The Article 29 Working Party (an independent European working party that deals with issues relating to the protection of privacy and personal data - WP29) recently released a new opinion on data processing at work which looks at updating previous opinions from 2001 and 2002 on employee data processing and the surveillance of electronic communication.
The opinion refers to the growth of homeworking, remote working, wearables and bring-your-own-device (BYOD) policies that are blurring the lines between workplace and home and raising the risk that individuals could be monitored in a private context.
The WP29 reiterates the importance of fundamental data protection principles, such as solid legal grounds to process employee data, protection against automated decision-making, and the need for compliance with transparency and proportionality of the processing.
With regard to the General Data Protection Regulation, the WP29 refers to the new obligations for data controllers (including employers), such as the implementation of data protection by design and by default (Article 25) and the requirement to carry out a Data Protection Impact Assessment (Article 35) when processing is likely to result in a high risk to the rights and freedoms of employees. It also mentions the possibility offered to Member States to provide for more specific data protection rules in the workplace (Article 88) than those stated in the Regulation.
The term “employee” is interpreted broadly because, as the opinion notes, “new business models served by different types of labour relationships, and in particular employment on a freelance basis, have become more commonplace”. This reflects the position of the WP29 not wanting to restrict the definition to persons with an employment contract recognised as such under the applicable labour laws, but instead extending it “to cover all situations where there is an employment relationship”, whether based on an employment contract or not. This position is mainly aimed at businesses operating in the so-called “gig economy”, but also at other industries which are starting to rely on a very diverse workforce, mixing classic employees with workers and freelancers.
The opinion assesses the balance between the legitimate interests of employers and the reasonable privacy expectations of employees, providing a series of guidelines and good practice recommendations for employers in relation to a number of practical scenarios. For instance, employers may want to implement an “all-in-one” monitoring solution (eg a suite of security packages) enabling them to monitor all ICT usage in the workplace. First, the proportionality of such measures should be evaluated, as well as any additional actions that can be taken to mitigate or reduce the scale and impact of the data processing. Secondly, employers must implement and communicate acceptable use policies, outlining the permissible use of the organisation’s network and equipment, and strictly detailing the processing taking place. In some countries this would require approval of a Works Council or other employee representative body. Interestingly, WP29 recommends that, in any case, a representative sample of employees be involved in assessing the necessity of the monitoring, as well as the logic and accessibility of the policy.
On BYOD specifically, location tracking is unlikely to be appropriate for a personal device. Security software should not scan parts of the device considered personal, such as the photos folder, while “sandboxing” (ie storing work data within a specific app to protect it) is encouraged. The fact that employers own the electronic means does not rule out the right of employees to secrecy of their communications, related location data and correspondence. Employees should be given the opportunity to shield their private communications from any work-related monitoring.