The move towards digital HR platforms and greater reliance on technology has led to improved monitoring capabilities, and an increase in the reasons why an employer may wish to monitor its workers. In this update we discuss the legal implications of monitoring in the post GDPR landscape.
The growth in monitoring staff behaviour
The concept of workplace monitoring to detect or investigate misconduct is not new. Many employers will at some point have engaged in a review of e-mail and internet records for this purpose, where relevant to allegations, or (for example) reviewed CCTV to investigate an incident. Increasingly however there are increased reasons that monitoring is considered useful, for example relating to general performance, attendance, and cyber security. Tracking equipment on work vehicles, using data from security pass records and more extensive assessment of smart phone use are all examples of monitoring.
Employers can still carry out monitoring activities under GDPR, however there are a number of additional legal considerations that need to be met before they can lawfully do so. In addition to the general rules around processing personal data, there are three key issues that need to be addressed before lawful monitoring can take place under the GDPR:
- What is the lawful basis for processing the data?
- Has a data protection impact assessment (DPIA) been carried out and does this support the use of monitoring?
- Has the employee been given notice that the monitoring may be carried out?
Identifying the lawful basis
Pre-GDPR, we saw many employers rely on (apparent) consent as the lawful basis for monitoring, normally through generic contractual or policy statements. Post-GDPR, and as we have looked at previously, it is clear there are very limited situations where such consent will be appropriate. More often, the legitimate interests of the employer may be a more appropriate basis, while in other situations it may be an employer can point to legal duties to monitor to some extent (e.g. to ensure compliance with limits under the Working Time Regulations, or more narrowly in regulated positions with market access). It should not be forgotten that ‘legitimate interests’ can only be relied upon where:
- the processing is necessary for the purposes of the (clearly identified) legitimate interests pursued by the employer; and
- these are not overridden by the interests or fundamental rights of the employee.
As to necessity, the views of the European Data Protection Board (formerly the Article 29 Working Party) Opinion 2/2017 on data processing at work should be kept in mind, in particular:
- geographical (e.g. monitoring only in specific places; monitoring sensitive areas such as religious places and for example sanitary zones and break rooms should be prohibited);
- data-oriented (e.g. personal electronic files and communication should not be monitored); and
- time related (e.g. sampling instead of continuous monitoring).
Most employers state in their various policies that employees should have no expectation of privacy in work, in particular in connection with IT systems. However, this does not provide carte blanche to monitor at will. The ICO draws a distinction between systematic monitoring (monitoring as a matter of routine) and occasional monitoring (a short-term measure in response to a particular problem or need). Excessive, unnecessary or unjustified monitoring of either kind will fall foul of data privacy rules and other legal protections; proportionality is key in determining lawfulness i.e. the reason for the monitoring being legitimate, and monitoring not being an excessive means of achieving it (as opposed to less intrusive approaches).
As a proactive step before monitoring is undertaken, it should be considered and recorded through a DPIA. Not only will this support that the monitoring is compliant for internal purposes, it will also form useful evidence should the monitoring ever be called into question. The purpose of the impact assessment is to:
- Identify the purpose behind the monitoring and the benefits likely to be delivered.
- Identify any likely adverse impact of the arrangement.
- Consider alternatives to monitoring or testing or different ways in which it might be carried out.
- Consider the obligations arising from monitoring or testing.
- Judge whether the monitoring or testing is justified.
- Identify the lawful basis of processing the data.
If a DPIA indicates that the monitoring would result in a high risk to individuals which cannot be mitigated, the employer must prior to commencing the monitoring consult with the relevant privacy regulator, being the Information Commissioner in the UK.
Notice should be given to workers (and any others impacted) that monitoring may be carried out. Employers need to be transparent about the way they process data. Bland statements are not enough and the workers need to have a clear understanding of what the monitoring entails including: how the information is being or might be obtained, the reason(s) for this, how it is/may be being used and processed, and if it is being sent to or shared with anyone. Notice can be provided to the employee in different ways: through an employer’s e-mail/internet policies, its data protection policy and/or employee privacy notice.
Monitoring and the interplay with other rights
It should not be forgotten that workplace monitoring touches on a number of legal areas, not limited to data protection. Other rights engaged or impacted could include human rights, trust and confidence/constructive dismissal considerations and, in some situations, a need for compliance with wider fields of protection around communications including emails. Advice should normally be taken in case of any doubt about the impact of the proposed activities. There can be a significant degree of overlap between data protection and human rights.
In exceptional cases employers can undertake covert monitoring, normally where there is suspected criminal activity or malpractice such as theft or fraud by employees. Employers should ensure that their policies explain that covert monitoring may take place, and why this may be necessary to give employees notice that this may happen. The ICO Employment Practices Code recommends that the decision to do this should be taken by senior management, and that before taking this approach, senior managers need to be clear that notifying individuals about the monitoring would prejudice its prevention or detection. The number of people involved in the monitoring exercise should be limited and the timeframe should be restricted to obtaining the evidence.
Where surveillance cameras are being used, employers should also consult the ICO Code of Practice on Surveillance Cameras and personal information. Cameras in the workplace are seen as a significant intrusion on employees’ rights and extreme caution should be applied before doing this on a covert basis. European case law supports that an unfocussed and excessive approach will not only breach GDPR obligations but will also lead to infringement of the right to privacy under Article 8 of the European Convention of Human Rights.