For weeks, the lockdown measures due to the Covid-19 crisis forced millions of employees to work from their homes. Where possible, companies adjusted their internal processes to enable employees to telework. As previously analysed, homeworking has increased the amount of personal data that companies are collecting from their employees as a result of having to implement new online security measures and video conferencing software, for example.
However, while many employees are now being called back to the office, employers may be tempted to turn to more extensive methods of monitoring their employees and to rely on more invasive technology, both at work and at home.
The most visible emerging practice is the collection and processing of employees' health data (e.g. temperature checks, COVID-19 symptom checks and tests, medical history, etc.). Defined as a "special category of personal data", health data enjoys a special legal regime under the General Data Protection Regulation (GDPR): it cannot be processed except in limited cases. Because of these safeguards, data protection authorities in Europe have issued guidance to help employers determine whether the processing of health data in the context of Covid-19 is lawful. For instance, the CNIL in France has emphasised that employers cannot keep records of their employees' temperature levels nor use thermal cameras to screen employees. The ICO in the UK issued a set of recommendations on the testing of employees at the workplace, as did the Garante in Italy.
Nevertheless, employee monitoring goes well beyond the mere collection of health data. The reopening of businesses may result in a wide range of new data processing activities aimed at ensuring compliance with applicable laws and with the recommendations made by the public authorities (1). However, as illustrated by examples from different parts of the world, some employers are taking the fight against the spread of COVID-19 to the next level, in ways that go beyond the goals set out by the public authorities (2). Either way, these new processing operations must comply with applicable data protection laws, which include the GDPR as well as national privacy and labour laws (3).
Processing beyond the rules set out by the public authorities
Employers will primarily be seeking to comply with the 'de-confinement measures' issued by their respective public authorities. These rules – whether hard or soft law – may be decided upon by ministerial bodies or industry-specific regulators. Some may impose strict obligations on employers while others may leave a wider margin of manoeuvre. They seek to protect employees and find a fair balance between allowing employees to return to the office and protecting their health.
When implementing these rules, employers are likely to embrace new technologies that allow them to monitor their employees and enable them to control access to the company's premises, for example, by assessing the flow of people or enforcing social distancing and other rules.
For example, companies may require employees to register at the lobby and may start tracing their movements. Badges and other wearable devices would enable employers to track their employees based on geolocation data, in order to check whether they come to the office only on their assigned shifts or, conversely, whether they stay at home when they are supposed to.
Automatic and smart doors can count the number of employees already present in a given room and deny access to any additional person in order to enforce physical distancing (e.g. in catering areas). Similarly, wearables such as electronic wristbands worn by employees may emit a sound when they come too close to another employee.
Employers may also want to place people-counting sensors or cameras all around the office to manage the flow of people. Such sensors could automatically detect large gatherings and warn security agents (or, in some cases, robots) to send everyone back to their workstations. Lastly, cameras can be repurposed, thanks to artificial intelligence, to assess whether employees are wearing a mask.
Company-wide processing amidst the COVID-19 crisis
Some companies are looking into innovative tools and technologies to combat the spread of the virus within the company itself. The stakes are high as employers seek to prevent any clusters from emerging within the company and to avoid having to bear the cost of a second lockdown.
Over the last few weeks, many authorities have issued recommendations concerning contact-tracing applications, both at national level (such as the CNIL in France and the Garante in Italy) and at EU level (see the European Commission's communication and the European Data Protection Board's guidelines). While some mobile apps are now operational in Europe, employers may also be keen to develop their own internal contact-tracing tools alongside those already available at national level. In fact, large companies that previously received thousands of employees per day may start developing internal mobile tracking apps or wearables that could be mandatory for all employees. Such apps would enable them, for example, to track the location of their employees on the premises at any given moment, as well as their proximity to colleagues and the identity of those colleagues.
In addition, employers may be tempted to profile individuals so as to determine who is allowed to return to the office and who should be denied entry, based on various risk factors, such as: the number of individuals living in an employee's household, the presence of front-line workers in that household, the geographical distance between the office and an employee's home (including the need to take public transport, if any), age, etc.
Sensors, cameras, trackers, profiling… These are only some examples of the types of data processing to come, some of which may possibly become a part of our daily lives.
Finding the right balance between safety and privacy
When processing personal data, companies must comply with the following general principles (some of which were recalled by the ICO here):
A specified, explicit and legitimate purpose
The purpose of each new processing operation must be specific and predefined. Employers need to carefully analyse the legitimacy of any new processing, in particular by verifying that the purpose of the processing complies with applicable laws, e.g. with labour laws.
Proportionality and data minimisation
These principles are key to protecting employees' rights to privacy and data protection. Concretely, employers need to choose the least intrusive technology, one that collects, by default, only the data strictly necessary for the predefined purpose. Thus, employers should give preference to tools that do not require the direct or indirect identification of their employees, the recording of data or the collection of geolocation data. For instance, the CNIL provides useful criteria to determine whether "smart" camera systems are proportionate, such as the volume of data collected, the location and number of cameras, and whether or not the data is accessible to the data controllers.
Determining an appropriate lawful ground
Prior to implementing a new processing operation, employers must determine what the most appropriate lawful ground is. As always, the lawful grounds for processing must be analysed on a case-by-case basis and will vary depending on the specific circumstances, the rights and freedoms of employees, their reasonable expectations and the safeguards that are implemented to protect such rights. In the employment context, it is generally advised not to rely on an employee's consent, given the imbalance of powers between an employee and an employer and the fact that consent is generally not given freely by the employee.
Employers may consider relying instead on the necessity to comply with a legal obligation, e.g. the employer's obligation to ensure the health and safety of its employees. However, the concept of "necessity" is interpreted strictly. Furthermore, according to the EDPB, the legal obligation itself must be "sufficiently clear as to the processing of personal data it requires... [and] the controller should not have an undue degree of discretion on how to comply with the legal obligation".
Employees must be informed individually about any new processing activity, as well as about any substantial changes to pre-existing processing activities (Articles 13 and 14 of the GDPR). In practice, employee privacy policies may need to be updated to include any new processing purposes that are required before reopening the office. According to the ICO, employees need to know the nature and extent of the surveillance and its purposes. Furthermore, transparency ensures fairness, especially when the processing involves profiling, which can in some cases lead to discrimination. Lastly, substantial changes made to the policies will need to be clearly brought to the attention of employees via appropriate means of communication (e.g. on the intranet or directly by email).
To comply with labour laws, companies may be required to inform and consult their representative bodies, such as works councils. This is the case in France, where prior information and consultation are mandatory in the event of "the introduction of new technologies, [and of] any significant changes in health and safety conditions or working conditions" (Art. L2312-8 of the French Labour Code) and when an "automated personnel management processing" is put in place (Art. L2312-38). However, the role of works councils varies from one EU Member State to another, and this is not an area of the law that is harmonised across the EU.
Accountability and documenting compliance
In accordance with the accountability principle, one of the pillars of the GDPR, companies must be able to demonstrate their compliance with the general principles of data protection, including those described above. Documenting the choice of the tools used and their privacy-by-default settings and design will enable companies to provide evidence to the data protection authorities (if need be) of the measures taken to comply with the GDPR, for example in case of an inspection.
In the current context, any pre-existing guidelines adopted by the data protection authorities on employee data processing activities are unlikely to cover the specific processing requirements that apply in the Covid-19 crisis. For example, while the CNIL recently adopted an HR Management reference framework that sets out the rules applicable to HR processing activities, this document only applies to "routine" HR processing activities and does not take into account the more intrusive processing activities linked to combating the Covid-19 virus.
Lastly, the accountability principle requires companies to carry out data protection impact assessments (DPIAs) when the processing is "likely to result in a high risk to the rights and freedoms" of individuals (Art. 35 of the GDPR). In practice, a DPIA must be carried out when at least two of the nine criteria identified by the EDPB are met. In the context of the Covid-19 crisis, the following criteria are likely to be met: (1) systematic monitoring, (2) data relating to vulnerable persons (i.e. employees), (3) innovative use (use of new technology), and (4) assessment/scoring (including profiling) of employees' behaviour, location or movements.
The development of innovative tools in the public space, such as COVID-19 mobile apps, has triggered fierce debate between advocates and critics. As a result, employees are more aware of the risks that such technology poses to their privacy, which may prompt them to question their employers about the processing of their personal data. Health-related anxiety caused by returning to the office may be an additional contributing factor, and may also trigger an increase in data access requests. The GDPR grants employees a number of rights with regard to their personal data (including the right of access and the right to object to the processing). However, these rights may be limited or conditioned depending on the legal ground on which the processing is based. This is likely to create more disputes between employers and employees, which ultimately may end up in court. For example, the CNIL warns that most "smart" cameras set up in places open to the public (e.g. lobbies or shops) are unlikely to be compliant: while they aim at enforcing social distancing and checking whether employees are wearing masks, they do not enable employees, clients or visitors to exercise their right to object to the processing.
Businesses may view employee monitoring technology as a necessary pre-requisite for a successful reopening of their offices. The ICO summarises that "depending on the specific context of your workplace, there may be a case for you to use overt surveillance systems to monitor staff to ensure essential health and safety measures are followed during the pandemic." Yet, the challenge for both employers and tech developers will be to find the right balance between ever-more intrusive technology and respecting employees' right to privacy.