A changing landscape
While employee monitoring can be a contentious issue in the workplace, it is both a necessary and important practice for employers.
Greater reliance on technology over recent years has led to improved monitoring capabilities for employers and an increase in the reasons why an employer may wish to monitor employees. It can be conducted for various reasons such as, for example, to monitor performance and productivity, prevent fraud or protect trade secrets.
Engaging in employee monitoring practices or introducing a new piece of monitoring technology does, however, trigger data protection responsibilities and challenges for employers. Monitoring can pose significant risks to employee privacy where it is excessive or is not underpinned by a reasoned and proportionate business interest.
Active v Passive Processing
Employees may be monitored as a result of active measures, such as telephone and email monitoring or by the use of CCTV in the workplace. Employers may also adopt software or devices that process data passively, such as keystroke logging data or using smartphones as an instrument to collect vehicle (and vehicle operator) data.
Passive processing has been facilitated by increasingly sophisticated IT applications and devices. An array of technologies that observe, track and evaluate the actions, and even behaviours, of employees are now at the disposal of employers. These pose significant privacy risks as they are capable of collecting, processing and storing greater volumes of data than ever before.
The legal framework
Employers must ensure that their monitoring practices are compliant with national and EU data protection law. In particular, under the General Data Protection Regulation (GDPR) which came into force in May 2018, all personal data processing must conform to the key principles of: lawfulness, fairness and transparency; purpose specification; data minimisation; accuracy; storage limitation; integrity and confidentiality, as well as complying with key data protection requirements.
Additionally, under the Human Rights Act 1998, the compatibility of employee monitoring will be assessed for its compatibility with the fundamental right to privacy under Article 8 of the European Convention of Human Rights. The rulings of the European Court of Human Rights on employee monitoring offer insights into how to balance employee privacy rights with business interests, and the factors which influence whether monitoring is deemed to violate an employee’s right to privacy or not.
Key points for employers to consider include:
- Ensuring that a legitimate interests assessment or data protection impact assessment has been undertaken prior to carrying out employee monitoring;
- Providing a clear and transparent notice on monitoring to employees. This should detail specifically why the monitoring is taking place, the legitimate interest being pursued and the particular nature and extent of the monitoring;
- Providing employees with a written policy during the onboarding process which sets out how monitoring is conducted. This policy should also be displayed visibly in the workplace and be re-issued if monitoring activities change; and
- Choosing a method of monitoring which is not excessive, and which takes into account the reasonable privacy expectations of employees (where a less intrusive option to employee monitoring exists that will achieve the same results, the employer should opt for this). Care should be taken to avoid monitoring purely personal and non-professional data where its personal nature is clear from the outset, regardless of whether such data is stored on IT equipment belonging to the employer.
Guidance from the Information Commissioner’s Office (the ICO) and from the Article 29 Working Party which reflects new and advanced monitoring techniques and technologies is available for employers considering carrying out employee monitoring. Employers are well advisable to keep track of developments in this area as the law continues to development post-GDPR.
What the future holds
Following the current trend, employee monitoring is likely to become more and more extensive and increasingly intrusive in the future. At the same time, employees are increasingly aware of their privacy rights and are willing to challenge decisions in the Civil Courts and the Employment Tribunal, as well as making complaints to the ICO.
As a result, now more than ever, businesses should have an awareness of the legal framework surrounding such practices and be able to independently assess the proportionality and legality of monitoring. They must not lose sight of their responsibilities under data protection law and they should incorporate the evaluation of employee monitoring software and practices into their compliance programs.
Ultimately, the monitoring of employees requires a very careful balancing act between an employer’s interests and its employees’ right to data protection.
Chris Tutton, Synchrony Law Limited