or domain over a device, or communication channel, such as an IM account, LinkedIn profile or other professional tool that may belong to the employee but be of benefit to the employer, there must be a clear understanding of what can be reasonably expected from both sides.
But has highlighted, a good enterprise mobile management (EMM) or MDM system can circumvent many of these issues by being able to segregate data and protect privacy on both sides.
Finally, the employee in this case made a grave error in denying initially that he had used company resources for personal communications. Solid grounds were established for the employee being aware of monitoring of such channels and for him to deny what he was then confronted with was simply stupid.