A new opinion by the Articles 29 Working Party ("WP29") has been published on the monitoring of employees. It seeks to clarify the legal position under the Data Protection Directive (as well as foreshadowing the obligations under the imminent General Data Protection Regulation ("GDPR")) and to reflect new and advanced monitoring techniques and technologies. Ways in which employers can monitor an individual today include systematic reviewing of electronic communications; location tracking and telematics technology; logging of access data using security cards; and monitoring browsing patterns, keystrokes and other behaviour on work and personal devices.
Whilst the opinion of the WP29 (which is an amalgamation of the data protection authorities from across the EU) does not have direct legal effect, it is likely to be relied upon by regulators and will undoubtedly be persuasive in courts and tribunals tasked with enforcing data subjects' privacy rights.
Key themes of the opinion are as follows
-
Before carrying out any form of monitoring, employers must:
-
consider what its interest is (for example, uncovering some fraudulent behaviour) and balance that against the effect it might have on the employees' expectation of privacy; and
-
ensure that steps taken are limited as far as possible (for example, where mailbox searches must be carried out in order to comply with a data subject access request, limited date ranges and keywords are applied)
-
-
This balancing and limitation exercise is particularly important in light of the impending obligations of the GDPR, including requirements to implement "privacy by design and by default" with respect to relevant data processing activities by controllers and to undertake and evidence privacy impact assessments in certain circumstances.
-
There is a particular health warning around those more novel monitoring techniques (for example, geo-location trackers through work applications) which are less obvious to employees than traditional methods (for example, CCTV) and which, in combination with the prominence of agile working and blurred boundaries between home and work life, can result in the monitoring of employees' personal activities.
-
Employees must be informed about any monitoring activities undertaken, including through clear policies and rules which are regularly reviewed and updated. In fact, the WP29 suggests that employee representatives should be involved in the drafting and review of such policies. Engaging with a sample of employees in this way may be far more effective in both conveying the vital messages around how employee data is dealt with to the wider workforce and in demonstrating a transparent and fair approach to employee engagement more generally. Of course, it will also make it more difficult for employees who subsequently seek to challenge the types of monitoring carried out – particularly where, for example, the results of such monitoring help to evidence some act of alleged misconduct by them.
-
Employers are unlikely to be able to rely on the consent of employees (which can rarely be genuinely freely-given) or an assertion that monitoring is necessary so that a contract with its employees can be fulfilled, in order to be able to justify monitoring activities.
-
There is a suggestion that employers who carry out extensive monitoring activities may be compromising whistle-blowers, or dis-incentivising employees who may otherwise blow the whistle on some malpractice by their managers.
Suggestions made by the opinion in respect of specific types of monitoring
The opinion cites and makes suggestions on a number of particular examples of monitoring, including the following:
-
The vetting of job applicants' social media profiles in order to consider their suitability for the role in question will be unlawful unless the information is relevant to the role in question and applicants have clearly been warned that their accounts will be reviewed;
-
The use of highly invasive techniques like keystroke logging, mouse-movement tracking, webcam enabling or screen capturing software packages to monitor employees is likely to be unlawful in any circumstance;
-
Software enabling remote mobile device management (for example, enabling employers to access or wipe applications, data or the entire device) must only be rolled out following a privacy impact assessment and applied in a limited way, for example, so that any tracking features are only enabled once the device is reported lost or stolen;
-
Aggregated health data should not be collected or accessed by employers directly from wearables (e.g. Fitbits), even where attempts have been made to anonymise the data; and
-
The use of telematics to provide detailed information on the behaviour and location of vehicles and drivers for performance management purposes is also unlikely to be justifiable and therefore unlawful. This is in contrast to the use of telematics as necessary to ensure compliance with working time limitations, which is much more likely to be lawful (although the obligation to limit steps taken will still apply).
The WP29 opinion, whilst not radically saying anything new, serves as a timely reminder that despite reasonably priced tech solutions being readily available to monitor most aspects of employees' working (and non-working) activities, employers must not systematically access and review employees' personal data unless they are transparent in doing so and without first carefully considering the implications of each particular instance of monitoring.
As a starting point, employers should update and review their relevant policies and rules on the processing of employees' information – to reflect any new and emerging techniques and technology that they are now using - and ensure employees are made aware of them.