The pitfalls of monitoring employees

Simon McMenemy explains what employers should consider before implementing tools to remotely track their workers’ activity

The pandemic has resulted in many organisations adopting remote or hybrid working. While this shift has been embraced by much of the workforce, the lack of employee oversight has worried many employers, leading to an increase in the adoption of remote monitoring software. 

According to research from Skillcast and YouGov, as many as one in five businesses are either using tools capable of tracking workers’ activity or have plans to do so in the future.

However, with the rising legislative and cultural emphasis on personal privacy, employee monitoring is fraught with potential legal potholes, and organisations should carefully consider its implementation.

Artificial intelligence (AI)

Artificial intelligence is probably the most controversial aspect of monitoring right now. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 largely prohibit the use of automated decision-making. This means that if a machine is processing data gathered by the monitoring of employees and then producing a decision based on that data, it could be unlawful. 

A good example of this in action would be if the AI determined how many hours an employee was getting paid based on keystroke monitoring. If pay was reduced based on that decision it would likely be unlawful, as the employee would not have the opportunity to explain why there was a drop in their keystrokes – such as being on the phone to a customer.

Regulation guaranteeing employees’ privacy rights

GDPR made ‘employee notices’ compulsory. Although UK organisations had been bound by the Data Protection Act 1988 for nearly 20 years, there was not such an explicit requirement to tell staff how their personal data was collected, processed and stored, as there is under GDPR. 

Now, to avoid a complaint to the Information Commissioner – the regulator which can impose fines of up to £17.5m or 4 per cent of an organisation’s total annual worldwide turnover, whichever is higher – businesses must be fully transparent and inform workers about how their personal data is collected and processed.

Another major GDPR requirement that will not only help employers stay on the right side of the law, but also help them think through the issues and consequences of their monitoring is the completion of a ‘data protection impact assessment’. Article 35 states that these are carried out where an organisation is ‘in particular using new technologies’ and there is a high risk to the employee’s ‘rights and freedoms’.

It boils down to a risk assessment that balances the action the employer wants to take (monitoring) with the possible compromises to individuals’ privacy it will bring about. For example, where the employee is working from home but must have their laptop camera enabled, will this intrude not only on their private life but those of their family or housemates, too? 

Managers should ask whether the scrutiny is really necessary and worth the possible risk of offending privacy laws. By posing and answering these questions in advance, they will be in a strong position if challenged by the data subject of the planned observation.

Avoid violating employees’ rights

Technology has rapidly outpaced the laws intended to regulate its use for many years. GDPR was finalised as legislation in 2016. After a two-year ‘waiting’ period, it was already becoming outdated by the time it came into force. Because of this, employers should be wary of blindly following the latest tech trends in case these are declared illegal in the near future. 

The situation for international employers can be even more complex, as being allowed to use technology in one territory does not mean you can in another because of differing data protection laws. 

GDPR, with privacy being one of its guiding principles, is intended to prevent this happening, but much of the technology used in the UK is developed in the US, where data privacy is largely still sector specific rather than all-encompassing. This means that until a Federal Data Privacy Act intervenes, it is largely left to the tech companies to regulate themselves. 

Regulation defines what is permissible and fair but cannot possibly keep pace or anticipate shifts in how we work or the technology we use. For best advice on what is and is not allowed or what likely controls will be applied, employers should consult a legal practice with an established track record in employment law and data protection law.

Simon McMenemy is managing partner at Ogletree Deakins