The recent decision of the European Court of Human Rights in Barbulescu v Romania (see our Be Aware blog post of 7 September) has placed the spotlight once more on the extent to which employers are permitted to monitor their employees’ communications and activities.
The adoption of new information technologies in the workplace allows for systematic and potentially invasive monitoring, enabling employers to track employees not just in the workplace but potentially in their homes through many different devices including smartphones, tablets and wearables. The boundaries between work and home have become more blurred as more employees work remotely using their employer’s equipment, or bring their own devices to work. Monitoring of individuals at work can increasingly shade into monitoring in a private context. A further risk comes from the over-collection of data such as WiFi location data; analysis of meta-data may allow for invasive detailed monitoring of an individual’s life and behaviour. Such new technologies create significant privacy challenges. Whilst data privacy and human rights legislation do not prevent employers from monitoring workers, employers should remember that workers are entitled to some privacy at work.
The General Data Protection Regulation (GDPR), which comes into force in May 2018, will significantly raise the stakes for employers to ensure that their monitoring systems stay on the right side of the privacy line. With this in mind, on 8 June 2017 the EU Article 29 Working Party on data protection adopted a new Opinion on data processing at work. Whilst primarily concerned with employers’ current obligations regarding monitoring the Opinion looks forward to the additional obligations which will be placed on employers by the GDPR.
In order to process personal data in the employment context, the employer must have a legal basis for doing so. Processing of special categories of data (usually referred to as sensitive personal data) is prohibited unless an exception applies; if such an exception applies, the employer must still have a legal basis for processing the data. The Opinion emphasises that for the majority of processing at work, including monitoring, the legal basis cannot and should not be consent. Consent is generally not valid in the employment context as it cannot be freely given due to the real or potential prejudice which will usually arise from the employee not consenting.
Employers will more commonly be seeking to rely on the processing being necessary for a legitimate interest as the legal basis. Where the employer relies on legitimate interest, the processing must also be proportionate and should be carried out in the least intrusive manner possible. Specific mitigating measures should also be put in place to ensure a proper balance between the legitimate interest of the employer and the rights of employees; such measures might include only monitoring in certain areas, or avoiding monitoring sensitive areas such as changing rooms, avoiding monitoring of personal communications and undertaking spot check rather than continuous monitoring.
Employees must be informed of the existence of any monitoring, the purposes for which personal data are processed and any other information necessary to ensure fair processing. The information requirements under the GDPR will be more detailed and specific.
In order to comply with GDPR, employers as data controllers are required to implement data protection by design and default. An example of the impact which this has on workforce data is that where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved.
The Opinion addresses a number of data processing at work scenarios in which new technologies have the potential to result in high risk to the privacy of employees:
- Processing during recruitment
Employers should not routinely inspect the social media profiles of prospective candidates during recruitment processes. Such information should only be reviewed if it is necessary for the job, for example in order to be able to assess specific risks regarding candidates for a specific function. Candidates must be informed if social media information will be reviewed during recruitment.
Data collected during the recruitment process should generally be deleted as soon as it is clear that an offer of employment will not be made or not be accepted.
- Processing during in-employment screening
Similarly, in-employment screening of employees’ social media profiles should not take place on a generalised basis. Employees also should not be required to use a social media profile provided by their employer; the option of a ‘non-work’ profile must be available.
- Monitoring ICT usage in the workplace
Technological developments have enabled newer, potentially more intrusive and pervasive ways of monitoring employees’ ICT usage. The Opinion suggests that as good practice employers should offer alternative unmonitored access to communication technologies where employees can exercise their legitimate right to use work facilities for some private usage. Employers can implement an “all-in-one” monitoring solution for all ICT usage in the workplace, for example applications to decrypt and inspect secure traffic to detect anything malicious that can also record an employee’s online activity on the network. The employer can rely on legitimate interests to protect the network, however monitoring every online activity of employees is an interference with the right to secrecy of communications. A policy should be developed and made easily accessible concerning the purposes for which, when and by whom suspicious log data can be accessed and to guide employees about acceptable and unacceptable use. If it is possible to block websites rather than continuously monitoring communications, blocking should be chosen. Prevention should be given more weight that detection – it is in the employer’s interest to prevent internet misuse rather than detecting it.
- Monitoring ICT usage outside the workplace
ICT usage outside the workplace has become more common with the growth of home and remote working and ‘bring your own device’ (BYOD) policies. These technologies can pose a risk to employees’ private lives as workplace monitoring extends into the domestic sphere.
In respect of remote and home working, the use of, for example, software which logs keystrokes and mouse movements or captures screenshots, logging of applications used and remotely enabling webcams will be disproportionate.
In respect of BYOD policies, appropriate measures must be in place to distinguish between private and business use to prevent monitoring of private information.
Where employees are provided with wearable devices which track health information, processing of the data by the employer is prohibited as it falls within a special category of data. The health data should only be accessible by the employee.
- Time and attendance data
Systems that allow employers to control who can enter their premises or restricted areas can also allow the tracking of employees’ activities. New technologies may also process biometric data. Employees must be informed about any such processing and continuous monitoring of entrance and exit times cannot be justified for purposes such as performance evaluation.
- Vehicle tracking
Any employer using vehicle telematics will collect data about the employee using the vehicle. Employers may be legally obliged to install some tracking eg for driver hours records and may have a legitimate interest in knowing where company vehicles are. However, use of such data should be proportionate. If private use of a vehicle is permitted, employees should have the opportunity to turn off location tracking where appropriate. The employer must also clearly inform employees that company vehicles are installed with trackers.
- Disclosure of employee data to third parties
It has become increasingly common for companies to transmit employees’ data to customers for the purpose of ensuring reliable service provision. However, such data should only be provided if it is proportionate. For example, in the case of a delivery driver, the company might have a legitimate interest in transmitting information regarding the driver’s location to a customer, but not their name or a photograph.
Employers need to re-examine their employee monitoring systems and policies as part of their preparation for being GDPR-compliant.