Barclays Faces Employee Spying Probe
Privacy Watchdog in UK Investigates Bank's Use of Employee Monitoring Tools
The U.K.'s privacy watchdog is probing banking giant Barclays over its use of employee monitoring tools.
Barclays is the third largest bank in Britain, following HSBC and Lloyds Banking Group.
The U.K.'s Information Commissioner's Office, which enforces privacy laws - including the EU's General Data Protection Regulation - has confirmed the Barclays probe to Information Security Media Group.
"We have an ongoing investigation relating to Barclays' alleged use of employee monitoring tools," an ICO spokeswoman tells ISMG. "People expect that they can keep their personal lives private and that they are also entitled to a degree of privacy in the workplace."
Barclays declined to comment.
News of the investigation into Barclays allegedly spying on staff was first reported by Britain's Sunday Telegraph. The newspaper said that Barclays had for 18 months been using employee monitoring tools from Sapience Analytics to anonymously monitor employees, including how long they took to finish tasks and the amount of time they spent away from their desks.
The Sunday Telegraph reported that Barclays in February had activated a feature in the software allowing managers to see details for individual employees but deactivated the feature later that month and alerted the ICO "after uproar among its workforce."
Pandemic Drives Surge in Monitoring
Sapience, Hubstaff and WorkSmart are the biggest providers of employee monitoring software that offers time tracking and productivity monitoring capabilities. Among the other players are ActivTrak, DeskTime Pro, InterGuard, StaffCop Enterprise, Teramind, Time Doctor, Veriato, VeriClock and Work Examiner.
Vendors of such software reported a surge in interest earlier this year as a result of the shift to working from home during the COVID-19 pandemic.
Proponents of such tools say they can help organizations better manage remote teams, maximize billable hours, spot idle workers and enforce security policies. But such tools can also offer more "Big Brother" types of capabilities, including the ability to record audio and video of users, log keystrokes, use optical character recognition to record any text that appears on screen and monitor email, chat discussions and social media posts (see: Employee Surveillance: Who's the Boss(ware)?).
For Barclays, complaints about the individual employee monitoring feature in Sapience wouldn't be the first time that the bank's employees had objected to its use of monitoring software. Reuters reports that in 2017, employees were unhappy with the bank's use of software called OccupEye, which recorded how much time they spent at their desks.
GDPR's Rules on Monitoring
Regulators say that in Europe, under the GDPR privacy law, whatever monitoring organizations do must be both transparent and necessary.
"If organizations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits," the ICO spokeswoman says. "Organizations also need to make employees aware of the nature, extent and reasons for any monitoring."
Jonathan Armstrong, an attorney with Cordery in London, told ISMG in a recent interview: "There is this balance always between privacy and security and making sure that we put in place measures that are proportionate. If I'm going to monitor your access to your work network, I have to tell you that; I have to be open with you, and that's one of the core, fundamental principles of GDPR."
Transparency continues to be a theme in many alleged GDPR violations, he said.
"One of the surprises of GDPR is we always knew that we were going to get a lot of cases around data security - that was a given. And we have seen that and they are still the majority of the cases that we're seeing. But what we're seeing a lot of as well is transparency cases," Armstrong said.
Barclays Faces Potential Fine
Under GDPR, EU regulators can levy fines of up to 4% of an organization's annual global revenue or €20 million ($23.5 million) - whichever is greater - if the organization violates Europeans' privacy rights, for example, by failing to secure their personal data.
Barclays reported 2019 revenue of £21.6 billion ($28.1 billion), meaning it could face a maximum fine of £864 million ($1.12 billion).
But regulators have signaled that they would only expect to levy maximum fines for the most egregious cases, involving sustained wrongdoing backed by criminal intent.