Dear Atty. Peachy,

Our company recently implemented a new remote-work policy and updated the data-privacy policy to allow monitoring of employee devices and communications used for work. I am concerned about the extent of monitoring, the kinds of data they can collect, and how long they can keep it. I also worry about using personal devices for work and how separation between personal and company data is maintained.

What are employers allowed to monitor when employees work from home or use company devices, and what privacy protections do workers have? Can an employer require employees to install monitoring software on their personal devices or to give access to personal data? Are there limits? How should the company communicate these policies to employees, and what notice is required for policy changes? If I disagree with the monitoring policies, what remedies or options do I have?

Tina

θ θ θ

Dear Tina,

Employers can set reasonable policies on data protection and remote-work security, but they must respect workers’ privacy, especially when it comes to personal devices and personal data. Monitoring on company devices is usually allowed if it is done transparently, proportionally, and for legitimate business purposes. Monitoring of personal devices or personal communications is much more restricted. Changes to policies should be clearly communicated, with proper notice and opportunities to ask questions or raise concerns.

Read the policies carefully. Look for what data can be collected, how it will be used, how long it will be kept, and who can access it. Check for consent and limits on personal devices. If the policy asks you to install monitoring software on a personal device, ask for a written scope of what will be monitored and confirm whether you can opt for a work-only device. Ask for transparency and notice. Request an explanation of the justification for monitoring, what kinds of data are collected, and the procedures for data review and deletion. Protect personal information. Separate work data from personal data where possible, use company-approved apps and devices, and disable features that are not essential for work. If you disagree or suspect misuse, raise concerns through formal channels (HR, data privacy officer) in writing.

Employers can implement data-protection and remote-work policies, but they must respect privacy, obtain appropriate consent, and limit monitoring to legitimate business purposes. Always push for clear, written policies with explicit details about data collection, retention, and access, and seek advice if a policy seems overly intrusive.

Atty. Peachy Selda-Gregorio