Beyond Bossware: The Rise Of ‘wellbeing-monitoring’ In The Workplace

A leading global investment bank has begun piloting a system that compares junior bankers’ self-reported working hours with computer-generated estimates. The estimates are based on their digital activity. The system uses indicators such as desktop keystrokes, video calls, and scheduled meetings to build an estimated weekly activity footprint. The bank describes the initiative as a wellbeing-measure that promotes transparency and encourages open conversations around overwork, rather than to penalise staff. The bank maintains it will not use the tool for performance evaluation.

This pilot is part of a wider trend in the financial services sector. More employers are adopting monitoring technology, often described as “bossware”, to track workloads and address long standing concerns about excessive hours, burnout and the pressures associated with remote work. The industry has already introduced measures such as capping working hours and restricting weekend work to ease its culture of gruelling schedules. Even so, employee surveillance, even when framed as supportive, raises concerns about privacy, workplace trust and the risk of a “Big Brother” environment. Some critics remain sceptical, arguing that the initiative is likely to increase pressure on workers rather than alleviate it.

Data privacy and employee monitoring in Hong Kong

If the bank wanted to roll out these measures in Hong Kong, they would need to be considered in conjunction with the Personal Data (Privacy) Ordinance (“PDPO”). The PDPO, Hong Kong’s main data protection legislation, does not prohibit workplace monitoring outright. However, any monitoring that involves collecting personal data must comply with the legislation.

Data Protection Principle 1 requires employers to ensure that:

• the personal data is only collected for a lawful purpose directly related to a function or activity of the data user; and
• the collection of personal data is adequate but not excessive.

Employers must also inform employees, on or before collecting their data, the purpose for which the data will be used.

The Office of the Privacy Commissioner for Personal Data in Hong Kong has recommended that employers undertake the “3As” assessment process, which refers to:

• Assessment – assessing the risks and benefits of employee monitoring, having regard to the purposes that relate to the employer’s business functions or activities;
• Alternatives – considering other options that may be equally cost-effective and practical, yet less privacy-intrusive; and
• Accountability – implementing privacy-compliant data management practices for handling personal data obtained from employee monitoring.

When examining the bank’s pilot programme through this lens, the monitoring raises several privacy concerns.

Assessment: The pilot aims to identify overwork, but the monitoring may still capture personal activity on work devices. For example, sending a personal email to a family member during their lunch break. Employees may find this to be intrusive. Even with assurances the bank will not use the data for performance evaluation or enforcement purposes, there is a risk that managers may rely on it informally. This could undermine trust and cause unintended harm to employees.

Alternatives: The bank’s well-being goals could arguably be achieved through less intrusive means. This may include regular supervisor check-ins where employees are given the opportunity to speak with their supervisors directly and voice any concerns about their workload. This would enhance communication and help build trust between the bank and the employee. Other alternatives include having a “workload dashboard” which sets out work allocations for projects, deadlines, and staffing data. It might also include optional “digital wellbeing summaries” akin to screen-time tools on smartphones. If the bank has not properly considered these options, it may struggle to justify its monitoring approach in Hong Kong.

Accountability: Employers must create clear policies to explain what data they collect, how it will be used, and who can access it. They should also keep data only for as long as needed and delete it once the wellbeing purpose is met. Finally, they should strictly limit access to monitoring data to HR or senior management. Internal controls must prevent use of the data for performance evaluation or anything other than the stated purpose. Regular reviews should ensure the tool remains necessary and proportionate.

Implications for employers considering employee monitoring

Employers introducing similar monitoring tools in Hong Kong would face significant compliance obligations under the PDPO. They would need to conduct privacy impact assessments, update internal policies, revise privacy notices and ensure any third-party providers meet regulatory standards. Because these systems generate sensitive behavioural data, organisations must also implement strong security controls such as access restrictions, encryption and defined retention schedules. Any breach involving such detailed information could lead to serious legal and reputational consequences.

Beyond legal compliance, employers must consider the impact on workplace culture and employee trust. Even when framed as supportive, monitoring tools often create anxiety and can erode psychological safety, particularly in high pressure sectors. Experience in other financial institutions shows that such tracking has caused tension and concern among junior staff, who may fear indirect performance assessment or increased scrutiny. Monitoring can also unintentionally encourage presenteeism or employees to “look busy” rather than focus on meaningful productivity. Without genuine changes to workload management and leadership practices, these tools risk worsening the very wellbeing issues they claim to address.

Takeaway for employers

If a Hong Kong employer were to pilot monitoring technology, they would face significant PDPO compliance obligations, including transparency, proportionality and purpose-limitation requirements. The legal risks are substantial, but the cultural and trust related risks may be even greater.

In Hong Kong, as elsewhere, employers seeking to improve wellbeing may achieve more through meaningful workload management, supportive leadership and cultural change than through algorithmic oversight.