Special Feature
Part of a ZDNet Special Feature: Navigating data privacy

Separating employee work time from personal time is the next privacy quagmire

If a staff member is on office wi-fi, a business could potentially access what they watched on TikTok or tweeted during their lunch break. But should it be done?

The debate around smartphones and smart devices 'listening' is nothing new, but as these devices and personal phones make their way into the enterprise and find themselves connected to office wi-fi, the debate around privacy is one that needs to be had.

Online activity reveals more to social media companies than most people realise; it could also reveal more to employers than realised.

"I think that people underestimate just how easily inferences can be drawn from multiple pieces of data that companies are gathering," said David Paris from the Australian Digital Rights Watch.

It's very easy for people to miss key points of data that can be linked, such as the individual being in close proximity to their parents' home, determined from location data on their phone matching with their parents' profiles. This can then lead to ads being served up for potential gift shopping ideas.

"And that's from four little pieces of information," Paris told ZDNet. "Where the two locations -- it's somebody's birthday and somebody's been browsing for some gifts online. And that's all the advertising platforms need to target an ad with reasonable accuracy."

Obviously, the more pieces of information that are added to that, the more accurate targeting can be.

"I can definitely understand people's huge discomfort at the seeming precision of the ads that have been sent their way. I think it's pretty easy to miss just how straightforward it is for that inference to be drawn," Paris said.

But consent is, more than ever, something the enterprise should be cognisant of, as these consumer products make their way into the workplace in growing numbers.

"When you sign up for any one of these services you click through these long and complex user agreements without understanding what you're signing up for. And the platforms have free rein to do whatever they like with that information," Paris continued.

"From a privacy management standpoint, that information should be belonging to the person it's about, not the platform that's using it."

But just as important as providing end users of products and services with privacy protections is ensuring that employee privacy is paramount, especially as staff use their personal phones at work or make small talk about their private lives around office smart devices.

"There's a fundamental breakdown in the barrier between work and home life over the past couple of decades," Paris explained. "Increasingly, we're seeing people's employment status threatened by behaviour they've undertaken outside of the workplace because it's viewable to employers. And similarly, if you're bringing your own device to work you are subjecting yourself to all manner of intrusive scrutiny from your employer with very little say in how that's managed or what information is made available to them."

Work wi-fi, for example, could be managed in such a way that every single URL that a staff member enters is viewable to a system administrator.

"The imbalance in power between bosses and workers has been really damaged by that kind of advance," he continued.

Whose side is the law on?

In Australia, businesses covered by the Privacy Act 1988 must take reasonable steps to protect the personal information they are entrusted with from misuse, interference, and loss.

Speaking with ZDNet, a spokesperson from the Office of the Australian Information Commissioner (OAIC) said that means being alert to the introduction of new technologies and processes that may pose a risk to privacy, such as the Internet of Things (IoT).

"We recommend any business initiative that involves personal information undergo a privacy impact assessment to determine the potential risk to consumer privacy and how it can be reduced," the OAIC said. "Businesses who take a privacy-protective approach that meets community expectations can often realise a commercial advantage by earning consumers' trust."

Generally, the Australian Privacy Principles (APPs) apply to most Australian government agencies, all organisations with an annual turnover of more than AU$3 million, and some other organisations which handle personal information.

The APPs are technologically neutral and apply equally to physical and virtual environments. This means the APPs are relevant and applicable to changing and emerging practices and technologies.

"It is important that employers understand their obligations under the APPs," the OAIC spokesperson said.

This includes the obligation to provide notice regarding their collection, use, and disclosure of personal information.

"In general, employers should not collect personal information unless it is reasonably necessary [for] their functions or activities," they said, putting it simply.

"Notably, the handling of employee records by a private sector employer is exempt from the Privacy Act if it is directly related to a current or former employment relationship. The application of the exemption will depend on the specific facts and circumstances."

The Privacy Act doesn't specifically cover surveillance in the workplace, however.

An employer who conducts surveillance or monitors their staff must follow any relevant Australian, state, or territory laws, which includes laws applying to the monitoring and recording of telephone conversations.

"It may be reasonable for an employer to monitor some activities to ensure staff are doing their work and using resources appropriately. If your employer monitors staff use of email, internet and other computer resources, and they've told you about the monitoring, this would generally be allowed," the OAIC wrote in guidance on the matter.

Paris would argue such protections aren't exactly sufficient in 2020.

"We're seeing the move to update privacy laws around the world and Australia is lagging miles behind," he said. "If we were in the EU or Canada or some states in the US, it would be a really different conversation because the protections have been updated to swing the balance back in favour of an individual person's right to privacy and to control the information about them."

"That's just not the case here."
