SOFTWARE FOR MONITORING EMPLOYEES' ACTIVITIES UNDER THE SPOTLIGHT OF SECURITY SERVICE OF UKRAINE
ARZINGER law firm,
Kyiv, Ukraine, Thu, Jan 26, 2017
Software intended for monitoring employees’ activities during normal working hours has recently come to the attention of the Security Service of Ukraine (hereinafter, the SSU). In particular, software used for monitoring employees’ active time, the software they use, websites, entered text, data transfer etc. is under active scrutiny.
As seen from judgments available in the Unified State Register of Court Decisions (http://www.reyestr.court.gov.ua/) and from rulings of investigative judges rendered upon consideration of petitions filed by SSU investigators, the above software may fall under the indicia of special technical devices for covert collection of information (covert surveillance).
However, conclusions on whether to classify particular software as special technical devices for covert surveillance are made exclusively by the Ukrainian Scientific and Research Center for Special Equipment and Forensic Examination of Security Service of Ukraine.
Please note that law enforcement authorities do not take the initial/intended purpose of software use into account if there are indicia that such software is capable of covertly (invisibly) collecting and capturing information about an employee’s activity without the latter’s knowledge or ability to identify the activity of such software at his/her workplace.
At the same time, we emphasize that the current Ukrainian legislation provides for criminal liability for illegal purchase, sale or usage of special technical devices for covert collection of information. Criminal liability for the said criminal offense is stipulated by Article 359 of the Criminal Code of Ukraine, the maximum penalty being up to 7 years of imprisonment. Therefore, employees of the following entities are at risk of criminal prosecution under Article 359 of the Criminal Code of Ukraine:
- companies that develop the relevant software;
- companies that distribute the relevant software;
- customers and users of the relevant software.
These categories of persons are recommended to implement the following measures to eliminate the risk of their software being classified as a special device, both at the development stage (or when obtaining technical specifications for software development) and at the stage of actual implementation of a monitoring system. In particular, they should remember:
- when developing/preparing technical specifications for developing software for monitoring:
o that software may not be configured for collecting information in a secretive/covert way according to its purpose;
o that the terms of software use should be reflected in the relevant license agreement.
- when distributing software for monitoring:
o that the purpose of software should be checked and no software configured for collecting information in a secretive/covert way should be distributed.
- when implementing software for monitoring:
o that software settings should be checked and data should be localized in the corporate computer system;
o that compliance with data protection laws should be ensured;
o that internal monitoring procedures should be regulated;
o that information on the monitoring system implementation should be brought to the attention of the relevant range of persons (employees).
Kind regards and best wishes,
Kateryna Gupalo Partner,
Head of White-Collar Defense practice
Senior Associate, IP and IT practice,
Patent Attorney of Ukraine