Need a workplace monitoring policy? This article has the tips you need to get started with writing your electronic monitoring policy. We’ll also provide you with a FREE workplace monitoring policy template that you can download and customize to fit your needs.

Table of Contents

Monitor Your Employees With CurrentWare

CurrentWare’s powerful employee computer monitoring software solutions provide the insights you need to ensure that the devices in your network are used safely and productively.

• Improve Productivity
  Track unproductive web browsing, app use, and idle time to detect time-wasting 
• Intuitive User Activity Reports
  User-friendly reports make it easy to understand employee computer activity
• Enhance Visibility
  Get advanced insights into application, internet, and removable device usage

What is a Workplace Monitoring Policy?

A workplace monitoring policy—also known as an employee monitoring policy, electronic monitoring policy, or employee privacy policy—is a type of workplace privacy policy that is used to establish privacy expectations when monitoring employees in the workplace. 

These workplace surveillance policies and procedures are also used to…

• Communicate the company’s intent to monitor its employees
• Provide information about the categories of data collected
• Inform employees about how their data will be secured and used
• Ensure that the company is in compliance with workplace privacy laws such as the ECPA, GDPR, and CCPA.

What Are the Benefits of a Monitoring Policy?

Prevents Misuse of Company Resources

Employees that are aware that they are being monitored are more likely to adhere to company policies. A workplace monitoring policy works in tandem with acceptable use policies to ensure that employees understand what is expected of them when they use company-provided equipment. 

Set Workplace Privacy Expectations

Setting clear privacy expectations is essential when monitoring employees in the workplace. Having an employee privacy policy in place ensures that employees do not wrongfully assume that their computer usage is private when using company-provided IT assets.

The policy should also indicate to employees whether or not they are permitted to use workplace technology for personal reasons. If you will be monitoring their computer activity they must be informed that their personal use may be monitored so they can conduct themselves accordingly.

Without such a policy in place, your employees may use work computers for personal tasks without realizing that their traffic is being monitored. This could result in employees disclosing personal information that they may not want to be shared with those that have access to their user activity reports.

Get Informed Consent For Monitoring From Employees

Getting informed consent is paramount for introducing computer monitoring software to your employees. Covert electronic monitoring is not only a liability risk, it is a surefire way to have the monitoring perceived as invasive. 

Having employees acknowledge a workplace monitoring policy ensures that they are aware that their activity is being monitored, how their data will be used, and that their data is being kept secure from misuse. 

Should they have any privacy concerns they will have an opportunity to discuss their concerns with human resources, their manager, or a designated privacy officer.

Meet Data Privacy and Security Compliance Requirements

While not all jurisdictions require an overt disclosure, being transparent is still a best practice for monitoring employees in the workplace.

Besides, workplace privacy laws are constantly evolving. It is becoming increasingly common for employers to be required to notify their employees that monitoring is taking place. 

Having a workplace privacy policy in place ensures that your business can demonstrate that your employees are aware of their privacy rights and that they have consented to the monitoring that is taking place.

Without a privacy policy in place, there is also a risk that evidence of employee misconduct collected through workplace monitoring may not be admissible evidence.

In addition, workplace privacy policies often extend beyond the scope of employee monitoring to cover other forms of data collection, such as when personally identifiable information (PII) of employees is collected for benefits, payroll, etc.

Who Is Required to Have a Written Policy On The Electronic Monitoring Of Employees?

Workplace privacy and employee monitoring laws and regulations vary throughout each country, state/province, and jurisdiction. While not all companies will be required to have a written policy on the electronic monitoring of employees, having a monitoring policy in place is the best practice.

Employers that monitor their employees or networks in some capacity should have an employee electronic monitoring policy in place even if they are not legally required to do so—this will ensure that the organization is prepared for new regulations as they emerge. It will also ensure that their employees and users are aware of what is being monitored so they can fully understand the level of privacy they should expect on organization-owned systems.

For example, in Ontario employers that employ 25 or more employees on January 1 of any year are required to have a written policy on the electronic monitoring of employees in place. This requirement for a written policy on electronic monitoring of employees was introduced to the Employment Standards Act, 2000 (ESA) on April 11, 2022.

Furthermore, as of May 7, 2022, New York employers that monitor or intercept employee emails, internet usage, or telephone communications must provide written notice to those employees.

We’ve also seen similar transparency requirements in the California Privacy Rights Act and Europe’s General Data Protection Regulation (GDPR).

These examples serve as a reminder to employers that employee privacy rights are rapidly evolving, so they must follow the best practices for monitoring employees.

What To Include In Your Employee Monitoring Policy

Watch this video to learn the best practices for monitoring employees in the workplace. For more information, download our FREE employee monitoring white paper.

---

As workplace privacy laws vary from state to state and country to country, drafting a uniform policy for all jurisdictions is not practical. That said, these are the most important elements that employers should consider including in their employee monitoring policy.

Types Of Employee Monitoring Conducted and Their Purpose

The best employee monitoring policy will disclose what is being monitored (data collection) with an explanation of why it is being monitored (legitimate interests). Being transparent about the legitimate business reasons for data collection helps employees understand the benefits of workplace monitoring.

For example…

• Are you using video surveillance to deter theft, vandalism, and other crimes?
• Are you monitoring employee internet use to protect against high-risk and inappropriate web browsing? Will that same data be used to monitor for excessive non-work internet use?
• Are you monitoring phone calls from work-provided phones to ensure quality customer service?

Drafting this portion of the policy helps define the scope for employee monitoring so that your organization is clear about the benefits it seeks to gain. It also ensures that you (and your employees) have a clear understanding of how the data collection/processing fits into organizational goals.

Will Personal Devices Be Monitored? (BYOD)

Employees have a greater expectation of privacy on their personal devices. For that reason employers are typically limited in the amount of monitoring they can perform on personal electronic equipment, even if they are being used for work purposes. 

For that reason, organizations that want to monitor employees in a BYOD environment will often monitor the networks and/or remotely accessed workstations that the personal devices connect to instead.

A BYOD monitoring disclosure is an essential part of a workplace monitoring policy. If employees use their personal devices for work in this way they may not realize that the workstation or the virtual private network (VPN) that they connect to is being monitored. 

Is Personal Use of Work Computers Allowed?

Most companies realize that occasional personal use can help employees decompress in between work tasks. 

That said, if personal use is permitted employees must be made aware that employee monitoring software cannot reliably differentiate between personal computer use and work-related computer use. They must be informed that all personal use is being monitored and that authorized members of the organization may have access to it.

Note: In some jurisdictions allowing employees to use work devices for personal tasks may limit what can be monitored, particularly in the case of email monitoring.

Data Security and Privacy Measures

The data collected through employee monitoring software may be considered sensitive. For that reason, their activity data must be protected with the same standard of security that other forms of personal information would be protected.

Disclosing what administrative and technical safeguards that are in place also goes a long way to assuring employees that their activity data will be protected against misuse and unauthorized disclosure.

What Privacy Rights Do Employees Have?

Depending on the jurisdiction of your organization (and that of your employees) it will be subject to unique data security and privacy compliance requirements. Within your workplace monitoring policy, you can disclose what workplace privacy laws protect your employees so that they can be informed about their rights.

For example, European citizens may have privacy protections under GDPR or similar regulation, whereas an American employee may be protected by the CCPA or ECPA.

As a best practice, multinational companies should consider implementing similar privacy protections to all employees regardless of their geolocation. This ensures that the data collection feels fair and demonstrates to employees that their privacy is being protected out of genuine interest rather than simply being a compliance obligation.

Who Will Have Access to Their Data?

Limiting who has access to employee data is an important part of a data privacy and security plan. Employee activity data should only be made available to the individual employee and a select number of authorized representatives that have been trained on their privacy and security responsibilities.

This training will include…

• Based on the premise of the data collection, what are appropriate uses for the data?
• When should third parties or managers be permitted to view the data?
• Is there an administrative process for requesting access to the data, such as a manager requesting a log of web browsing activities to investigate an employee that is suspected of inappropriate or unlawful internet use?

When considering who will have access to employee information, you should consider access from authorized third parties too. Will employee data be shared when requested by law enforcement? What about for troubleshooting purposes with the monitoring software vendor? 

Note: As per our Terms of Service we will not have access to employee computer activity data unless it is directly provided by your company for troubleshooting purposes. 

Points of Contact for Employees

Employees should be provided with a designated point of contact that can field any questions or concerns that they may have. This person will typically be a human resources staff member, though it may be an internal privacy officer or external regulatory authority as well.

Workplace Monitoring Policy Template

Use this sample electronic monitoring policy as the foundation for your internal employee privacy policy. This electronic monitoring policy template contains the essential elements that you should cover when monitoring employees in the workplace.

BEGINNING OF TEMPLATE

Effective Date:	Version Number:	Last Revised:

Purpose of the Workplace Monitoring Policy

[COMPANY] (the “Company”) is committed to maintaining a transparent and fair workplace. Through this Workplace Monitoring Policy (“Workplace Privacy Policy”) [COMPANY] will communicate the company’s intent to monitor its employees, provide information about the categories of data collected, inform employees about how their data will be secured and used, and clarify workplace privacy expectations when using company IT assets.

This policy contains references to the policies, procedures, and practices that will be followed by [COMPANY], its representatives, and any of its present or future subsidiaries when collecting, using, or disclosing the personal information of an identifiable individual that is a present, future, or former employee of [COMPANY].

This Workplace Monitoring Policy constitutes a notification in accordance with [PRIVACY LEGISLATION]. By acknowledging this policy, employees of [COMPANY] consent to the workplace monitoring and surveillance practices outlined herein.

Definitions

Video Surveillance

“Video Surveillance” refers to surveillance by means of a camera that monitors or records visual images of activities on company-owned property. Video surveillance does not include the capture of audio.

Computer Monitoring

“Computer Monitoring” refers to the practice of collecting user activity data on company-owned computers, networks, and other IT infrastructure. This data includes, but is not limited to, web browsing history, files downloaded, data input, network traffic, logons to corporate systems, interactions with data, peripheral device usage, and information about the employee’s computer.

Employee

“Employee” collectively refers to any directors, officers, managers, employees, other representatives, and agents including consultants and independent contractors of [COMPANY].

Data Collection

“Data Collection” refers to the automated or manual processing of employee data. This includes the collection, use, and storage of employee data such as computer activity data and other forms of personal information. 

Personal Use

“Personal Use” refers to an employee using company-owned devices, networks, and other assets for personal tasks such as non-work web browsing and sending personal emails.

Personal Information

“Personal Information” refers to any data collected about an identifiable individual. This includes obfuscated data that, when combined with other information, could identify the individual.

Scope of This Workplace Monitoring Policy

This policy applies to any directors, officers, managers, employees, other representatives, and agents including consultants and independent contractors of [COMPANY], where applicable by law.

Policy Enforcement

Corrective actions with regards to violations of this policy are subject to [COMPANY]’s disciplinary policies. Depending on the severity of the violation, corrective actions may include placement on an employee Performance Improvement Plan (“PIP”), legal action, or employee termination. For more information, please refer to [OTHER POLICY]

Privacy Statement: Expectation of Privacy in the Workplace

This section will outline the privacy rights and expectations that employees of [COMPANY] will have during their employment.

Monitoring employee computer usage is an essential part of enforcing company policies, maintaining a respectful work environment, and ensuring that IT assets that are owned and managed by [COMPANY] are used safely and appropriately. 

For that reason, outside of the rights granted by [PRIVACY LEGISLATION], employees must not expect privacy when using [COMPANY] systems. While all personal information collected by [COMPANY] will be used fairly and appropriately as per this policy, all activities that take place via company IT assets should be considered monitored.

Personal Use of Company Assets

[COMPANY] recognizes that its employees may occasionally desire to use company systems for personal tasks during their normal course of business. This may include non-work web browsing, making personal phone calls, or sending emails from personal accounts.

Occasional personal use is permitted, however, to the fullest extent of the law [COMPANY] reserves the right to monitor personal use of company assets to the same extent that it monitors business use. Employees must operate under the assumption that all traffic over company networks is monitored and conduct themselves accordingly. 

All personal use of company equipment and systems must abide by [COMPANY]’s Acceptable Use Policies.

Personal Electronic Equipment

For employees who are permitted to use personal electronic equipment for work purposes (“Bring Your Own Device” or “BYOD”), [COMPANY] will make every reasonable effort to not monitor the activities that take place on that device. 

Employees participating in the BYOD program will be monitored when accessing the company’s IT infrastructure, cloud-based applications, and other resources. For example, data collection will occur when personal electronic equipment is used on company-owned wireless networks, virtual private networks (“VPN”), and any other interaction from personal electronic equipment with company-owned IT systems.

[COMPANY] reserves the right to inspect personal devices that are used by employees for work purposes if doing so is deemed necessary to maintain the security, confidentiality, and integrity of the company, its systems, and the data that is in our custody.

[COMPANY] reserves the right to remotely wipe all company-owned data from personal electronic equipment. This will most commonly occur when a BYOD-eligible employee is no longer employed by [COMPANY] or personal electronic equipment is lost or stolen. 

For more information, please refer to [BYOD POLICY OR OTHER RELATED POLICY].

Types Of Employee Monitoring Conducted and Their Purpose

Video Surveillance

Video surveillance equipment is used on company premises to ensure that employees, patrons, and company-owned assets are kept secure from theft, vandalism, and other forms of misconduct. Should unlawful activity be discovered, the recordings captured by video surveillance equipment will be used to the fullest extent of the law—including the possibility of disclosure to authorized third parties.

Video surveillance equipment will not be used in areas where employees have a reasonable expectation of privacy, such as bathrooms, changing rooms, and other private areas. Where video surveillance equipment is used the equipment will be made clearly visible and there will be notices indicating the presence of the equipment.

Computer Monitoring

[COMPANY] monitors the network and computer activity of employees to ensure that company-owned IT resources are used in accordance with our acceptable use policy (AUP), information security policy, and other company policies where relevant.

Computer activity data may also be used to evaluate employee performance, detect malicious or high-risk activities, monitor network performance, and prevent security incidents from occurring.

CurrentWare Employee Computer Monitoring Software

[COMPANY] computer systems are monitored and managed with security and computer monitoring software provided by CurrentWare Inc. As per CurrentWare’s Terms of Service they will not have access to employee computer activity data unless it is explicitly provided by [COMPANY] for the purpose of troubleshooting the software. 

Telephone Monitoring

All company-owned mobile and landline phones may be monitored to ensure appropriate usage and compliance with [COMPANY]’s policies surrounding the use of telephony in the workplace. If a personal mobile device is used for work purposes, phone calls will not be monitored unless they are made through company-provided mobile applications that are provided for the purpose of making work-related calls.

Email Monitoring

All email communications that are sent through company-owned networks, equipment, or user accounts are subject to monitoring. This may include personal email accounts when those accounts are accessed through company-owned IT assets. 

When sending personal emails on company systems employees must tag personal messages accordingly to indicate to authorized personnel that they must not be reviewed under the normal course of business.

Prohibited Forms of Surveillance

To provide [COMPANY] employees with a reasonable degree of privacy on company-owned assets, the following forms of surveillance are strictly prohibited unless there are exceptional circumstances and a legitimate business reason to do so. 

• Keylogging (recording individual keystrokes)
• Video monitoring in private spaces such as bathrooms
• Covert surveillance, such as monitoring computer activity without due notice
• Covert recording or streaming of webcam feeds

Should dire circumstances require that any of the aforementioned prohibited forms of surveillance be conducted, the surveillance will be done in accordance with the privacy requirements of [PRIVACY LEGISLATION].

Employee Data Collection & Processing Practices

The following measures have been put in place by [COMPANY] to ensure that workplace monitoring data, personal information, and other forms of sensitive data are adequately protected and explicitly used for their intended purpose.

Applicable Data Privacy Laws

1. Describe your legal basis for processing the data
2. Describe your statutory obligations as per relevant data protection and privacy laws (GDPR, CCPA, PIPEDA, etc)

Data Retention

To ensure that all personal information is only kept for as long as it is necessary to do so, all data that is captured as a result of workplace monitoring will be stored digitally on [DATA STORAGE LOCATIONS] up to a period of no greater than [RETENTION PERIOD]. Personal information will only be stored for a greater period of time under exceptional circumstances or as required by law.

Categories of Data Collected

The employee monitoring measures put in place capture the following data:

• Timestamps of computer power states: Startup, shutdown, and sleep events
• Logons on company computers, virtual machines, and other desktops
• Logs of peripheral devices used on a given endpoint, such as storage devices (USB, DVD/CD, Tape, SD Card, etc), wireless devices, communication ports, imaging devices, and mobile phones.
• File operations to portable storage devices (files copied, created, renamed, and/or deleted to/from these devices)
• Internet usage data including URLs/domains, pre-defined website content category, web page headers, search engine queries, timestamps, bandwidth consumption, and browsing time
• Application usage, including software downloads and time spent using each software
• Screenshots of activities on company-owned workstations
• IP addresses and system information of client computers 

Purpose Limitation

The personal information that is collected through workplace monitoring shall only be used for the purpose for which it was collected. The purpose of data collection is outlined in this policy as well as [OTHER RELEVANT POLICIES].

[COMPANY] will only use personal data for a new purpose if the new purpose is either compatible with the original purpose, an employee provides informed consent, or the company has a clear obligation or function set out in law.

Employee Data Security & Privacy Measures

Data Security Practices

[COMPANY] recognizes that employee computer activity data and other data collected through workplace monitoring may be sensitive in nature. For this reason, any personal information that is collected through workplace monitoring will be treated as personally identifiable information (PII) and secured according to the standards set out in [INFORMATION SECURITY POLICY] and [PRIVACY/SECURITY LEGISLATION].

Data Breach Notifications

In the event that personal information is disclosed or made available to an unauthorized third party [COMPANY] will follow the incident response plan dictated by [INFORMATION SECURITY POLICY] and [PRIVACY/SECURITY LEGISLATION].

Who Has Access to Employee Data

Employee data is made available to a limited number of authorized representatives or third parties associated with [COMPANY]. All persons with access to employee information are required to comply with the confidentiality and security requirements dictated by [INFORMATION SECURITY POLICY] and [PRIVACY/SECURITY LEGISLATION].

In addition, all access to workplace monitoring data is restricted to an as-needed basis. Employee data will not be made available to managers unless the employee is their direct report and the data is required for a legitimate business reason.

Disclosure of Workplace Monitoring Data to Third Parties

Workplace monitoring data is only disclosed to third parties as is required by law or as needed to troubleshoot the workplace monitoring systems used by [COMPANY] to monitor employees in the workplace. All third parties that are provided with access to workplace monitoring data are subject to equivalent confidentiality and security requirements to ensure that employee data is not misused or disclosed without authorization.

Comments, Questions, or Concerns?

To ensure that workplace monitoring is done fairly and transparently, the company has appointed internal representatives for our employees. If an employee does not feel comfortable disclosing their concerns internally they may also contact an external privacy officer or another third party representative.

If you have any questions about this Workplace Monitoring Policy or concerns about how your personal information is managed, please contact one of the below entities.

Internal Contacts

• [INTERNAL CONTACTS]

External Contacts

• [EXTERNAL CONTACTS]

Policy Acknowledgement

Please read the workplace monitoring policy carefully to ensure that you understand the policy and your responsibilities before signing this document.

By signing this workplace monitoring policy I indicate that I have read and been informed about the content, requirements, and expectations of the policy. I acknowledge that I have received a copy of the workplace monitoring policy for my records and I agree to abide by the policy guidelines as a condition of my employment and my continuing employment at [COMPANY].

I understand that if I have questions, at any time, regarding the workplace monitoring policy, I will consult the contacts that I have been provided.                     

_______________	_______________	_______________
Employee Signature	Employee Printed Name	Date
_______________	_______________	_______________
Witness Signature	Witness Printed Name	Date

END OF TEMPLATE

About CurrentWare

At CurrentWare, our mission is to help businesses stay productive and secure. We achieve this through our commitment to providing user-friendly computer monitoring software solutions with high-quality customer service.

Our Commitment to Data Privacy

When you use CurrentWare products the data you collect remains solely in your control. CurrentWare’s solutions are installed and managed by your company. Your employee’s data cannot be accessed by CurrentWare. For more information please refer to our Terms of Service.

What CurrentWare’s Software Can Track

This section outlines the categories of data that CurrentWare’s computer monitoring software is capable of collecting when monitoring employees in the workplace. The data that is specifically captured by each solution depends on what tracking methods are enabled during deployment.

The CurrentWare Suite also includes an Auto Delete Scheduler to periodically cull URL, bandwidth, application, and peripheral device usage data. In addition to reducing storage requirements for the CurrentWare database that is managed by your company, this is a valuable feature for automatically maintaining compliance with the data retention requirements of your organization.

The information contained here is for reference purposes only and is current as of June 2021. For the most up-to-date information on CurrentWare products, please refer to our Release Notes or contact your CurrentWare Account Executive.

BrowseControl

Web Filtering Software

• Logs of websites that have been blocked (optional feature for troubleshooting)

BrowseReporter

Employee Computer Monitoring Software

• Websites visited including URL, content category, timestamp, and browsing time
• Application usage tracking
• Bandwidth usage, including the source URL
• Remote screen capture, including screenshots
• Search engine queries
• IP address of client computer (disabled by default)

AccessPatrol

Device Control & Data Loss Prevention Software

• Logs of inserted portable storage devices (USB, DVD/CD, Tape, SD Card, etc), scanners, webcams, printers, and mobile phones. | Learn More
• Logs of allowed vs denied peripheral devices
• File operations to portable storage devices (files copied, created, renamed, and/or deleted to/from these devices)

enPowerManager

Remote PC Power Management Software

• Timestamps of computer power states: Startup, shutdown, and sleep events
• Timestamped logon and logoff events
• Duration of logons

More Resources

• Acceptable Internet Use Policy [Free Template]
• How to Make a Work From Home Policy [Free Template]
• Workplace Privacy and Employee Monitoring: Best Practices for Balancing Productivity, Security, and Privacy (White Paper)
• SANS Institute – Information Security Policy Templates
• 5 Ways to Enforce Your Acceptable Use Policy (AUP)