Legal considerations

Legal guidance

At NOFRAUD, we offer general guidance to organizations interested in implementing The Fraud Explorer, our solution for the early detection and prevention of unethical behavior and occupational fraud. Our goal is to provide compliance, risk, information security, technology, and human resources professionals with a clear understanding of the legal principles that typically govern corporate employee monitoring.

While every country has its own regulatory framework, there are virtually universal principles derived from international personal data protection standards, modern labor law doctrine, and best practices in cybersecurity and compliance. We summarize these common principles here to serve as a starting point for the legal assessment that each organization should conduct with its local legal counsel prior to deploying the solution.

This document does not replace qualified legal advice within the client’s specific jurisdiction; it is intended solely for informational purposes.

Privacy right

The right to privacy is a fundamental right recognized in most constitutions and major international human rights instruments. In the workplace, this right does not vanish, but it is modulated by the existence of a relationship of subordination and the use of employer-owned tools intended for the performance of job duties.

The workplace constitutes a semi-private space where the reasonable expectation of privacy is limited but not eliminated. There is a legitimate tension between two equally valid interests:

  • The employee’s right to privacy, dignity, and the free development of their personality.
  • The employer’s right to protect its assets—including information assets—and reputation, and to prevent conduct that could constitute fraud, corruption, or other unethical behavior.

A universally accepted principle is that the employer’s authority arising from the subordination relationship is not absolute; it is limited by the worker’s human dignity. Therefore, any monitoring activity must strike a proportionate balance between these two interests.

Universal principles

Virtually all modern personal data protection frameworks share a common core of guiding principles. These principles should govern all corporate monitoring activities:

  • Principle of legality: data processing may only be carried out within the framework of a valid legal basis and a documented corporate policy.
  • Principle of purpose: data must be collected for specific, explicit, and legitimate purposes that have been previously disclosed to the data subject.
  • Principle of freedom and consent: processing must—where applicable—be based on the data subject’s prior, express, and informed authorization.
  • Principle of proportionality and necessity: collected data must be adequate, relevant, and limited to what is strictly necessary for the stated purpose.
  • Principle of security and confidentiality: information must be protected through technical and organizational controls that prevent unauthorized access, loss, or misuse.
  • Principle of transparency: data subjects have the right to know what information is being collected, for what purpose, who is processing it, and under what rules.

At NOFRAUD, we use the European Parliament’s GDPR as a benchmark for best practices in personal data processing; however, it should be noted that not all countries that have adopted this framework have incorporated every one of its articles.

Legal monitoring

Based on international doctrine and compliance best practices, any corporate monitoring activity must simultaneously and concurrently meet four essential conditions:

  1. Documented and communicated corporate policy: There must be a clear internal policy outlining the scope, methods, systems subject to monitoring, intended purposes, and employee rights. This policy must be disseminated in a verifiable manner.
  2. Express and informed employee authorization: The employee must consciously consent to the monitoring, fully understanding its scope. Ideally, this authorization should be in writing or in an equivalent digital format.
  3. Proportionality and legitimate purpose: Monitoring must be limited to what is strictly necessary to achieve legitimate corporate objectives: fraud prevention, protection of information assets, regulatory compliance, and ensuring business continuity.
  4. Confidentiality of captured information: Collected data must be handled under strict protocols regarding privacy, restricted access, and chain of custody, and used exclusively for the stated purposes.

It is neither necessary nor recommended for the express authorization to disclose that the software is named “The Fraud Explorer.” The recommended approach is to provide a general description of the monitoring systems existing within the organization that are designed to monitor employee activity for security reasons—such as antivirus software, DLP, web browsing filters, surveillance cameras, etc.

Personal and corporate devices

The distinction between employer-owned devices and personal devices used for work purposes (BYOD—Bring Your Own Device) is one of the most critical factors when implementing any monitoring solution:

  • Corporate devices: Since these are owned by the employer and intended exclusively for work-related tasks, the employee’s expectation of privacy is limited, provided that the usage policy has been communicated beforehand in a verifiable manner.
  • Personal devices (BYOD): The expectation of privacy is significantly higher, as these devices often contain personal, family, and third-party information. In these cases, express, specific, prior written authorization is required, formalized through a separate BYOD agreement that strictly defines which information is monitored and which remains outside the employer’s scope.

As a general recommendation, extending monitoring to personal devices is not advisable without a clear contractual framework that guarantees the separation of corporate data from personal data.

Right to digital disconnection

A growing global trend is the recognition of the right to digital disconnection, understood as an employee’s right not to be available for work-related matters outside of their working hours. An increasing number of jurisdictions are incorporating this right into their legislation or case law.

As a general principle, corporate monitoring should focus on systems and activities related to job functions and carried out during working hours. It should not be used as a tool for constant surveillance or to pressure employees regarding their performance outside of working hours, except in duly justified, exceptional cases (for example, ongoing information security incidents).

Information classification

Any monitoring solution must recognize the different categories of information and assign the appropriate level of protection to each:

  • Public information: information that is not restricted and is accessible to anyone.
  • Semi-private information: information of interest to a specific sector or to the data subject themselves, the disclosure of which is subject to reasonable controls.
  • Private information: information pertaining to the data subject’s personal or family sphere, which may only be processed with their authorization or by order of a competent authority.
  • Sensitive data: data that affects privacy or the misuse of which could lead to discrimination. This includes, among others: racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions or social organizations, health data, sexual life, and biometric data. These categories are subject to stricter restrictions and, as a general rule, must not be monitored. Any accidental capture must be discarded and not used.

The Fraud Explorer is not designed to capture private or sensitive information; however, due to the nature of monitoring, such information could be captured as a result of intentional or unintentional employee actions while using corporate tools.

Required policies

To ensure the system’s implementation aligns with international legal best practices, we recommend that our clients have, at a minimum, the following four documents in place:

  1. Technology Asset Usage Policy: Defines the rules for using corporate equipment, systems, networks, and applications, as well as the scope of monitoring. It must be communicated to all employees in a verifiable manner.
  2. Express Contractual Clause: Incorporated into the employment contract or a signed addendum, acknowledging the employee’s awareness and acceptance of the applicable monitoring policies.
  3. Authorization for Personal Data Processing: A separate document in which the employee authorizes the collection, use, and processing of their data within the context of monitoring, clearly stating the purposes.
  4. Confidentiality and Evidence Management Protocol: Defines who may access the captured information and under what conditions, how the chain of custody is preserved, and how evidentiary integrity is guaranteed.

The expectation of privacy must be defined by the employer, not the employee. This expectation can be defined within the technology asset usage policy. It is recommended that the expectation of privacy regarding corporate IT assets be defined as non-existent. The use of computers and mobile phones for personal purposes should be prohibited.

What is prohibited

There are practices that, as a general rule and in most jurisdictions, are prohibited or constitute a violation of the worker’s right to privacy. Among the most significant are:

  • Disclosing intimate information captured accidentally during monitoring.
  • Using collected information for purposes other than those stated in the policy and the authorization.
  • Monitoring an employee’s personal devices without explicit, prior, specific, and written authorization.
  • Conducting monitoring in a manner that is abusive, degrading, or discriminatory, or that infringes upon the worker’s dignity.
  • Systematically monitoring the worker outside of working hours without legitimate and proportionate justification.
  • Performing analyses or drawing inferences regarding special categories of (sensitive) data without a specific legal basis.

The difference between spying and monitoring lies not in the technologies used, but in the way those technologies are employed. It is recommended that the presence of monitoring systems never be concealed, although this does not require disclosing their specific names or methodology.

Monitoring as a workplace harassment

Corporate monitoring, in itself, does not constitute a workplace harassment practice when it conforms to the conditions described in this document. However, it can amount to harassment when circumstances such as:

  • It selectively targets a specific employee with the aim of pressuring, intimidating or discriminating against them.
  • It extends to strictly personal dimensions of the worker without work justification.
  • The right to digital disconnection is systematically violated.
  • It is used as an instrument of retaliation against the legitimate exercise of rights by the collaborator.

Therefore, it is recommended that monitoring always be general, systematic, automated and aimed at fraud prevention, and not a tool directed against specific people for reasons unrelated to the declared objectives.

Probatory value of the information

Information collected through corporate monitoring may carry full evidentiary weight in disciplinary, labor, administrative, or judicial proceedings, provided the following conditions are met simultaneously:

  • The employee was informed beforehand and expressly about the existence, scope, and purposes of the monitoring.
  • The monitoring focused on corporate tools and systems used for the performance of work duties.
  • The collected information does not reveal private aspects unrelated to work performance.
  • The capture, storage, and custody of the evidence were carried out in strict compliance with internal policies and protocols.
  • The integrity of the evidence was preserved through a traceable and auditable chain of custody.

As a general rule regarding The Fraud Explorer, while the captured data holds evidentiary value, we recommend always accessing the original source where the data resides rather than disclosing the use of the tool itself.

Legal notice

This document serves as a general guide prepared by NOFRAUD to assist prospective clients in understanding the legal principles and best practices commonly applicable to corporate monitoring in the context of implementing The Fraud Explorer.

This document does not constitute legal advice, nor does it replace consultation with a qualified attorney in the client’s jurisdiction. Each country has a specific regulatory framework regarding labor law, personal data protection, cybersecurity, and the law of evidence; a specific analysis of these regulations is essential prior to any implementation. NOFRAUD assumes no liability for decisions made based solely on this document.

For specific guidance regarding the implementation of The Fraud Explorer within your organization, please contact our sales and compliance teams.

© NOFRAUD Latam LLC.