As employers, managers need to be aware of their employees’ right to a reasonable expectation of privacy in the workplace, but what does this mean on the ground? Many employers still need additional support to recognise the scope of this obligation and implement adequate controls to mitigate privacy and data protection issues.
The terms privacy and data protection are often used interchangeably, but they are two distinct rights under EU law. The right to data protection means that personal data must be processed fairly and securely. The right to privacy is about respecting an individual’s private life and autonomy, and this may or may not involve personal data.
In the workplace
Employee monitoring is often thought of only in terms of deliberate and structured forms of monitoring. Common examples include the use of CCTV or the recording of customer service phone calls. However, any activity carried out with the objective of monitoring employees falls within scope and must be taken into consideration.
Other examples of workplace monitoring can include:
- Using time and attendance systems
- Monitoring network activity
- Accessing staff emails
- Using GPS technology to track company vehicles
- Notes taken or observations regarding an employee’s performance
When considering any activity that involves monitoring employees, a specific and legitimate business need must be identified to justify this activity. Employers may only lawfully conduct monitoring in very limited and controlled circumstances.
Legitimate business needs may include:
- To ensure policies and procedures are followed.
- To prevent or respond to cybersecurity incidents.
- To prevent or respond to health and safety incidents.
- To prevent or detect crime.
- To conduct an investigation.
Whatever lawful basis is identified, it should be documented and communicated to staff before the monitoring begins. Each monitoring activity must be considered on a case-by-case basis. Where legitimate interest is used as the lawful basis, a legitimate interest assessment needs to be completed.
One of the key considerations in such an assessment is whether the same outcome can be achieved in a less privacy-intrusive manner. In 2019, Dutch supermarket chain Albert Heijn requested that their employees provide photos of themselves in tight-fitting garments to assist in uniform fittings. After employee complaints and media attention, the Nijmegen Albert Heijn branch quickly abandoned this trial and apologised to all involved. In this case, a range of less privacy-intrusive methods would have achieved the same result.
In many cases, a less privacy-intrusive way of achieving the same result may not be as apparent. An employer can reduce the risk of running into privacy and data protection issues by implementing appropriate safeguards such as:
- Carrying out an appropriate assessment before the processing takes place.
- Engaging in a meaningful consultation with employees.
- Collecting the minimal amount of personal data needed.
- Avoiding the use of technologies if the same objective can be achieved without them.
- Limiting the scope and duration of the activity.
- Ensuring transparency about the means and purpose of such monitoring.
When considering whether you can move forward with a monitoring activity in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection law, be mindful that, given the imbalance of power in the employment relationship, consent cannot generally be used by employers as a workaround to green-light workplace monitoring. This was highlighted in a recent case in which the Hellenic Data Protection Authority fined PwC €150,000 for inappropriately relying on the legal basis of consent in the context of employment activities. Article 88 and recital 155 of the GDPR highlight the necessity of treating data processing in the context of employment with a higher level of consideration.
Finding the balance
Before any workplace monitoring can lawfully take place, the employer must balance the legitimate needs of the business against the rights of the employee. The organisation must have sufficient policies in place to cover any monitoring that takes place, setting out its purpose and extent. Any assessment of monitoring undertaken by an employer must document its necessity and proportionality.
When considering to what extent an organisation can fairly and ethically monitor employees, it is strongly advised that:
- A Data Protection Impact Assessment (DPIA) be used to identify, document and mitigate the risks associated with a monitoring activity.
- The advice of the Data Protection Officer (DPO) or data protection advisor is sought.
- Staff are consulted in a meaningful way as part of the process to ensure their views are captured.
- Where monitoring activity takes place under the legal basis of legitimate interest, the controller carries out a Legitimate Interest Assessment (LIA).
Using these tools, an employer can demonstrate the efforts made to determine what a reasonable expectation of privacy in the workplace looks like in practice. The outcomes should do more than satisfy compliance: they should help foster a culture of operating to high standards and measuring success without engaging in unlawful monitoring.
If your organisation needs help with assessing the balance point, necessity and proportionality of any monitoring to be implemented, our advisors are available to assist. Our templates and experience in risk assessment have been of benefit to diverse organisations in sectors such as education, healthcare, marketing, finance and the public sector.
For more information, please visit our Data Governance and Cyber-Risk Service page and do not hesitate to contact one of our advisors.