The boundaries between work and home are increasingly blurred. This means employee monitoring activities can inadvertently extend to monitoring employees in a private context.
The Article 29 Working Party recently published a new opinion concerning data processing at work. It covers a wide range of topics, including the processing of employee data on social media platforms and data processing in the cloud.
Although based on the current laws, the Opinion also addresses future GDPR compliance. It appears that data protection authorities are still unclear as to how national legislators will use derogations under Article 88 to establish special rules for processing data in the employment context.
The Opinion takes a broad view of the notion of “employee” and reinforces that consent is highly unlikely to be a legal basis for data processing at work due to the power imbalance between employers and employees. Employers are likely to rely on legitimate interests instead.
The Opinion focuses on the use of new monitoring techniques, indicating that the challenges surrounding monitoring for cyber-threats have caught the attention of the regulators. It clearly leaves open the possibility of deploying solutions that monitor employee ICT usage, subject to certain checks and balances. In order to be compliant, such solutions must be proportionate and transparent:
- Solutions must be implemented in the least intrusive manner possible.
- Employers must show that appropriate measures have been put in place to ensure an appropriate balance between their legitimate interests and their employees’ rights and freedoms.
- There should be limitations on monitoring, such as the exclusion of personal files and communication.
- Employers should not keep permanent logs of employee activity. If logs are required, systems could be configured not to store data unless an incident occurs.
- As good practice, employers could offer alternative unmonitored access for employees (such as through free WiFi or stand-alone devices).
- Employers should also consider certain types of traffic where interception endangers the appropriate balance.
- Employees must receive effective information about any monitoring that is taking place.
- Policies should explain when suspicious data can be accessed and what rules are used by monitoring tools.
- Policies should be easily accessible to employees.
- Policies should be reviewed annually to assess whether less invasive methods could be used.
The Opinion is not exhaustive. No extensive guidance is provided on HR analytics or biometric data, which may suggest a lack of consensus in these areas.
The full Opinion can be found here: http://ec.europa.eu/newsroom/document.cfm?doc_id=45631.