Hemu Nigam
Mar 26, 2020

Are Your Workplace Policies Up-to-Date?

Covid-19 is forcing many business employees to work from home for the foreseeable future, but allowing employees to use personal devices for business purposes can expose employers to many risks.

The coronavirus and the measures undertaken to combat it are forcing businesses to reconsider the way they operate. With medical professionals ordering us to engage in “social distancing,” and many states implementing “shelter in place” orders and similar restrictions, the immediate substitute for the workplace has become people’s own homes. One way employees can help enforce social distancing measures from home is to use the Syndesy app check in feature. 

Thankfully, we live in a digitally-powered world where the majority of white-collar professionals can continue to earn a living online from the comfort of their living room. However, this national shift to remote working does not come without its challenges for employers. In addition to dealing with security, access, productivity, and work culture concerns, employers have to ensure that their policies regarding employee privacy are satisfactory.

If prior to the outbreak of Covid-19, your company had employees working from home, then we are going to assume that you already had the requisite workplace policies in place that detailed your remote working guidelines. If this is the case, then nothing major changes to your business practices, as you are no stranger to this business model.

However, for companies that did not previously have remote workers, and are now hurriedly making the switch in response to the virus, the issue is whether their existing workplace, remote working, or electronic use policies are adequate in light of this ongoing pandemic.

The bottom line is this. If you are an employer that has been forced into letting your employees work from home, then you must provide all employees a remote working addendum to the company’s existing workplace policy or employment agreement. This policy addendum must be read and signed before anyone begins working from home.

Some employers expect their employees to remotely access company systems and networks on personal machines and devices, while other employers have issued company laptops and other devices to their employees.

Whichever model you implement, consider it your duty as an employer to articulate all of the guidelines and expectations in a remote work policy. Doing this will establish ground rules to keep the program efficient and manageable, and will also guard against any potential employee misunderstandings and legal problems.

Now, if you are interested in monitoring your employees, you have a well-established legal right to do so. Courts have continually held that employers have a legitimate interest in how their employees spend their work time and that people mostly do not have a reasonable expectation of privacy when they are at work.

Unsurprisingly, this makes many employees uncomfortable. If working from home on a personal machine, they may believe that this gives their employer unlimited access to look at and gather their photos, messages, calendars, and other personal information from their devices. If working on company-owned equipment, they might think that they are free from employer monitoring on that device after-hours.

Therefore, your remote work policy should serve to allay any fears employees have by explicitly detailing what should be expected as appropriate access by the company. Specifically, it should cover the types and regularity of monitoring being used, who collects the information, the types of information collected, what is done with this information, and how long it is stored.

Additionally, it must be written in plain English, not legal jargon. The more complicated it is to read and understand, the more skeptical your employees become of you, which is never good for morale. It may also be beneficial to include a section on what employees should do if they believe the policy is being violated, or if they have any suggestions to improve it.

In short, your policy must warn the employees that the company has the right to monitor any activity that occurs while they are using company-owned devices or are accessing a company-controlled network or system (such as a VPN). Once an employee acknowledges this, they then no longer have a reasonable expectation of privacy as to any personal device usage or personal information stored on the device or network. However, this does not give employers full access to any and all areas of a private device. Seek counsel from experienced workplace privacy counsel before you start monitoring remote workers.

Being transparent in your policy and managing your employee’s expectations will go a long way in fostering trust with your employees, as well as ensuring the integrity of the remote working business model.

– Hemu Nigam with Rick Worsfold

Hemu is an adjunct professor at Pepperdine Caruso School of Law where he teaches Business Perspectives in Workplace Privacy and Data Privacy and Security. He is also the head of Cyber Security Affairs specializing in cyber security, privacy and intelligence related legal and consulting services.

Ricky is currently a 2L at Pepperdine Caruso School of Law and a legal intern at Cyber Security Affairs.