Should HR Snoop? Establishing employee privacy guidelines

If your organization is like most, employee information is stored in multiple programs and devices, creating a trove of data made up of personal information, internet history and private conversations.

By now, most employees know “private” conversations aren’t really private after all. And as communication platforms proliferate — think Skype, Slack, texting, email — so will the ways conversations are tracked. As an HR professional, you could access it all. But with great power comes great responsibility.

Here are some ideas for ensuring that your company has respectful, reasonable protocol for accessing employee information.

The do’s:

Make IT and HR accountable to each other. “Whoever controls access to the company’s systems has to be 100 percent aware of the policy and 100 percent accountable for upholding it,” says Britt Harris, human resources manager at VISANOW.

IT should know the protocol stands no matter who is asking, whether it’s a friend or a member of leadership. “A lot of times, these parameters aren’t solely determined or enforced by HR,” Harris says. Rather, they fit into the company’s broader plan of how information is accessed and how data is kept secure. “Make sure you have trustworthy people in critical positions, and ensure that your employee privacy guidelines align with your company’s culture and behavioral expectations,” she adds.

Set up a system of checks and balances. No one person or department should have unbridled access to employee data, Harris says. When a situation arises that may call for reviewing a worker’s information, managers should need approval from a department head, who should seek approval from HR. Then when it comes time to look into the employee’s data, internal legal counsel would assess the situation, and HR and a witness (usually legal counsel) would be permitted to view the information. “The process varies based on company size,” Harris says. Talk to people in your network to compare their policy and procedures to yours to determine the best procedure for your organization.

Craft a policy establishing clear bring-your-own-device and company device guidelines. As more employees blend work and home, the question of company access to information on personal devices — or work devices that are used at home — can get tricky and needs spelling out.

If an employee is texting or emailing at work on a personal device — but sending the information over the company’s Wi-Fi network, who owns the data? If an employee is at home looking at not-safe-for-work websites on a company computer, what’s the course of action? “That might seem benign, but what if the employee unknowingly downloads a virus and plugs into the company network? That’s a big deal,” Harris says. “There are a lot of aspects people don’t think about. Tech [usage] policy is something that’s going to be continuously evolving. Every time technology advances, we have to figure out what that means for the current policy.”

The don’ts:

Never go on a fishing expedition. “If you’re accessing an employee’s email or web-browsing history, it shouldn’t be for the purpose of proving a general suspicion,” Harris says. “Your intent should be to substantiate a specific claim or concern.” If HR needs to look into an employee’s chat history, for instance, the conversation in question should already be known. “You should have an idea of the message content, who it was sent to and the time frame. If you think it was sent on Wednesday, don’t pull the whole chat history,” she says. “Start with a narrow search and expand only if needed.”

Don’t ignore the real problem. Usually, accessing an employee’s Web history or chat conversations are symptoms of a bigger issue — one which some managers don’t want to talk about. “If I think you’re surfing the internet all day and not working, it’s easy to just ask for your browsing history,” Harris says. “But I don’t need to access that information to address the problem.” Instead, encourage managers to have a candid conversation about work time frame expectations. “There’s a way to be more interactive in that situation rather than just pulling the employee’s browsing history.”

Don’t rely on your personal judgement. “Just because you don’t go shopping online during your lunch break, doesn’t necessarily means there’s something wrong with it. It just means you don’t do it,” Harris says. “Any determination of wrongdoing and resulting action should be based on the expectations set through company policies, not your own behaviors or beliefs.” Staying flexible is crucial, especially given how quickly the tech landscape shifts and informs new policies and perspectives.

Originally published at on April 27, 2016.