The Article 29 Working Party (WP29), the grouping of representatives from the various national privacy regulators in the EU, has issued an updated opinion on employee monitoring.
WP29 opinions are not legally binding under EU data protection law, but do set out how the national privacy regulators (as a collective group) view how the law should be interpreted.
The WP29 last looked at employee monitoring in 2001, when it issued its original opinion. That opinion was followed up in 2002 with a working document on surveillance of electronic communications in the workplace.
The latest opinion is timely, reflecting changes in technology, the growth of things like homeworking and “Bring Your Own Device”, and the General Data Protection Regulation (GDPR), which comes into force in May 2018.
Legal grounds for processing
The Opinion emphasises that for the majority of data processing at work, consent will not be an appropriate or valid ground for processing, as the nature of the relationship between employee and employer means that consent is unlikely to be freely given.
In most cases, employers will therefore need to identify another basis for processing, such as it being:
- necessary for the performance of the employment contract;
- necessary to comply with legal obligations; or
- necessary for the legitimate interests of the employer, having regard to the impact on the rights of the individual.
In each case, the requirement is that the processing is necessary, not simply desirable. The employer will need to be able to justify its position if challenged.
Privacy impact assessments and data protection by design
When considering any new processing, employers should adopt data protection by design. For example, when issuing devices to employees, the Opinion suggests that the most privacy friendly settings should be used if tracking technologies are involved to minimise the intrusion and amount of personal data collected. The Opinion identifies the risk of “over collection” in systems, where data is collected beyond that which is necessary for the purpose.
In line with GDPR, employers should also carry out a data protection impact assessment (DPIA or PIA) to identify the risks and the steps that can be taken to mitigate them. A DPIA will also help employers to comply with the obligations under GDPR to maintain records and to be able to demonstrate compliance with GDPR.
You can download our handy guide to DPIAs on our GDPR Hub.
Guidance on specific scenarios
The Opinion sets out the WP29’s views on a number of specific scenarios, including:
- the use of social media during recruitment
- in-employment monitoring of social media profiles
- monitoring ICT usage at the workplace
- monitoring ICT usage outside the workplace (e.g. remote working, BYOD/MDM and the provision of wearable devices)
- monitoring time and attendance
- monitoring using video surveillance
- vehicle tracking
- disclosing employee data to third parties such as customers
- international transfers of HR and employee data (including cloud-hosted office or HR systems)
“<REDACTED> will deliver your parcel between 1307 and 1407”
Whilst the WP29’s views on many of these subjects reflect the general principles of necessity, proportionality and transparency, some sections may cause surprise. These affect not just internal HR but also wider customer service.
For example, the WP29 concludes that it would not be lawful for a delivery company that provides customers with a real-time link to the deliverer’s location to also provide the name and photograph of the scheduled delivery driver for the purpose of allowing a customer to check that the deliverer is indeed the right person.
The WP29 states that it is not necessary to provide the name and photo. However, it is unclear if the WP29’s concern is with whether the purpose (allowing a customer to verify the deliverer’s identity) of the processing is in the delivery company’s legitimate interests or (having accepted that this is a legitimate interest) with whether the company’s proposed steps to enable this are actually necessary. These are quite different things. Unfortunately, the Opinion does not explain this.
Arguably, providing real-time location information is the more intrusive action here (when a customer really only needs to know the current estimated delivery time). Again, it is unclear whether the WP29 would have an issue if the name and photo were provided without the real-time location information.
As noted above, the WP29’s opinions are not binding law. They do, however, give an indication as to how the WP29’s members will consider specific areas of data protection law. As part of a privacy impact assessment, employers should therefore consult the guidance and take this into account when considering employee monitoring.
If employers decide to proceed with monitoring that is at odds with the views of the WP29, then employers should ensure that they document their approach (and the steps taken to mitigate the impact) and their reasons for proceeding in that way.
Where can I find the WP29’s opinion?
You can download the WP29’s opinion from the WP29 website.