Cybercrime can happen to any organisation—it’s almost inevitable. Hackers intent on accessing your data may target you or your employees and prevent you from accessing vital IT systems. While preventative measures like installing advanced security systems and raising awareness are crucial, cybercrime can still occur.
Monitoring is another key defence against hackers and malware. Security monitoring involves automated processes that detect and analyse suspicious activities or unauthorised changes in your network, allowing you to respond promptly. For example, antivirus services actively monitor devices for threats. The specific type of security monitoring required varies depending on an organisation’s systems, networks, and level of control needed.
Can I lawfully monitor my employees?
You can also monitor your employees’ activities. This may include:
- internet usage (such as websites, email, and social media);
- their geolocation, and
- app usage.
You can extend this to monitoring when employees are working versus when they are not. This can increase work productivity (arguably, only if they know they are being monitored).
Internet monitoring
Most organisations focus on this type of monitoring. You can monitor how employees use the internet to ensure that they are visiting only those websites they’re allowed to access from their work devices. If employees are visiting prohibited websites or untrustworthy sites, you can then do something about it to ensure they stop.
Geolocation
Geolocation is the identification of the geographic location of an object (like a computer) or a person (like an employee). This tool can be used to track company cars, work devices, and employees during working hours.
There aren’t usually privacy concerns when you identify the location of an object, but you need to consider the following when monitoring an employee’s location:
- whether it is lawful to geolocate your employees, and
- whether your employees are exposed to risks if some people can track their movements.
To answer the first question – yes, it is lawful to monitor your employees’ location. However, privacy considerations cannot be excluded. Both POPIA and the GDPR include location information in the definition of personal data. They set the requirements for processing data lawfully so that data subjects can be safe from harm. Processing includes the collection, use, and storage of geolocation data. The requirements for lawful processing include ensuring that:
- the personal information is complete and accurate;
- the data subject knows why it is being processed; and
- there’s a good reason for the processing (for example, the data subject consented, it is the responsible party’s duty to process, or it is to the benefit of the data subject).
Data protection laws also require you to ensure that the security of the information is adequate for the level of risk it is exposed to. POPIA requires you to ensure that the security is reasonable and not just appropriate.
So, do I have free rein to monitor my employees?
No, you don’t. Monitoring in the workplace must be done lawfully. In South Africa, the monitoring and interception of communications is governed by the Regulation of Interception of Communications and Provision of Communication Related Information Act, 70 of 2002 (RICA).
RICA generally prohibits all forms of monitoring. However, there are exceptions. In some instances, communications may be monitored or intercepted:
- by a person, if that person is a party to the communication;
- with the prior written consent of a party to the communication; or
- when the interception occurs in connection with the carrying on of business.
An employer must decide whether to base employee monitoring on prior written consent, the business exception where written consent is not required, or a combination of both.
Employers can obtain prior written consent using employment contracts. Employment contracts may also include references to the processing of personal information and interception of communication. Meanwhile, the last exception almost acts as a catch-all exception for monitoring employees that occurs in connection with the carrying on of a business. It is sufficient to justify the monitoring and interception of communication in connection with business operations, but you must be able to make a genuine case for the connection.
Privacy considerations
From a data protection perspective, it is best practice that you:
- implement a monitoring policy for employees to inform them of the types of monitoring they’ll be subjected to and the circumstances which will make monitoring necessary;
- use appropriately worded consent forms which detail the reasons for the processing;
- implement measures to ensure the integrity and confidentiality of the data; and
- ensure that processing complies with POPIA.
What about my right to privacy?
The right to privacy is not an absolute right and it can be limited. RICA is an example of a law that limits this right. The effect of this is that employers are entitled to monitor and intercept electronic communications in certain circumstances, even though such actions will amount to an infringement of the employees’ right to privacy. However, POPIA ensures the protection of employees’ information and maintains their right to privacy. The employer, as the data processor, still has the duty to process an employee’s information in compliance with POPIA.
What if I work remotely for an international organisation?
Even if you work remotely for an international organisation, you are bound by South African laws. RICA will apply to them as much as it would to a South African-based employer.
How do I monitor employees who work from home?
Many organisations have now adopted a hybrid work-from-home model. This arrangement, while accommodating, poses challenges for monitoring employees and heightens the risk of cybercrime because of limited oversight. Deploying software that assesses the time spent on websites or programs becomes important for employers wanting to ensure both productivity and protection. Various lawful monitoring tools and apps cater to remote employee oversight, enabling employers to monitor home-based employees effectively. This approach benefits employers by supporting staff productivity and safeguarding data against potential cyber threats.
Actions to take next
- Join our cybercrimes programme to understand how to lawfully monitor your employees.
- Check out the Michalsons guide to complying with RICA.
- Read more of our cybercrime insights.
- Conduct a cybercrime impact assessment to determine your risk level.