Monitoring employees in the modern workplace - has your organisation struck the right balance?
July 25, 2017
The modern working environment has embraced the concept of flexible working and has equipped employees with multiple devices such as laptops, tablets, smartphones and wearables. In a battle for market share, employees are also being encouraged to use personal social media accounts to promote work related products and services.
The combination of these factors means that organisations may have less visibility and control over incidents such as unauthorised disclosure or loss of valuable company IP and confidential information. Further, the General Data Protection Regulation (“GDPR”) introduces higher standards for safeguarding personal data and mandatory breach reporting obligations, under which certain personal data breaches will have to be notified to regulators without undue delay and, where feasible, no later than 72 hours.
As a result, organisations are understandably looking to new monitoring technologies to ensure that these company interests and compliance obligations are adequately managed and addressed. The challenge, however, is to strike the right balance between monitoring employees through the use of technology (for legitimate reasons such as data breach detection) and protecting their reasonable privacy expectations.
The privacy challenges of new monitoring technologies
The Article 29 Working Party ("WP29") recently issued Opinion 2/2017 on data processing at work (the “Opinion”) which outlines the privacy risks introduced by new monitoring technologies and sets out proportionality assessments of a number of scenarios in which they could be used.
The Opinion notes that technologies enabling data processing at work can now be implemented at a fraction of the cost of several years ago, whilst the capacity of these technologies for processing personal data has increased exponentially. New forms of processing which are less visible, such as collecting location data from smart devices, mean that employees may not be fully aware of the extent to which they are being monitored. Boundaries between home and work are also becoming increasingly blurred, meaning that monitoring activities outside the physical working environment run the risk of monitoring employees in a private context.
With this in mind, the Opinion sets out a series of scenarios where the use of technology may result in intrusive or unlawful processing of personal data and where organisations can take steps to mitigate data protection risks. The scenarios covered are wide-ranging and include monitoring in the context of the recruitment process, wearable devices, clocking in and out of work using biometrics, video systems and vehicles. For the purposes of this article, we have summarised the following three scenarios:
- In-employment screening
New analytical technologies together with social media profiles mean that employers have the ability to monitor a multitude of information about an employee relating to their friends, opinions, beliefs, interests, habits, whereabouts, attitudes and behaviours.
WP29 confirms that in-employment screening of employees’ social media profiles should not take place on a generalised basis. Monitoring for specific reasons such as checking a former employee’s compliance with non-compete clauses is permissible if organisations can prove that (i) it is necessary to protect its own legitimate interests; (ii) the employee has been appropriately informed; and (iii) there are no other less invasive means available.
- Monitoring electronic communications
Although technologies such as Data Loss Prevention (DLP) tools, Next Generation Firewalls (NGFWs) and Unified Threat Management (UTM) systems help organisations detect potential data breaches and block access to certain websites that may carry malware, they also have the potential to allow unauthorised access to legitimate e-mails that employees have sent in a private and personal capacity.
WP29 advises that, in the context of a DLP tool, the rules the system follows to characterise a potential data breach should be fully transparent to employees. Further, where the tool recognises an e-mail that will be marked as a possible data breach, a warning message should inform the sender so that they have the option to cancel the transmission.
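To make the WP29 recommendation concrete, the following added example (not code from the Opinion or from any DLP product) sketches an outbound e-mail check whose rules carry a plain-language description, which only inspects mail leaving the organisation, skips items the employee has marked private, and warns the sender with the matched rule instead of silently blocking. The rule patterns, the domain `example.internal` and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed rules. Each carries a plain-language description so the sender can be
# told exactly why a warning fired (the transparency WP29 asks for).
RULES = [
    {"id": "DLP-001", "description": "message marked CONFIDENTIAL", "pattern": r"\bCONFIDENTIAL\b"},
    {"id": "DLP-002", "description": "looks like a customer record export", "pattern": r"customer_id\s*,"},
]
INTERNAL_DOMAIN = "example.internal"  # assumed organisation domain

@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    private: bool = False  # employee-marked private item; never inspected

def matched_rules(mail):
    """Return every rule whose pattern appears in the subject or body."""
    text = mail.subject + "\n" + mail.body
    return [r for r in RULES if re.search(r["pattern"], text, re.IGNORECASE)]

def evaluate(mail):
    """Decide what the gateway does and build the explanation shown to the sender."""
    if mail.private:
        return {"action": "deliver", "reason": "marked private by employee; not inspected"}
    external = [r for r in mail.recipients if not r.endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return {"action": "deliver", "reason": "internal recipients only; not inspected"}
    hits = matched_rules(mail)
    if not hits:
        return {"action": "deliver", "reason": "no rule matched"}
    # Warn rather than block: the sender sees which rule fired and may cancel.
    why = "; ".join(f"{h['id']} ({h['description']})" for h in hits)
    return {"action": "warn_sender", "rules": [h["id"] for h in hits],
            "message": f"Mail to {', '.join(external)} matched {why}. Send anyway or cancel?"}

# Constructed sample messages
EXPORT_MAIL = Email("alice@example.internal", ["partner@example.org"],
                    "Q3 figures", "customer_id, name\n1, Bob")
PRIVATE_MAIL = Email("alice@example.internal", ["friend@example.org"],
                     "Dinner", "CONFIDENTIAL surprise party", private=True)
INTERNAL_MAIL = Email("alice@example.internal", ["bob@example.internal"],
                      "CONFIDENTIAL roadmap", "draft attached")

if __name__ == "__main__":
    for m in (EXPORT_MAIL, PRIVATE_MAIL, INTERNAL_MAIL):
        print(m.subject, "->", evaluate(m))
```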
Where organisations use cloud-based solutions that provide tools for an employee’s day-to-day work (such as calendars, email and chatrooms), private spaces should be created so that employees can keep their private life separate. For example, employees should be able to mark personal calendar appointments as ‘private’, making their contents invisible to others.
- Monitoring of home and remote working
With a growing emphasis on workplace flexibility, there has been a surge in homeworking, remote working and employees using their personal devices. In these environments, employees access their organisation’s infrastructure without the physical security measures of the office, which increases the risk of a security incident involving the loss or destruction of personal data.
To mitigate these risks, organisations can implement software packages that log key strokes and mouse movements, capture the screen and log the applications used. Webcams could also be enabled to collect footage of such activities. Again, this has the potential to be overly intrusive to the employee from a privacy perspective and, as such, the use of these software packages should be proportionate and non-excessive.
How to overcome these challenges in a privacy compliant manner
Our paper published earlier this year on technology’s role in data protection highlighted the importance of looking to technology to address the GDPR requirements. In particular, the paper emphasised that organisations who fail to translate GDPR requirements into technology run the risk of operational failure, which in turn can lead to reputational and legal damage.
The introduction of new monitoring technologies can form part of an organisation’s implementation of appropriate technical measures to ensure and demonstrate that data processing activities are being performed in compliance with the GDPR (as per Article 24(1) GDPR). However, when planning to implement such measures, it is important to note that Article 24(1) GDPR also requires organisations to take into account the nature, scope, context and purposes of the data processing (introduced by the new technology in this case) as well as the varying likelihood and severity for the rights and freedoms of natural persons. In short, there is a requirement to undertake a proportionality assessment which should be documented, reviewed and updated where necessary.
Further, according to Article 35 GDPR and WP29’s opinion on DPIAs, data processing involving new technologies and systematic monitoring of individuals is in fact “likely to result in a high risk to the rights and freedoms of natural persons”. Therefore, in this context, conducting Data Protection Impact Assessments (“DPIAs”) would be a mandatory GDPR requirement within which the Article 24 GDPR proportionality assessment can be included.
Carrying out thorough and well-considered DPIAs will enable organisations to gain a close understanding of new technologies, map the personal data flows so as to better identify the privacy risks, and ensure that adequate controls are implemented to address those risks. This, in turn, will ensure that organisations are:
- monitoring employees and collecting personal data as strictly necessary for a legitimate purpose;
- conducting an adequate proportionality assessment between the risk of harm to individuals and the identified legitimate purpose;
- identifying the correct lawful basis to rely on to process personal data by way of monitoring (e.g. relying on ‘consent’ is difficult in this context given that the employee/employer dependency makes it hard to prove it was ‘freely’ given); and
- providing employees with effective communication concerning any monitoring that takes place including the purposes and circumstances. Policies and rules regarding legitimate monitoring must be clear and readily accessible.
The carefully considered planning and implementation of new monitoring technologies is therefore critical for organisations; what could at first appear to be a positive move towards GDPR compliance or protecting company interests could have the opposite effect by being overly intrusive to the employee. It should go without saying that GDPR requirements must themselves be addressed in a data protection compliant manner.
For insight on the new GDPR requirements for carrying out DPIAs, read our recent article here: Demystifying DPIAs.