Businesses are under more and more pressure to protect their information and innovation, and this requires, amongst other things, the implementation of policies and monitoring of adherence to those policies. Businesses are required not only to protect themselves from misappropriation of intellectual property, business secrets and personal data but also to ensure compliance with an increasing volume of regulation.
Monitoring technology can easily be acquired and implemented, especially now that technological developments have brought a vast array of tools that allow employers to monitor employees at their workplace. Nowadays employers can easily analyse employee emails, listen to and record landline and mobile phone conversations and voicemails, and analyse online behaviour and even keyboard strokes. Can this be done legally without hindering employee privacy rights?
WHAT TO CONSIDER WHEN SETTING UP MONITORING PRACTICES
Employers are permitted to monitor employees in the EU; however, there are a few legal requirements that have to be met in order to ensure that monitoring is compliant. Monitoring will almost certainly involve the collection of personal employee data; therefore, from a privacy and data protection perspective, employers have to ensure that they abide by the obligations set out by the European Court of Human Rights on Article 8 and in the EU Data Protection Directive 95/46/EC.
The guiding principles published by the Article 29 Data Protection Working Party are a good starting point when implementing monitoring practices and ensuring that individual privacy rights are protected. Companies have to consider the following:
ESTABLISHING LEGITIMACY OF DATA PROCESSING
Companies have to be clear on what legitimate purpose they rely on before setting up monitoring tools. In some cases, as in the context of some financial services, the employer may be under legal or regulatory obligations which it can only fulfil if it undertakes monitoring activities. In other cases, the employer may have a clear legitimate reason to monitor: to prevent theft, to ensure safety, or to ensure that company policies are not breached.
MEASURING THE PROPORTIONALITY
An intrusion into the employee’s privacy must be in proportion to the benefits that the employer receives as a result of monitoring. Companies could conduct a privacy impact assessment and establish whether the benefits of monitoring justify the adverse effect that employees may experience.
DETERMINING THE NECESSITY OF MONITORING
The employer has to establish whether monitoring is necessary to achieve the intended purpose. For instance, installing CCTV in a storage facility where frequent thefts occur would constitute necessity.
ENSURING ADEQUACY OF DATA
The ‘adequacy of data’ requirement should be considered when accessing the ample information available on social media sites. For example, companies should collect from social media sites only such information as allows them to determine the suitability of a candidate, instead of collecting all available information.
LIMITING PERSONAL DATA USE
Personal data collected through monitoring activities must serve specific, explicit and legitimate purposes and cannot be used for any purpose other than that originally intended.
INFORMING EMPLOYEES ABOUT MONITORING
It is a fundamental requirement that employees are aware of the monitoring. Employees must have a clear understanding of what information is being collected about them, why it is collected, how it will be secured, who will have access to this information, and what the employees’ rights are with regard to the processing of their information.
Companies should also check whether local data protection authorities and local works council representatives have to be notified about new monitoring tools that process data. For example, since November 2014 businesses operating in France must declare all monitoring tools that process personal data to the local data protection authority. Breach of these obligations exposes the employer to sanctions from data protection authorities as well as the risk of court action from employees. To avoid possible liability, businesses must be fully aware of their obligations under local data protection laws.