As mentioned in our previous GDPR update, the sixth update in this series will deal with privacy considerations in the workplace and how far an employer can go to protect its interests.
Modern technologies enable employees to be tracked over time, across workplaces and their homes, through many different devices such as desktops, smartphones, tablets, vehicles and wearable devices. In light of the impending GDPR and the increased obligations on employers to demonstrate that employee privacy is protected, a frequently asked question by employers is whether they can continue to monitor employee behaviour to protect their business. In short, the answer is yes, provided it is done so appropriately.
The collection, use or storage of information about employees, including the monitoring of their email or internet access or surveillance by CCTV involves the processing of personal data and, as such, data protection law applies to such processing. The rapid adoption of new information technologies in the workplace, in terms of infrastructure, applications and smart devices, allows for new types of systematic and potentially invasive data processing at work. Many employers currently have policies in place setting out the extent to which they monitor the use of their IT systems, including email and internet usage. The monitoring of employees may be necessary for different reasons, including protecting the company’s IP, ensuring employees are not breaching confidentiality obligations or addressing bullying and / or harassment complaints.
The GDPR does not mean that these policies are no longer valid or that employers must now stop protecting other employees. However, what it does mean is that they should be reviewed to ensure they meet the requirements of the GDPR. Employers should assess any employee monitoring activities (particularly if using new technologies) and ensure:
- the processing activity is necessary and there is a legal basis for the activity;
- the proposed monitoring activity is fair to the employees;
- it is proportionate to aim being achieved and to any concerns raised; and
- the monitoring is transparent to employees.
On transparency, employers need to clearly communicate to their employees the basis on which the IT systems are monitored in all relevant policies. It is imperative in all situations that employers make sure its employees are aware that the IT systems can be monitored and the reasons for the monitoring.
In deciding what monitoring activities can take place, an employer must ensure that it does not do anything that goes beyond what is strictly necessary and proportionate in the circumstances. This means that an employer must be able to justify monitoring employee behaviour. For example, CCTV systems that are legitimately installed for security reasons cannot then be used to monitor the availability, performance and customer-friendliness of employees. For the same reasons, it may not be possible to use such CCTV evidence in a disciplinary process relating to employee conduct issues, unless security related. Even if the company policy allows for such use, which may meet the transparency requirement, such a practice may be considered disproportionate, so it falls on a separate GDPR ground. An employer must therefore weigh the reasons for the monitoring activity against the rights of the employee that it is actually being monitored. Employers should also bear in mind that employees retain the right to object to the processing of their personal data in certain circumstances, although this right is not absolute.
In some respects, monitoring of employees becomes a balancing exercise for the employer. The legitimate interests of the employer to protect its business must be assessed against the employees’ reasonable expectation of privacy. Employers should therefore carry out a proportionality test in this regard. The key practical point is that while employers can continue to carry out monitoring, they must also work harder to be able to justify that it is necessary and proportionate.
Similarly for many employers the issue where this arises the most is in relation to email or internet usage monitoring. This too may continue, provided the employer can demonstrate that its practice meets the new higher standards of necessity, proportionality and transparency.
Following our recent GDPR updates and with the implementation of the GDPR only a week away, one of the most pressing questions concerning employers is whether or not their organisation has to appoint a Data Protection Officer (DPO). Our update later this week will deal specifically with whether an employer is required to appoint a DPO or not.
If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.