At present all employers have to comply with the Data Protection Act 1998 (DPA) when conducting employee surveillance, as they will be gathering and using personal data about living, identifiable individuals (location, movements, internet browsing history and so on). Part 3 of the Information Commissioner’s Office (ICO) Data Protection Employment Practices Code is an important document to follow to avoid DPA breaches. It covers all types of employee surveillance.
When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018 it will replace the DPA. The general rules applicable to employee surveillance as espoused by the DPA and the employment code will remain the same. However, there will be more for employers to do to demonstrate GDPR compliance.
One of the main recommendations of the ICO code is that employers should undertake an impact assessment before undertaking surveillance. This is best done in writing and should, among other things, consider whether the surveillance is necessary and proportionate.
Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA) (also known as a Privacy Impact Assessment) as a tool which can help data controllers (in this case employers) identify the most effective way to comply with GDPR obligations. A DPIA is required when the data processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. Is employee surveillance ‘high risk’?
The Article 29 Working Party recently published its data protection impact assessment guidelines for comments. It sets out the criteria for assessing whether data processing is high risk. This includes processing involving:
- Evaluation or scoring, including profiling and predicting, especially from aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements;
- Automated decision-making with legal or similar significant effects;
- Systematic monitoring;
- Sensitive data;
- Personal data on a large scale;
- Datasets that have been matched or combined;
- Data concerning vulnerable data subjects;
- Innovative use or application of technological or organisational solutions;
- Data transfers across borders outside the EU;
- Data that prevents data subjects from exercising a right or using a service or a contract.
Employee monitoring is very likely to satisfy a number of the above criteria (particularly 3, 7 and 10) and so will be considered high-risk processing under article 35, requiring a DPIA.
Failure to carry out a DPIA when one is required can result in an administrative fine of up to €10m, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The GDPR sets out the minimum features which must be included in a DPIA:
- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the data controller;
- An assessment of the necessity and proportionality of the processing in relation to the purpose;
- An assessment of the risks to individuals; and
- The measures in place to address risk, including security, and to demonstrate that the data controller is complying with GDPR.
Before doing a DPIA, the data protection officer’s advice, if one has been designated, must be sought as well as the views (if appropriate) of data subjects or their representatives. The views of the ICO may also have to be sought. In all cases the data controller is obliged to retain a record of the DPIA which may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the data controller’s use of personal data.
Article 6 – lawfulness
All forms of processing of personal data (including employee surveillance) have to be lawful by reference to the conditions set out in article 6 of the GDPR (equivalent to schedule 2 to the DPA). One of these conditions is consent. Article 4(11) states: ‘“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Consent will be more difficult to achieve under GDPR. This is especially so for employers conducting employee surveillance. According to ICO draft guidance on consent under GDPR: ‘Consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.’
Employers may well need to look for another condition in article 6 to justify the surveillance. This could include where processing is necessary:
- for compliance with a legal obligation to which the data controller is subject (article 6(1)(c));
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (article 6(1)(e)); or
- for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (article 6(1)(f)).
Legitimate interests (article 6(1)(f)) will be a favourite condition among employers as usually the employee surveillance will be undertaken to prevent or detect crime or to detect or stop abuse of the employers’ resources, for example vehicles, internet and email facilities.
Article 6 states that the legitimate interests condition shall not apply to processing carried out by public authorities in the performance of their tasks. Herein lies a potential problem for, among others, local authorities, government departments and quangos.
Such organisations will have to consider the applicability of the legal obligation and public interest/official authority conditions (articles 6(1)(c) and 6(1)(e) respectively). We can expect arguments about what surveillance is in the public interest and when official authority is involved. If the surveillance involves a public authority using covert techniques or equipment to conduct the surveillance, it is easy to assume that part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) applies and so the latter condition is met. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (see C v The Police and the Secretary of State for the Home Department (14 November 2006, No: IPT/03/32/H)).
All data controllers, including employers, have an obligation to ensure that they are transparent in terms of how they use employees’ information. Consideration will also have to be given as to what extent general information will have to be supplied to employees in respect of the employer’s surveillance activities (see articles 13 and 14 of GDPR on privacy notices).
Of course it is not just about the DPA and GDPR. Whatever type of surveillance is conducted, the right to privacy under article 8 of the European Convention on Human Rights protects employees within the work environment. This means that surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate. There have been cases where employers have been criticised by the courts for failing to take account of the human rights issues when conducting surveillance of employees. Compliance with the DPA and GDPR will be evidence that the surveillance has also been carried out in compliance with article 8.
Ibrahim Hasan is a solicitor and director of Act Now Training.