The EU Data Protection Working Group – the Article 29 Working Party (the “WP29”) has published a revised opinion in relation to data processing in the workplace and employee monitoring.
The WP29 is an EU level advisory group comprising representatives from the data protection authorities of the member states of the EU and whose purpose is to provide guidance to ensure that data protection law is applied uniformly across the EU. The Office of the Data Protection Commissioner in Ireland aligns closely with WP29 opinions in interpreting data protection law.
The WP29 has previously produced guidance around employee privacy and monitoring, emphasising the importance that is placed on maintaining a balance between safeguarding employers’ interests and protecting the privacy of employees. This latest opinion builds on that earlier guidance by focusing both on technologies that have come into use in the period since the previous guidance issued and concurrent obligations set to be introduced under the General Data Protection Regulation (“GDPR”).
Legal grounds for processing employee data
Employers must comply with fundamental principles of data protection if processing of employee data is to be carried out lawfully:
- Legitimate Basis: The processing must be necessary for the performance of a contract, necessary to comply with legal obligations or necessary for the legitimate interests of the employer
- Consent: As outlined further below, employee consent is not regarded as an appropriate basis for processing due to the nature of the employer-employee relationship
- Proportionality: Any impingement on employee privacy must be in proportion to the benefits that employer receives as a result of monitoring
- Transparency: Employees should be informed of what data an employer is collecting about them, the purpose(s) of any processing envisaged or carried out in relation to this data, both now and into the future
The WP29 considers that the changes in technology have made it more important for employers to apply these principles when processing employee data. The WP29 in turn cites a number of examples of processing of data in relation to employment.
Social media in recruitment and in-employment
Employers checking job candidates’ social media as part of the employment screening process requires a legal ground, such as legitimate interest, to justify such processing. Employers should not assume that such information is available for their own purposes simply because it is in the public domain.
In order to establish that legitimate interest it must be evaluated whether the collection of the social media data is necessary and relevant in relation to the specific vacancy being applied for, and employers must also distinguish between social media accounts relating to business and private purposes. So, even if public, it is doubtful whether an employer could legitimately process data relating to a Facebook profile. Candidates must also be informed beforehand, for example in the text of a job advertisement, that such screening will take place.
Equally, employers should not screen media profiles of existing or former employees in the absence of a legitimate basis for doing so. This type of processing should only occur in very specific instances, for example checking the LinkedIn profiles of former employees to monitor compliance with non-compete clauses.
Monitoring information and communication technology (ICT) usage
The monitoring of email, internet use and phones has historically been considered the primary threat to employee privacy. The WP29 now cite the need to take new technological developments into account that potentially enable more pervasive methods of monitoring.
While such new technologies may be employed for example to safeguard against security risks or data loss, or as a means of improving efficiencies, employer using such applications must consider the proportionality of any measures introduced and whether additional actions could be taken to mitigate or reduce the impact if the resultant data processing,
So for example, if blocking websites would produce the same result as monitoring all communications, then that less intrusive method should be adopted. The increased prevalence of remote working, the ubiquity of mobile devices, and the practice of employees using their own devices for work means that monitoring of ICT now also extends beyond the workplace. Employers should assess the specific risks posed prior to putting monitoring in place to ensure the lines between business and private use are not blurred.
Prior to any monitoring technology being introduced, the WP29 recommends that a Data Privacy Impact Assessment (“DPIA”) first be undertaken, to evaluate the impact of the monitoring technology and to ensure that “privacy by design” is built into the implementation of new monitoring technology from the outset, and that and that acceptable use policies be drafted, with employee input. Carrying out of DPIAs will be a requirement under the General Data Protection Regulation (“GDPR”) where certain types of processing, in particular using new technologies, is envisaged by employers.
Employee Consent and the GDPR
As outlined above, an employer, as a data controller, must have a legitimate basis for processing employee data. While consent is included in the Data Protection Acts 1988 and 2003 as a legitimate basis, the WP29 Opinion sets out explicitly that:
It is important to state that employees are seldom in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Unless in exceptional situations, employers will have to rely on another legal ground than consent …
This reflects the position as set out in the GDPR, which will come into force across the EU on 25 May 2018. The GDPR will introduce new obligations for all data controllers, including employers. The GDPR will also formalise the position regarding employee consent such that employee consent to processing of personal data will only be valid where that consent can be freely withdrawn by the employee, and without the employee suffering any disadvantage as a result.
Take-Aways for Employers
With the introduction of the GDPR now less than a year away, the WP29 have sought to send a reminder both of the existing obligations attaching to monitoring in the workplace, in addition to drawing attention to aspects of the GDPR which will have a direct impact on employers. Companies need to begin laying the groundwork now to ensure a smooth transition once the GDPR regime commences.
While use of monitoring technology can be of great benefit to employers in terms of improving efficiencies and safeguarding assets, use of such technology requires a legitimate basis under data protection legislation where it gives rise to processing of employee data. The use of such technology must be necessary rather than desirable. The proportionality of such measures must be addressed in terms of the potential impact on employee privacy, and any monitoring must be transparent.
The GDPR will also necessitate a fundamental reappraisal of how companies approach employee consent. Consent to processing of employee data is generally contained within employment contracts, and this will need to be reviewed to ensure employee consent can be given unconditionally, and equally that such consent can be freely revoked.