This article also appeared in our Privacy Law Blog.
With virtually every employer performing some kind of employee monitoring, cyber surveillance on the work place remains a hot topic in Belgium. The last annual report of the Belgian DPA (‘Privacy Commission’) revealed that labour related phone queries make up the top 5 of the most frequently asked issues, and the Privacy Commission’s president stated in a recent newspaper article that not a day goes by without someone asking for clarification.
As the results of employee monitoring are often used in connection with dismissal procedures, no wonder employers want to know under what conditions the results can be used, whereas employees wonder what their privacy rights are.
A lot of this confusion results from a multitude of legal text dealing directly (e.g. Collective Bargaining Agreement n° 81 on the monitoring of electronic online communication data, hereafter ‘CBA n°81’) or indirectly (e.g. the 1992 Data Protection Act) with this issue, and which sometimes seem to contradict each other. In addition to that, there is a lot of debate around whether a CBA – negotiated between the employer’s and worker’s representations, and subsequently ratified by Royal Decree – prevails over an Act adopted in parliament.
Being faced with the growing confusion of the key stakeholders, the Privacy Commission has therefore opted to publish draft guidelines on the monitoring of email and internet traffic in the work place, which are aimed at clarifying its previous recommendations and at offering practical recommendations.
The highlights of the draft guidelines are:
- The Privacy Commission now also covers the modalities of the employer’s access to professional data stored on the employee’s computer, instead of its exclusive focus onprivatedata in the past. Thus, it offers a more complete oversight of the topic.
- A detailed justification is given as to why, in the Privacy Commission’s opinion, the rules of CBA n°81 do not conflict with higher ranked legal texts, especially sections 124 of the Electronic Communications Act (unauthorized perusal of the existence of electronic communication) and 314bis of the Criminal Code (unauthorized tapping during the transmission).
- According to the Privacy Commission, the most important recommendation for employers is to completely ban the use of the professional email account forprivatepurposes. In case the IT-policy obliges employees to use a webmail client for theirprivateemails, all email in the professional email account is assumed to be professional. As a result, the employer would be entitled to access those emails to ensure the continuity of the services to its clients. While this does indeed seem the easiest solution, one may wonder whether in practice such approach is workable.
- Most of the other recommendations focus on putting in place detailed and clear preventive rules and procedures that minimize the employer’s need to actually access or control personal information of its employees. This may include implementing a proper document and email management system on a company level and implementing business continuity measures in case of employees’ absence.
The Privacy Commission’s guidelines are not law as such but any employer wanting to undertake employee monitoring which does not strictly comply with these guidelines must be able to justify that the applicable rules and regulations are still complied with – especially the principles of proportionality, transparency and finality.
All stakeholders are invited to provide the Privacy Commission with their observations or comments on the draft guidelines by 30 November 2011.