Surveillance at the Workplace

Information and Communication Technology (ICT) | Surveillance in the Workplace | Technical and Organisational Measures (TOMs)

The use of Information and Communication Technology (ICT) by a company’s personnel can harbour risks, have legal and financial consequences and possibly damage the company’s reputation. Examples include excessive internet use by personnel during work hours, the installation and use of private applications on the company’s IT infrastructure, or even the disclosure of confidential facts and conduct causing reputational damage on social media platforms.

According to Swiss law, it lies in the company’s discretion how to utilise its operational resources and to instruct its personnel accordingly. Within certain limits and taking proportionality into account, the company may even supervise the use of resources, especially when it has restricted or prohibited a specific use. However, the company must take into account that supervision can infringe personal privacy and even constitute Surveillance in the Workplace with a harmful effect on health. This is the case when supervisory and control systems such as keyloggers, content scanners or spyware are used, which allow detailed control of the personnel and serve the purpose of inadmissible behavioural surveillance. Therefore, the admissibility and implementation of supervisory and control systems always have to be determined on a case-by-case basis.

For reasons of transparency, the use of operational resources as well as any possible control should be codified in appropriate regulations. Furthermore, the personnel should be trained in the proper use of the operational resources. As an accompanying step, technical protection measures should be taken in order to minimise the risks arising from the use of operational resources by the personnel. Examples include password protection, access control, virus protection, frequent updating, backups, recovery measures, limitation of interfaces and blocking of services. Such measures are to be understood as part of the Technical and Organisational Measures (TOMs), which a company has to implement according to article 7 of the Federal Act on Data Protection (FADP) and articles 8 to 12 of the Ordinance to the Federal Act on Data Protection (OFADP) in order to ensure an appropriate level of personal data protection. These TOMs have to be adapted to the specific case and to the expected risks in connection with the use of particular devices, applications and technologies.