Employer spying on employee

Marcon

IMC2 said:

A friend has told me of a colleague who is being disiplined for being abroad while they were off sick.

The way in which they got caught was the company had tracked there location on their person phone as they had an app on their phone which was logged into their company email account.

I know that employers can track you on company provided devices.

But what is rules around person phone, tablets, laptops, etc?

Me personally I would have thought this would be a breach of privacy and illegal but I can't really find anything online about this.

Does anyone know what legality of this is?

App on phone logged in to company email - what on earth did they expect?

Bobbobbobingalong

Being abroad, or for that matter in London, Tesco or the local pub is not an issue when signed off work ill. Accessing an employer's IT system whilst abroad regardless of your leave status may well be and could very well result in dismissal.

That said, without more accurate, first hand information all you will get here is speculation. Why not have the individual at the centre of this issue post their account here directly?

IMC2

Bobbobbobingalong said:

Being abroad, or for that matter in London, Tesco or the local pub is not an issue when signed off work ill. Accessing an employer's IT system whilst abroad regardless of your leave status may well be and could very well result in dismissal.

That said, without more accurate, first hand information all you will get here is speculation. Why not have the individual at the centre of this issue post their account here directly?

Unfortunately I don't know them so I can't ask.

 I've known people to get into bother for using work devices for visiting 'nsfw' websites, personal business, etc. But tracking someone's location on a person phone is a new one.

From what I've read online it's all very vague, plus you need to know what the companies policies are too.

As someone mentioned in another post, keep everything work related off of personal devices and everything personal off of work devices. 

Undervalued

Despite the emotive title of this thread (Employer spying on employee) I don't think they are "spying". When you install an app (certainly on Android) you will have to click to agree that it can have access to various things, often including location data. If you don't agree and the app requires it you can't install it. The employee will also have agreed to the employer's IT policy as part of accepting the job. It is perfectly reasonable for a company system to keep records of who has logged in, when and where from.

Separately, in dealing with misconduct an employer only needs a reasonable belief that the misconduct took place. How they came by that reasonable belief is almost entirely irrelevant. Rules of evidence that apply in a criminal court do not apply.

So even if the employer was doing something wrong on the IT front, whilst they might get a slap on the wrist from the Information Commissioner, it doesn't prevent the employer from dealing with the abuse of sick leave etc (if indeed that is what happened).

NCC1701-A

Surely this is the same as trying to view Netflix when abroad and not being able to see certain programmes as you're outside UK.  The app checks where the log in is being attempted from, its not "spying".  Most places I've worked, if you are sick, you are supposed to advise work before going outside UK whilst off sick. 

TELLIT01

How and why the employer was able to monitor an employee's phone is a valid question.  If they were able to install a monitoring app on the phone without the employees permission or knowledge there needs to be further investigation.

On the holiday aspect, if the employee was off with a bad back and supposedly bedridden it would not be unreasonable for the employer to wonder about the accuracy of their claim to be sick.  That kind of information can be picked up on social media.

DullGreyGuy

IMC2 said:

A friend has told me of a colleague who is being disiplined for being abroad while they were off sick.

The way in which they got caught was the company had tracked there location on their person phone as they had an app on their phone which was logged into their company email account.

I know that employers can track you on company provided devices.

But what is rules around person phone, tablets, laptops, etc?

Me personally I would have thought this would be a breach of privacy and illegal but I can't really find anything online about this.

Does anyone know what legality of this is?

You need to understand the basics of how the internet works. When your phone connects to the internet it is given an IP address by the ISP or Mobile Network you are connected to. When you use your email app to contact your email server (in this case their employers) the server receives the IP address to be able to send the response back to the app. 

IP addresses are broadly geographic and you can easily lookup an IP address to see where in the world it is. It is normal good practice for servers to log who/what is requesting what which includes the IP of the devices. Its similarly good practice to try and spot potential bad actors accessing data by looking at where they are located... if suddenly the server finds a host of attempts to access the CEO and CFO's emailboxes from Russia or N.Korea then that's something you are going to want to be on top of. Many companies setup monitoring of connections coming in from high risk locations or potentially any non-UK location depending on what their Data Privacy statement says about exporting data

Your colleague has two options... disable the work email so the phone doesn't contact the server or use a VPN such that their IP appears to be in the UK despite the fact they aren't.

I would argue that not only is it perfectly legal but highly prudent. It can form part of the evidence to a regulatory body like the ICO that inline with your data privacy policy you aren't exporting data to the USA. If you dont log where IPs are for all you know people are taking their laptops to Florida and downloading the whole customer database to their C drive. 

Dakta

It would be interesting to hear the mechanics of how they've tracked the location as opposed to say, a work app reporting phone gps position - if it is IP based there does raise the question that whilst IP's are geographic I wouldn't want to rely on it - especially as you can use a VPN and I've investigated impossible travel incidents where people have appeared to be in Brazil where in fact they were just logging on before making coffee at home downstairs and just happened to have privacy software on their bring your own device. 

Some good and interesting points though, I think more info needed to really pin this down but the good thing is if it goes to disciplinary, or even an investigation you (or the subject of it) can request sight of evidence. It's a bit dubious about whether they have to provide full evidence pre-disciplinary but you can ask, and you should have the full report to review before so you should get some opportunity to get sight of the evidence, in which case it might reveal (or otherwise) if concerns about tracking are valid.

Some companies do actively use monitoring software on employee devices, in the absence of this I would have thought the likelihood of IT staff with access to sign in logs wouldn't correlate much to HR matters such as sick leave so in the absence of active monitoring there has to be something that has made this person a person of interest. 

DullGreyGuy

Dakta said:

Some companies do actively use monitoring software on employee devices, in the absence of this I would have thought the likelihood of IT staff with access to sign in logs wouldn't correlate much to HR matters such as sick leave so in the absence of active monitoring there has to be something that has made this person a person of interest. 

In my case, I got contacted by InfoSec because my device was connecting from overseas in what they considered a "high risk country" and one in which they dont have offices. As such the connection, not me, was suspicious so they made enquiries inc looking at my diary to see if I had planned trip there etc. 

That client had a "no overseas working" policy for Employees and FTCs during Covid times (as these were) and so IT were also reporting these cases to HR. I was fine as I had already cleared my trip with the person I reported to and he sat above HR as well as Transformation. For me it was all fine, InfoSec noted I was going to be there for up to 6 months and just asked for me to let them know if that changed.

There are a host of possible reasons why InfoSec got interested in the overseas connection and multiple reasons why they could have contacted HR or the persons line manager (who may then have gone to HR)

Dakta

Yeah I'm normally the guy that makes these enquiries and the usual suspect is signing in from either locations or times not statistically considered normal for that user or role, or even if they happen to have a IP with a poor reputation (which can happen even for dynamic ISP provided IP's that change hands a lot).

You can use it as a basis for reaching out to the users manager for instance to see if they're on holiday etc, which may be one way the manager became aware of this activity, because obviously if you get a call 'Is owen in spain by any chance?' when he's supposed to be off sick or something it might make the manager feel they have cause to do an investigation from a more HR perspective instead. Though I'd expect that to be seperate from the infosec concern.  

In my experience though managers sometimes jump to conclusions etc, or interpret things in ways which can either be a bit aloof or too trigger happy, whilst I've used IP address locations as a basis for running investigations I try to avoid them as ways of substantiating things.  In the absence of confession, or other evidence I wouldn't want to rely on a sign in location derived from an IP as anything other than an indicator/observable. Which is probably why it's worth looking into, as you wouldn't want to make your own life harder....