As many businesses moved to being entirely remote last year, the more traditional oversight that organisations have over their staff members when they are in the office suddenly disappeared. The level of control and security that is available to an employer in an office seems impossible to recreate when your team is in home offices, at dining room tables and in bedrooms around the world. It has also raised the question of how best to keep people safe when a return to offices becomes a practical possibility in the future.
The solution that many organisations have turned to is workplace surveillance. A recent survey found that more than one in seven employees reported that monitoring by their employer had increased since the pandemic began in March and that more than a quarter reported having their work communications screened [1]. Numerous organisations have also investigated operating contact tracing systems, another form of monitoring, as a possible solution to the issue of how to return safely to the office.
Of course, workplace surveillance pre-dates the current situation. How many will have an access card to their building that logs entry and exit? Or expect to be on CCTV for a portion of their working day? But it can be very different to have this level of surveillance on company property, as opposed to it coming into an employee's own home. The technology is there to provide surveillance that would make Big Brother proud: monitoring email content, traffic and internet use, recording keystrokes, audio/video monitoring, screenshots of a computer screen and location tracking are all possible. It is easy to see this as a perfect solution to safety concerns and keeping track of staff efficiency, but should organisations be doing this, just because they can?
What should an organisation take into account when considering monitoring staff?
- Make sure the monitoring is strictly limited to what is required to fix the organisation's problems.
- Comply strictly with the legal requirements of data protection law.
- Be transparent with staff about the monitoring that is taking place.
- Limit any intrusion into staff members' personal lives.
- Be sensitive to any current events which might affect people's views on monitoring or particularly intrusive technology.
Employers need to pay close attention to data protection legislation. Any type of workplace monitoring in the EU is subject to the General Data Protection Regulation 2016 (the GDPR), as well as any state-level legislation. In the UK, the GDPR is implemented by the Data Protection Act 2018 and there are many older laws, some dating from the early days of telecommunications, that still limit the ability of an organisation to engage in surveillance. The Information Commissioner's Office (ICO), the UK data protection regulator, has the power to impose sanctions for breach of these regulations.
So, in more detail, what practical questions should an organisation ask to make sure that workplace surveillance is the right approach?
- What is the problem that the organisation intends workplace surveillance to fix?
It is important, as the first step, to confirm that monitoring is the appropriate solution for the problem. Are you concerned about efficiency while working remotely? Is there a specific individual you are worried about? Would monitoring internet traffic be enough or is keylogging required? How much monitoring would actually be needed to address this? Do you need to monitor the content of communications, or just metadata concerning this content (such as access to websites, notification of numbers called/emailed and so on)?
This achieves the twofold purpose of ensuring that proportionality is addressed in the project from the beginning (a key requirement in data protection), as well as the practical issue of helping the employer work out their true concerns and how to address them to protect themselves. If there is a less privacy-intrusive way of achieving the same goal, the employer would be expected by the ICO to always pick that one. A data protection impact assessment can be used to work through and document the organisation's thinking.
- Is the organisation compliant with the GDPR?
Workplace surveillance is just another form of personal data processing and requires a legal basis for the processing and various compliance documents in place in the same way as other processing activities. This applies equally to any processing of Covid-19 related data or contact tracing.
Organisations should make sure that their existing compliance programme is observed from early on; as monitoring is a type of surveillance, it is high risk processing and a data protection impact assessment as well as, possibly, a legitimate interests assessment need to be carried out before the project is implemented. It is important to have this documented, as it will be the first resource needed to respond to any claim from a disgruntled employee or query from a regulatory authority.
Another key data protection consideration is the security and retention of the results of the monitoring. Organisations should make sure the data is secure and only retained as long as it is accurate and required. This is even more important when the data is particularly sensitive, such as health data like records of vaccinations or sickness absences. It helps organisations comply if these issues are included in the project from inception.
- Are staff aware of the monitoring?
It might be tempting for organisations to think they are likely to experience less resistance from staff if the monitoring is implemented quietly. However, it is critical that employers are transparent about the measures being put in place and provide training, when appropriate. This also helps reduce 'mission creep', where data collected for one purpose is used for another, which is contrary to data protection law. Monitoring data should only be used for the purpose for which it is collected; any change to this will require all compliance measures to be reassessed. Covert monitoring is extremely risky and would require extreme circumstances for it to be considered appropriate, such as suspected criminal activity.
In addition to being the legal requirement, having the correct policies in place helps everyone be clear on the agreed procedure and protects the organisation from potential grievances emerging at a later stage when employees (or trade unions) may have other issues which can inflame the situation. Employee communications that strike the right balance are key to ensuring that any risks are dealt with in advance, rather than too late.
- How far can an organisation extend their monitoring?
Just because an organisation has the technical capability of undertaking monitoring does not necessarily mean that they have the right to do so. It is normally inevitable that the personal lives of individuals become slightly intertwined with their work, but this is even more true now that so much office work is taking place at home. The further the monitoring extends, the higher the risk that it will capture data that is sensitive in nature, possibly even special category data, which requires even more legal justification to process legitimately. For example, technology that screenshots a desktop might capture information from an individual's personal email – anything from emails with family to doctor's appointments.
Anything marked as personal or on a personal device should not be accessed by the organisation, unless there is a very good reason to check it, even if it is on their systems or using their software. Organisations should also be cautious in allowing other use of systems (such as WhatsApp) where it may be difficult to control usage. Always have a policy to deal with the overlap between the personal and professional spheres in technology, as well as setting out any monitoring that takes place. Accessing telecommunications without safeguards in place and an appropriate reason could amount to an offence for the business, including directors personally.
- What are particular red flags to a regulator?
There are some types of monitoring that a regulator may be particularly sensitive about, depending on jurisdiction and sector, as well as recent developments worldwide. As a general rule, avoiding these types of monitoring is sensible to reduce risk.
Some examples are taking screenshots or keylogging - the guidance issued by the European Data Protection Board on monitoring specifically highlights this type of software as disproportionate and not likely to qualify for some legal grounds for processing. Location tracking is also seen by the ICO as particularly invasive - this can include an organisation tracking their own devices unless they are fully anonymised, although there may be scenarios in which this is more acceptable such as personal safety in dangerous locations.
What are the possible risks?
Data subjects can complain to the ICO about any improper data use, including improper monitoring, and the regulator has the power to impose sanctions, including ordering a halt to processing activities, suspending data transfers and imposing fines. Fines can be up to 4% of global annual turnover or €20m, whichever is greater.
Even if they do not complain, if staff are nervous about the extent of monitoring, they can make a data subject access request for personal data, which could include monitoring data. This can be very disruptive to some businesses if they are required to comply. These requests are also often a precursor to employment action. There might also be claims regarding stress or illness resulting from the surveillance or issues arising from a person being treated differently at work following a positive diagnosis of Covid-19.
Apart from data protection, what else might be a concern for employers considering workplace surveillance?
The European Convention on Human Rights (Article 8) guarantees a right to privacy, albeit one that can be interfered with for certain specified purposes. Effectively the court will ask whether employees have a reasonable expectation of privacy. Care needs to be taken to ensure that employees are aware of the level of interference to minimise the scope for any Article 8 type argument to be made in any disciplinary proceedings. If Article 8 is applied, then a court would evaluate any surveillance and ask if it was necessary and proportionate. What this means is that any intrusion into an employee's privacy should be the minimum required.
It should be noted that in the event that unlawful surveillance has taken place, an employee could bring a claim against an employer for breach of privacy. In 2016, the European Court of Human Rights ruled that an employer had breached the privacy of an employee when they fired him for using their work messaging service to carry out intimate conversations with his family. Despite the fact that it was on work systems and the employee had been informed of a staff policy that restricted internet use, the employer was still considered at fault for accessing the records of the discussions and using them to inform their dismissal decision.
Monitoring is a contentious issue and may be even more of a sensitive one when people are dealing with the stress of lockdowns and working from home.
It is more important than ever for organisations to make sure that workplace surveillance is the right solution for them and ensure that, if so, it is carried out in a way that complies with applicable laws – not doing so can carry significant risk for the organisation and serious issues with staff members.