
Protective Monitoring and Privacy Law: Guidance for Multinational Organisations
Copyright 2013
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (DTTL)
Document available for download at www.dtexsystems.com/protectivemonitoring
For more information contact: compliance@dtexsystems.com
Protective Monitoring : the role of monitoring in the protection of
commercially sensitive data, information systems and the people who use them.
All rights reserved. Copyright 2013 Page
Protective Monitoring and Privacy Law: Guidance for Multinational Organisations
Table of Contents

1. Introduction ........ page 3
2. Protective Monitoring: Implementing a Global Programme ........ page 4
3. Protective Monitoring: A Core Requirement for Mitigating Risk ........ page 5
4. Privacy Impact Assessment: Understanding Local Requirements ........ page 5
5. Acceptable Use Policy: Driving Governance ........ page 6
6. Technology Considerations for Multinational Organisations ........ page 7
7. A Simplified Guide to International Implementation ........ page 8
8. Some Key Regions for Consideration ........ page 9

Disclaimer

The content of this briefing is of general interest and is not intended to apply to specific circumstances. The content should not, therefore, be regarded as constituting legal advice and should not be relied on as such. In relation to any particular problem they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.
1. Introduction
The protective monitoring of employee activities in the workplace is now recognised as a core security requirement for many multinational organisations. Navigating the different privacy laws in each country may seem like a daunting task, but by clearly understanding the legal requirements and taking an international perspective from the outset, a global implementation can be achieved efficiently and effectively, with very positive results for the business.

This document provides guidance regarding some of the international laws and regulations related to the monitoring of computer activities in the workplace. It focuses primarily on regions that have already established laws in this area, with particular emphasis on those countries where the laws or regulations are well developed but not necessarily easy to understand. However, there are many other countries in the process of establishing such laws and regulations which are not addressed in this document, and we therefore recommend seeking legal advice where you are unsure of the laws in a particular country.

The table in section 7 (page 8) provides a simplified view of the international landscape by highlighting the key variations between the relevant privacy requirements in different countries. This chart can be used as a high-level reference from which to draw on the additional information provided for each of the countries later in the document.
"The vast majority of your employees will be responsible and loyal; however, there will always be a few who are less reliable or honest, who can expose your business to risk. One step you can take to mitigate this risk is to implement a protective monitoring solution. Provided you follow a few simple steps - a number of which are outlined in this helpful guidance note - it is possible to implement such tools, which inevitably involve some form of employee monitoring, in a privacy compliant way (for example by communicating a clear Acceptable Use Policy to staff and ensuring the tool is flexible enough to have different configurations for different countries)."

Suzanne Rodway, Group Head of Privacy, Royal Bank of Scotland
2. Protective Monitoring: Implementing a Global Programme

Multinational organisations must consider local legal and regulatory requirements prior to the implementation of protective monitoring (PM) technologies, as privacy laws vary from country to country. The following approach has been successfully adopted by large multinational organisations and is an example of how an organisation might prepare for implementing a PM programme:

1. Identify a global Programme Manager to supervise and manage implementation and maintenance of the PM programme.

2. Determine which countries will be prioritised for PM programme rollout. The following criteria should form part of this decision-making process:

a) Privacy legislation and other relevant laws and regulations within each country. A Privacy Impact Assessment should be conducted in each country to assess the risks and benefits of PM implementation. Adequate time will need to be given to countries with more complex or more stringent privacy laws, so go-live there will necessarily fall later in an international roll-out.

b) Risk profile of the user groups based in each country. Users who have access to sensitive data and/or systems should be targeted first. It is recommended that an Internal Risk Assessment be conducted across all user groups to fully appreciate the risk profile of users in each jurisdiction.

c) Readiness of the local operation.

Technical infrastructure: The ease of PM software implementation may be affected by the technical infrastructure within a local operation. Selecting a PM solution which has a light footprint with minimum impact on system performance will be critical.

Resources: What is the ability of the local team to support implementation? Key criteria should include:
- Is there a Country Manager who can be trusted with local management of the PM programme?
- Does the local IT team have the skill set to support the implementation? (Selecting a PM solution which is easy to deploy with a light footprint will reduce the need for a highly skilled IT team.)

User policies and processes: A well-defined and well-communicated Information Security Policy and/or Acceptable Use Policy must be in place prior to deployment.

Employee relations: Some countries will require consultation with, or approval from, local employee representative bodies.

Privacy compliance: As well as communicating with users, any filings with national data protection authorities will need to be checked and may require updating to cover PM, and possibly pre-approval by the regulator.

The selection of a PM solution that can be customised by jurisdiction will allow the global PM programme to avoid the use of different solutions in different jurisdictions. It will also allow the IT team to manage and aggregate results centrally and provide senior management with more useful outputs.

3. Develop a global PM programme plan which should include the following interdependent project streams:

a) Technical Deployment Project Plan. How will the PM solution be deployed globally?

b) Operating Model Project Plan. How will the PM service be delivered as a BAU (business-as-usual) function for the group?

c) Business Implementation Project Plan. How will the programme team interact with the business stakeholders (e.g. Legal, HR, IT, Security) to implement and maintain the PM service?
3. Protective Monitoring: A Core Requirement for Mitigating Risk

Protective Monitoring is a term used to describe the role monitoring plays in the protection of commercially sensitive data, information systems and the people who use them. An increasing awareness of the benefits provided by protective monitoring can be seen in the UK. The UK government has promoted the use of protective monitoring within the public sector for a number of years. More recently, guidance published by the Centre for the Protection of National Infrastructure (CPNI) has emphasised the positive impact of monitoring for private sector organisations. The guidance, Holistic Management of Employee Risk (HoMER), received strong support from the Information Commissioner's Office (ICO), and set out the benefits of a risk-based approach to monitoring and of implementing a well-structured PM programme. For many organisations, protective monitoring will become a fundamental requirement for protecting IT systems and mitigating internal risks.

The ICO in the UK, as well as CPNI, have provided clear guidance for the implementation of employee monitoring solutions, largely based on a judgement of fairness to the employee via the communication of a well-defined Acceptable Use Policy (AUP). While other countries may not have such clear guidance on PM in their jurisdiction, compliance with most laws and regulations regarding employee monitoring will be underpinned by conducting the appropriate Privacy Impact Assessments and implementing a well-defined and well-communicated AUP.
4. Privacy Impact Assessment: Understanding Local Requirements

A Privacy Impact Assessment (PIA) is conducted on a country-by-country basis to help assess the potential impact of PM on individuals in the collection, use and disclosure of their personal data. PIAs help identify privacy risks, foresee problems and evaluate PM solutions. A PIA should be conducted at the start of a PM project in order to help shape the project implementation strategy and determine the most appropriate configuration for the monitoring technology. Some of the countries covered by this document require organisations to conduct a PIA before implementing a PM solution.

The use of a PIA template or checklist is a common approach which helps to simplify the PIA process. Such a template should be adjusted to suit the requirements of each country and is likely to contain the following key components:
- Project introduction: Provide some background regarding the intended project.
- Purposes and benefits: Why is this project being considered and what are the benefits?
- Adverse impact: Are there any potentially negative impacts and how can these be overcome?
- Alternatives: Have other alternatives been considered and why have they been ruled out?
- Obligations: What are the obligations on staff if the project goes ahead and how will these be managed?
- Conclusion: Do the results of the PIA justify commencement of the project? If so, how will the project be aligned with the findings of the PIA? This conclusion should then be used as the basis of design for the PM solution.
5. Acceptable Use Policy: Driving Governance

An AUP (also known as a Fair Use Policy) is a set of rules applied by the owner/manager of a computer network that restrict the ways in which the network may be used. AUPs in the employment context often serve to inform employees of the expected standards of use and the potential consequences of infringement, while also establishing a foundation for PM. They can also include the information notices about PM systems which are legally required in most jurisdictions, although some organisations choose to do this in a separate PM policy.

New employees are generally asked to sign the AUP before they are given access to an employer's information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are and are not allowed to do with an organisation's IT systems. In order to meet the privacy requirements of most countries, an AUP should define what sanctions will be applied if a user breaches the AUP, making clear that monitoring may be used to ensure compliance. Compliance with the AUP should then be measured by regular audits.

In some countries, as explained further in this document, it may be illegal to monitor employees (or to use evidence from monitoring) to reprimand or dismiss an employee unless an AUP has been well communicated to staff. In particular, in countries with well-established data protection laws, organisations are required to provide individuals with certain information about the processing of their personal data. This information typically includes:
- The purposes of PM
- How PM is implemented
- Under what circumstances PM might take place
- The types of information collected by PM
- Details about how the collected information is processed, including who has access to the information and how the information may be used

This information should be provided in writing, for example within an organisation's AUP.
"The rules around employee monitoring, as with many privacy requirements, can vary greatly country by country. Much of this is driven by underlying cultural and social differences, which can be deeply embedded into a particular country's society, so getting monitoring right is very important to any organisation. Having a flexible approach that can be tailored to different country requirements is key."

Peter Gooch, Director, Security and Privacy, Deloitte LLP

6. Technology Considerations for Multinational Organisations

Where multiple jurisdictions are involved, organisations may be tempted to apply a harmonised approach, for example by choosing the regime of the country with the strictest privacy laws and applying this uniformly across the network. However, as different countries may have contradictory requirements (for example, banning private use of work email is illegal in France whilst being common practice in Germany), particular care should be taken if a harmonised approach is adopted, especially as non-compliance in some countries can lead to criminal liability.

Organisations are likely to find broad commonality in the PM compliance requirements of many countries. However, configuring any monitoring system for the specific legal requirements of each country (in terms of the tool and also the procedures around handling positive results) is likely to be the most appropriate approach for multinationals, where contradictory laws are almost certain to apply. It is advisable that an Internal Risk Assessment is undertaken in order to gain a clear understanding of the actual risks created by user activities in each country.

It is important to understand that the chosen monitoring technology must be flexible enough to enable different configurations in different territories, providing the ability to quickly and easily adapt configurations either centrally or in a distributed fashion. This will ensure that each operating entity is well positioned to maintain compliance as privacy laws and regulations evolve internationally.

It is also advisable that any officially appointed Data Protection Officer is involved in the planning and implementation of the PM programme and that they keep any Works Councils and/or trade unions informed where necessary. In some countries, consultation or even approval may be required from the local employee representative body.
"The locked-down security model is challenged when looking to support the flexibility required for some companies to operate. This can result in the perception that the security strategy is not aligned with the business strategy and lead the business to circumvent restrictive security controls. As a comparison, protective monitoring is an effective way of ensuring compliance with acceptable use policy without having to limit user access to resources. The trust and verify approach allows the business the flexibility to operate and compete while supporting the governance, compliance and risk frameworks."

Mo Ahddoud, Programme Leader, International Security, NBC Universal
7. A Simplified Guide To International Implementation

Columns of the summary table:
(1) Privacy Impact Assessments
(2) Works Councils or employee representatives to be consulted?
(3) Mandatory Acceptable Use Policy? (i.e. rules for use of IT equipment)
(4) Mandatory Employee Notices? (i.e. notice of monitoring to employees)
(5) Any required filings with data protection authorities?
(6) Issues relating to personal use of work email / IT equipment

Legend: columns (1) to (5) are marked either "A mandatory requirement" or "Not a mandatory requirement". The tick/cross marks of the original table are not reproduced here; the qualifying notes that accompany them and the text of column (6) are given for each country.

USA
Qualifying notes: not mandatory, but highly recommended; plus consent required.
Personal use of work email / IT: Employers entitled to monitor private emails to establish whether business related. Content of clearly personal emails should not be processed, unless there is a genuine suspicion of misconduct.

UK
Qualifying notes: not mandatory, but highly recommended.
Personal use of work email / IT: Employers entitled to monitor private emails to establish whether business related. Content of clearly personal emails should not be processed, unless there is a genuine suspicion of misconduct.

MEXICO
Qualifying notes: not mandatory, but highly recommended (two of the columns).
Personal use of work email / IT: Employer should not process emails marked as personal, unless employees have been banned from using email for private use. Where unmarked, processing is permitted until private nature discovered.

JAPAN
Qualifying notes: not mandatory, but highly recommended; if justifying PM to uphold procedures.
Personal use of work email / IT: Employer may monitor private emails sent using company equipment if it has justifiable grounds. However, it is highly advisable not to process personal emails which the company becomes aware of during monitoring.

HONG KONG
Qualifying notes: not mandatory, but highly recommended (two of the columns).
Personal use of work email / IT: Employers are entitled to monitor private emails if they are work related, but there is greater risk in monitoring emails which are purely private in nature.

SWITZERLAND
Qualifying notes: not mandatory, but highly recommended (two of the columns).
Personal use of work email / IT: Illegal to process the content of private emails. An employer may be permitted to open an email to establish whether it is a business or personal email, but processing must cease if the email is found to be personal.

GERMANY
Qualifying notes: not mandatory, but highly recommended; plus authorisation required if Data Protection Officer appointed.
Personal use of work email / IT: In practice, personal use of work email is usually banned on the recommendation of lawyers to avoid application of telecommunications law. Such a ban would need to be enforced in order to be effective.

FRANCE
Qualifying notes: not mandatory, but highly recommended.
Personal use of work email / IT: Illegal to ban personal use of work email / IT systems.

SPAIN
Qualifying notes: not mandatory, but highly recommended (two of the columns).
Personal use of work email / IT: Employers in Spain are entitled to ban employees from using their work email for private purposes. When employers have informed employees that their work email will be monitored, they are entitled to do so. If they have not informed employees about the specific monitoring measures, employees can expect a reasonable level of privacy.
8. Some Key Regions for Consideration

EUROPE: GENERAL

For countries in the European Union, Data Protection Directives 95/46/EC and 2002/58/EC (as amended) provide the legal framework for PM. These set out general principles and are not specific to PM. Implementation of the Directives differs in each Member State, and some Member States have additional legislation addressing this issue. Guidance at a European Union level has been provided by a body known as the Article 29 Working Party. In a document published in 2002 [1], the Working Party noted:
- Employees have a legitimate expectation of a certain degree of privacy in the workplace
- A PIA should be carried out before rolling out PM
- Employees should be given notice of PM.

The European Convention on Human Rights is also relevant to EU Member States as well as 20 additional European countries.
UNITED KINGDOM

The UK's Data Protection Act 1998 regulates the use of personal data. The Regulation of Investigatory Powers Act 2000 (RIPA) and the accompanying Regulations [2] are also relevant, as they regulate the monitoring and interception of communications. The Regulations allow monitoring (that would otherwise be prohibited under RIPA) when it is conducted for legitimate business purposes over an employer's network. To rely on the Regulations, the employer must have made all reasonable efforts to ensure that employees are made aware of the possibility of monitoring. Detailed guidance on PM is provided in the Information Commissioner's Employment Practices Code (the Code) [3].

The Code states that an employer should conduct an impact assessment prior to using PM. This should assess:
- What are the lawful purposes for monitoring? (e.g. upholding policies and standards which have been brought to employees' attention, specific business threats etc.)
- What are the adverse impacts of monitoring? (e.g. impact on employee privacy, mutual trust and confidence, relationships with third parties)
- Whether these aims can be achieved in a less intrusive way (e.g. greater supervision, targeting high-risk individuals, spot checks over systematic checks etc.)
- What obligations arise from the monitoring? (e.g. notifying employees of the monitoring, secure handling of data)
GERMANY

Although there is no law specifically regulating privacy in the workplace, Germany does have strict general communications privacy requirements (partly based on the German Constitution) which are, along with general data protection principles, relevant for monitoring activities. There are plans to introduce a specific data protection regime for employees which will likely contain detailed provisions on PM and may change the legal position set out below.

Under the current law, whether personal use of company IT resources is permitted/tolerated by the German employer is key. If personal use of telecommunication infrastructure (email, telephone, internet access, etc.) is permitted, this subjects the employer to stricter requirements, because the employer would be regarded as a telecommunications services provider under the German Telecommunications Act (TKG). The TKG contains regulations protecting telecommunications secrecy, including a prohibition on general monitoring of both usage data and the contents of personal communications. This then restricts the ability of an employer to monitor professional communications as well, since in most instances employees do not separate their personal and professional use of IT resources.
In order to avoid the application of these stricter requirements of the TKG and allow broader monitoring, a German employer can expressly forbid private use of internet and email systems (which many companies in Germany do). Such a ban should be enforced through regular spot checks, otherwise the TKG may still apply. Where private use of company IT systems is allowed, monitoring rights are more limited but PM is still possible if (i) it is not applied to all employees generally, but only when and where there are specific suspicions of wrongdoing (although this may change under draft legislation) or (ii) (arguably) employees consent to a monitoring scheme. The latter is not without complication, as consent is only valid if employees have a genuine choice (which may be the case if a company provides options, e.g. allowing an employee to choose whether he or she wants to use company email for private use and accept monitoring, or use private webmail without being monitored).

[1] See http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
[2] Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regulations) (as amended)
[3] See http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/employment.aspx
There are additional requirements if a works council exists. Works councils are particularly prevalent in Germany and it is common for large organisations to have one, as do many SMEs: any business with over 5 employees may have a works council if its employees choose to elect one. A works council has co-determination rights for matters regarding the introduction and use of technical devices designed to monitor the behaviour or performance of employees, which covers the implementation of automated PM tools. Organisations are therefore required to obtain consent from the relevant works council before implementing a PM programme, and a veto from the council can only be overturned by a mediation committee or a court. In order to gain consent from a works council, an employer will need to be able to demonstrate to the representatives that it has taken steps to ensure employee privacy is protected. An ability to configure PM technologies can prove helpful here, where steps can be taken to ensure data from certain files or folders are not collected.
FRANCE

The right to privacy in the workplace is enshrined in the French Labour Code, which also imposes an obligation of fairness: employers must consult works councils [4] and inform employees prior to the implementation of any PM system [5]. In addition, there are limits to email monitoring and access to employees' private files under the Penal Code. Employers should also be aware that it is illegal to ban employees from using the employer's IT resources (including email) for personal use.

The 1978 French Data Protection Act (relating to data processing, files and liberties) also imposes privacy obligations. The French Data Protection Authority (the CNIL) has long-standing guidance on how to implement PM correctly, now contained in the CNIL's guide for employers and employees [6]. The main obligations are:
- Identifying the lawful purpose of the data processing and informing employees of this purpose, such as through an AUP.
- Respecting individual rights and liberties, as well as the fairness and proportionality principles (employers should assess in particular whether less intrusive means of monitoring can be applied).
- Complying with filing obligations regarding any PM data processing (including CCTV), unless a data protection officer (CIL) has been appointed.
- Tolerating reasonable use of the IT system for private purposes, clearly defining limits in the AUP and respecting the secrecy of private correspondence and the right to privacy where files/emails are clearly marked as personal or private.

In order to comply with the above obligations, employers should conduct a PIA; the output of this will be a conclusion as to whether monitoring is justifiable.

[4] And also, under certain circumstances, the Health and Safety Committee.
[5] Labour Code articles L1221-9, L2323-4, L2323-13, L2323-32.
[6] See http://www.cnil.fr/fileadmin/documents/Guides_pratiques/Livrets/travail/index.html
SPAIN

The principal laws regulating employee monitoring are Royal Decree 1/1995 on the consolidated text of the Law of the Statute of Workers (Statute of Workers), Organic Law 15/1999 on Data Protection (DPA) and Royal Decree 1720/2007 that develops the DPA (the Regulation).

Article 20.3 of the Statute of Workers states that employers may adopt measures to monitor employee compliance, subject to limits in respect of human dignity. Although this does not expressly include PM carried out electronically, the Spanish Supreme Court held in 2007 that an employer is entitled to carry out PM on its IT system when it owns the computers, as it is entitled to ensure that they are used for work purposes. However, even when employees are using the employer's equipment, they may have a reasonable expectation that a minimum level of privacy will be respected. This tolerance will only be deemed to exist where the employer has failed to set specific rules on the use of electronic resources and has not informed employees that they may be monitored. Consequently, employers who wish to monitor employees must ensure that (i) the rules relating to this monitoring are established in advance, and (ii) employees have been informed of these rules and how compliance with them will be monitored. These details will generally be covered by an AUP (see above).
In addition to the duty to inform employees, employers are required to inform and consult workers' representatives (works council) before any monitoring activity in relation to worker behaviour is introduced. Whilst works councils are common in Spain, they do not have a statutory right to veto the introduction of PM systems as exists in Germany. Instead, the works council can only issue a non-binding report on the measures following the required consultation.
Monitoring measures to be applied must be proportional. The test, much like that set out by the ICO in the UK, requires employers to check by way of a PIA:
- Is the measure necessary, i.e. will PM adequately address the purpose for which it has been implemented?
- Is the measure suitable, i.e. are there any other less intrusive measures that would achieve the same aims, or can the employer show that PM is more effective?
- Is the measure justified and balanced, i.e. will the PM solution be configured in such a way that it does not significantly impact employee privacy without cause?

Employers must also comply with the Spanish Data Protection Act and its Regulations. Amongst other requirements, this means providing employees with detailed information about the processing, which can be covered in the AUP. There is no need to obtain employee consent to PM.
SWITZERLAND
The relevant legislation with respect to employee
monitoring is the following: the Swiss Federal Data
Protection Act (DPA), the Swiss Federal Ordinance 3 to
the Labour Act (LAO), the Swiss Code of Obligations and
the Swiss Federal Penal Code.
Monitoring systems may be implemented for reasons such
as security but they must be confgured so that the health
and mobility of employees is not affected and so that
employee performance is not reviewed. In addition, the
principles of the DPA must be observed. Under the DPA,
PM is only permitted if (a) the processing can be justifed
(see below), (b) there is no other way to achieve the
targeted aim (principle of proportionality), (c) the personal
data collected will only be used for the stated purposes,
(d) the security of the collected data is guaranteed at
all times and (e) the employees have been informed of
the surveillance system. These issues can be picked up
through a PIA before PM and an AUP. Employers should
note that they are not allowed to collect data which is
not relevant for the employment relationship, although
data collected to monitor compliance with contractual
obligations such as the AUP is permitted. Employers who
wish to monitor email or internet use must issue a policy
to employees that describes the surveillance, how it works
and what kind of sanctions may apply in case of non-
compliance. This should ideally also contain information
on acceptable internet use and private e-mails. This could
all be included within a single AUP.
Any internet/email surveillance must consist of two
phases: in a first phase, the surveillance has to be
made on an anonymous (or non-personal) basis
(nichtpersonenbezogen). In practice, the employer should
take all technically possible steps to prevent the person
monitoring email and internet usage from identifying the
individual until it becomes necessary to investigate a
misuse. If the employer discovers a misuse (as defined by
the employer in its AUP), in a second step it is allowed to
analyse the personal data on an identified basis
(personenbezogen).
Employers are not allowed to read the content of personal
e-mails. If the email address or subject line makes it clear
that an email is private, then the employer should not
process it. If the employer learns that a certain e-mail is of
a private nature, it must stop processing that e-mail and is
not allowed to take notice of its content.
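The two-phase rule described above (pseudonymous analysis first, re-identification only after a documented misuse finding, and private e-mails never processed at all) can be enforced in the monitoring pipeline itself rather than left to policy alone. The following is an added Python example, not code from this paper or from Dtex; the event format, the constructed sample events, the AUP upload threshold, the private-mail markers and the separate "custodian" role that holds the pseudonymisation key are all assumptions made for illustration:

```python
"""Two-phase protective monitoring: phase 1 is pseudonymous
(nichtpersonenbezogen), phase 2 re-identifies a single pseudonym only
with a recorded reason and approver (personenbezogen).
Added example; not the paper's or any vendor's code."""
import hmac
import hashlib
import re
from typing import Dict, List

# Constructed sample gateway events (not real data). Fields are assumed.
SAMPLE_EVENTS = [
    {"user": "alice", "channel": "web", "dest": "filesharing.example",
     "subject": "", "bytes": 48_000_000},
    {"user": "alice", "channel": "web", "dest": "filesharing.example",
     "subject": "", "bytes": 52_000_000},
    {"user": "bob", "channel": "mail", "dest": "doctor@clinic.example",
     "subject": "PRIVAT: Termin", "bytes": 2_000},
    {"user": "bob", "channel": "mail", "dest": "partner@corp.example",
     "subject": "Q3 figures", "bytes": 20_000},
    {"user": "carol", "channel": "web", "dest": "intranet.corp.example",
     "subject": "", "bytes": 5_000},
]

# Assumed markers that make a mail recognisably private from its subject.
PRIVATE_MARKERS = re.compile(r"\b(private|privat|persönlich|personal)\b", re.I)
# Hypothetical AUP rule: 90 MB or more uploaded to external sharing sites.
AUP_UPLOAD_LIMIT = 90_000_000
EXTERNAL_SHARING = {"filesharing.example"}


class Custodian:
    """Holds the HMAC key and the token -> user table. In a real deployment
    this role runs on a separate system under HR / works-council control,
    so the analyst never has the means to re-identify on their own."""

    def __init__(self, key: bytes):
        self._key = key
        self._table: Dict[str, str] = {}
        self.audit: List[dict] = []  # every reveal is recorded here

    def pseudonym(self, user: str) -> str:
        # Keyed hash: stable per user within one key, meaningless without it.
        tok = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]
        self._table[tok] = user
        return tok

    def reveal(self, token: str, reason: str, approver: str) -> str:
        if not reason or not approver:
            raise PermissionError("re-identification needs a reason and an approver")
        self.audit.append({"token": token, "reason": reason, "approver": approver})
        return self._table[token]


def is_private(event: dict) -> bool:
    return event["channel"] == "mail" and bool(PRIVATE_MARKERS.search(event["subject"]))


def phase1_pseudonymise(events: List[dict], custodian: Custodian) -> List[dict]:
    """Phase 1: drop private mail at ingestion (its content is never stored)
    and replace the user with a keyed pseudonym. Analysts see only this."""
    out = []
    for e in events:
        if is_private(e):
            continue
        out.append({**e, "user": custodian.pseudonym(e["user"])})
    return out


def detect_misuse(pseudo_events: List[dict]) -> List[str]:
    """Apply the (hypothetical) AUP rule to pseudonymous events only.
    Returns the pseudonym tokens that breached it."""
    totals: Dict[str, int] = {}
    for e in pseudo_events:
        if e["channel"] == "web" and e["dest"] in EXTERNAL_SHARING:
            totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return sorted(t for t, b in totals.items() if b >= AUP_UPLOAD_LIMIT)


def phase2_identify(tokens: List[str], custodian: Custodian,
                    reason: str, approver: str) -> Dict[str, str]:
    """Phase 2: re-identify only the flagged tokens, with an audit entry each."""
    return {t: custodian.reveal(t, reason, approver) for t in tokens}


def run_pipeline(events: List[dict], key: bytes,
                 reason: str = "", approver: str = "") -> dict:
    custodian = Custodian(key)
    pseudo = phase1_pseudonymise(events, custodian)
    flagged = detect_misuse(pseudo)
    identified = phase2_identify(flagged, custodian, reason, approver) if flagged else {}
    return {"pseudonymous": pseudo, "flagged": flagged,
            "identified": identified, "audit": custodian.audit}


if __name__ == "__main__":
    import secrets
    result = run_pipeline(SAMPLE_EVENTS, secrets.token_bytes(32),
                          reason="AUP upload limit exceeded",
                          approver="works-council@corp.example")
    print(result["flagged"], result["identified"], result["audit"])
```

The key design point is that the analyst's tooling only ever receives the phase-1 output, while the key and the token table sit with a custodian in a different role; a reveal without a recorded reason and approver fails closed, and the audit list gives the evidence that re-identification happened only for the flagged case. Private mail is filtered before storage, so there is no content to "stop processing" later.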
UNITED STATES
The United States is known to have far less stringent
privacy laws than the European Union and most of
its Member States. While there is no U.S. federal law
specifically addressing PM, the Electronic Communications
Privacy Act of 1986 (ECPA) (18 U.S.C. 2510-22) allows
employers to monitor activities on their own networks and
equipment where monitoring serves a legitimate business
purpose and is conducted with employees' express or
implied consent.
MEXICO
Mexico also has a data protection law, the Federal Law
on the Protection of Personal Data held by Private Parties
(the Law), which regulates the processing of personal
data carried out by all private entities with the exception
of credit reporting companies (who are regulated by
other laws). The Law establishes general principles and
obligations for data controllers that are not specifc to
employee monitoring or employers.
Neither the Law nor Mexican employment law requires
employers to consult or seek authorisation from works
councils or the Mexican Data Protection Authority before
implementing PM technologies. Employees must be
provided with clear and unambiguous information about
PM and the processing of their personal data. Employees
must also be informed of their employer's policy on
acceptable use for company IT systems through the
issuance of rules for the correct use of emails/desktops/
laptops, etc. All of this information should be provided in
writing, for example in an AUP. If these rules state that
company IT systems may only be used for work-related
purposes, employees should not have an expectation of
privacy that would conflict with PM. If employers do not
ban use of work email for personal use, then an employer
should not open communications marked as personal.
Employers should also ensure that monitoring measures
are proportionate to the risks that they are trying to avoid
and that the least intrusive means are used. For example,
an employer who wishes to implement PM to prevent the
loss of trade secrets should be able to demonstrate that
they have considered other methods such as internal
audit trails. This can be achieved by performing a PIA, as
in the UK.
JAPAN
Under Japanese law, employees have a legitimate
expectation of a certain degree of privacy in the
workplace. However, monitoring can be used in a broad
number of situations, for example for preventing disclosure
of trade secrets and confidential information, investigating
suspected unlawful actions, and ensuring compliance
with internal company regulations as well as legal and
regulatory requirements.
The Act on the Protection of Personal Information (Act No.
57 of 2003, as amended) (APPI) sets out general rules
concerning the handling of personal data by a business
operator in Japan. The Consumer Affairs Agency is
responsible for establishing the legal framework for the
handling of personal information by a business operator.
Employers are required to implement PM in a manner that
complies with the APPI. For example, under the APPI, the
employer must identify the purposes for which the personal
data collected during PM will be used and disclose such
purposes to its employees.
It is recommended that employers establish internal
guidelines (such as an AUP) and notify employees of
these guidelines before implementing PM. In practice, it is
common to include the following in these guidelines:
The purposes and scope of PM
The manner of implementing PM
The types of information collected during PM
The audit procedures to confirm that PM has been properly
implemented.
HONG KONG
The Personal Data (Privacy) Ordinance (Cap. 486) (PDPO)
as amended by the Personal Data (Privacy) (Amendment)
Ordinance 2012 in Hong Kong (including the Data
Protection Principles, DPP) sets out a legal framework
for the collection, holding, processing, transfer and use of
personal data. Detailed guidance on PM is provided in the
Privacy Guidelines: Monitoring and Personal Data Privacy
at Work published by the Privacy Commissioner's Office
in 2004 (Guidelines).
The Guidelines provide that, prior to conducting PM, an
employer should evaluate the need for PM and its impact
upon the employees' privacy through a PIA, which should
address similar topics to those highlighted for the UK.
To comply with the PDPO, including the DPP, an employer
should also make sure that a written PM Policy is
published, which sets out the reasons for conducting PM,
the circumstances under which PM may take place, what
data might be collected through PM and how it may be
used. An employer should also take practicable steps to
communicate the policy to employees, e.g. publishing the
policy in the employee handbook and including it as part of
the employment contract.