What’s the issue?
There are strict rules under the Data Protection Directive about how employers can collect and process employee data and what it can be used for. From 25 May 2018, the General Data Protection Regulation (GDPR) will update these rules. Some of the technology increasingly used by employers, such as tracking and monitoring tools, together with the rise in home working and ‘Bring your own Device’ (BYOD), increases privacy risks for employees and, if not handled appropriately, the risk of non-compliance for employers.
What’s the development?
The Article 29 Working Party (WP) has published an Opinion on data processing at work (Opinion 2/2017, WP249). This covers all work scenarios, not just strict employer/employee relationships. It complements Opinion 8/2001 on the processing of personal data in the employment context (WP48) and the 2002 Working Document on the surveillance of electronic communications in the workplace (WP55). It focuses mainly on the application of the Data Protection Directive (DPD) but also looks at the changes which will be brought in under the GDPR.
What does this mean for you?
While restating much that is in WP48 and 55, this Opinion focuses on the issues around employee data in the context of new technology. The Opinion underlines the importance of the data protection principles and stresses repeatedly that consent is extremely unlikely to be a legal basis for data processing at work as it is unlikely to be freely given, revocable, specific and informed.
Employers may instead be able to rely on the processing being necessary for the performance of a contract or for the employer’s legitimate interests. Legitimate interests can only be relied on where the processing is strictly necessary for that purpose, complies with the principles of proportionality and subsidiarity, and is not overridden by the rights and freedoms of the individuals concerned. Employers may also be required to process personal data in order to comply with other legal obligations, which is a legal basis in its own right.
Also stressed repeatedly is the need for compliance with transparency requirements and for employees to be informed about any processing taking place in a clear and accessible manner. The newer the technology, the greater the degree of transparency that is likely to be required. In addition, any international transfers must only take place where there is an adequate level of protection.
The Opinion identifies a number of key risk areas which include: tracking across devices; technologies which monitor communications; the increase in available data and the potential for data analysis and cross matching; the difficulty in achieving genuine anonymisation; and the potential reduction of anonymity which may impact on whistle blowing.
The Opinion considers a number of key points relating to employer data processing including:
- during recruitment (personal data collected during recruitment should be deleted as soon as it becomes clear that the candidate will not be employed);
- operations resulting from in-employment screening (screening of social media profiles should not take place on a generalised basis and employees should not be required to use an employer-provided social media profile);
- processing operations resulting from monitoring ICT usage in the workplace (proportionality is key and Data Protection Impact Assessments (DPIAs) should be undertaken, backed up by implemented and accessible policies);
- processing operations resulting from monitoring ICT usage outside the workplace, e.g. monitoring of home and remote working, BYOD, wearables and mobile device management;
- processing operations relating to time and attendance;
- operations using video monitoring systems;
- processing operations involving vehicles used by employees, including event data recorders; and
- processing operations regarding disclosure of data to third parties or international transfers.
In its conclusion and recommendations, the WP makes a number of points:
- the contents of communications and traffic data often enjoy the same fundamental rights protections as analogue communications;
- electronic communications made from business premises may be covered by notions of “private life” and “correspondence” within the meaning of Article 8 paragraph 1 of the European Convention on Human Rights;
- under the DPD, employers may only collect the data for legitimate purposes with the processing taking place under appropriate conditions (e.g. proportionate and necessary, for a real and present interest, in a lawful, articulated and transparent manner), with a legal basis for the processing of personal data collected from or generated through electronic communications;
- the fact that an employer has the ownership of the electronic means does not rule out the right of the employee to secrecy of their communications;
- tracking should be limited to where it is strictly necessary for a legitimate purpose;
- prevention should be given much more weight than detection, e.g. if certain types of websites can be blocked, that is preferable to monitoring employees to find out whether they access them;
- employees are almost never in a position to freely give, refuse or revoke consent;
- legitimate interests of employers can only be invoked if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity;
- effective communication must be provided to employees concerning any monitoring which must be clear and readily accessible;
- data processing at work must be proportionate to the risks faced by an employer – there is no general right to monitor;
- data minimisation principles should be applied to data collected from employees and should be taken into account when deciding on deployment of new technologies;
- retention periods should be specified and deletion should take place when the data is no longer needed;
- employers should consider allowing employees to designate private spaces within office applications (e.g. a private mail or document folder) to which the employer does not gain access; and
- international transfers must provide adequate protection of data.