The pandemic has resulted in a seismic shift in the number of employees working from home. For employers, this can bring advantages and disadvantages. One of the key disadvantages is that some employees may feel more inclined to shirk their usual responsibilities due to the lack of facetime or supervision they would normally experience when working from the office.
As usual, technology has a solution for this with more and more tech companies providing products which help you monitor your employees when WFH. The question which therefore arises is: can employers use these products to monitor employees lawfully in accordance with data protection laws?
Unfortunately, there is no one size fits all answer and there are a number of factors you will need to consider before implementing such technology. We have set out some of the key data protection considerations below:
- Lawfulness of processing: all processing needs to have a lawful basis under the GDPR. When it comes to employee monitoring tools, there is only really one option – legitimate interests (remember that consent is generally not appropriate in an employment situation due to the imbalance of power between employer and employee). Legitimate interests can only be relied on if your interests in carrying out the processing override the rights, interests and freedoms of the individuals affected by the processing. To establish this a legitimate interests assessment (“LIA”) should be carried out. Note that even though legitimate interest may be appropriate in some cases, it will not always be possible to justify remote employee monitoring on this basis. As a general rule, the more intrusive the monitoring, the more difficult it will be to rely on legitimate interests.
- Data Protection Impact Assessment (“DPIA”): the GDPR requires controllers proposing to carry out higher risk processing, to carry out a DPIA before doing so, particularly where the processing involves the use of new technologies. DPIAs are intended to focus the mind on the risks involved with certain types of processing and the safeguards which can be put in place to minimise those risks. The use of employee monitoring technology will often trigger the need to conduct a DPIA, and even if it does not, it would still be prudent to carry out a DPIA before rolling out any new monitoring technology to mitigate the privacy risks associated with that technology.
- Transparency: This is one of the key considerations. If you are planning on implementing a new monitoring technology, your employees should be made aware of it. Relevant details will need to be added to your staff privacy notice. However, simply updating your staff privacy notice on your intranet normally will not be enough. The use of monitoring technology will usually also need to be specifically drawn to the attention of your employees (e.g. by way of cover email accompanying your updated privacy notice) to adhere to the GDPR’s transparency requirements.
- Purpose limitation and data minimisation: These are two of the GDPR’s overarching principles which tend to go hand in hand. Purpose limitation requires that you only collect data for clear, specified and legitimate purposes. Data minimisation provides that you shouldn’t collect more data than you need to achieve your intended purpose. This is relevant in the context of monitoring technologies as often they can lead to more data than was originally envisaged being collected and that additional data being used for novel purposes. Employers seeking to use monitoring technologies need to be aware of this potential scope creep – breach of the GDPR’s principles is serious and can result in heavy sanctions (as various regulators have reminded us recently).
- Right to privacy: finally, it is important to remember that employees in the UK have a right to privacy under the Human Rights Act 1998. Although there are limitations to this, particularly in a work context, it is likely that individuals’ right to privacy will be greater when working from home than it would be in an office environment. Employers which are considering acting on information they have obtained from the use of monitoring technologies will need to weigh up the risk of employees claiming violation of their rights in the event they do act.