Polling carried out last year by the TUC found that at least 60 per cent of employees believe they have been subject to some form of surveillance and monitoring at work. As hybrid forms of working show no signs of going away, employers and employees can expect the topic of monitoring to remain high on the agenda in 2023.
Know your limits
A recent case involving Chetu and a telemarketer working from his home in the Netherlands has provided a timely reminder for businesses with international operations to review their compliance with human rights and data protection laws.
In the Chetu case, a Dutch court found in favour of the worker, who was dismissed for allegedly refusing to keep his webcam on for nine hours per day. The company had requested that he participate in a ‘corrective action’ programme, during which he was to keep his webcam on at all times – the worker objected to this and was terminated for ‘refusal to work’ and ‘insubordination’.
In deciding that the worker’s employment rights had been breached, the court ruled that Chetu’s actions were contrary to article 8 of the European Convention on Human Rights, stating: “Video surveillance of an employee in the workplace, be it covert or not, must be considered as a considerable intrusion into the employee’s private life.”
Because there was no evidence that the company actually stored or processed the webcam recordings, but only wished to observe them, the court found that the application of the GDPR did not arise on the specifics of this case. However, where other forms of monitoring take place and result in personal data being processed, a US (and UK) employer would need to ensure it is complying with the applicable data protection regime, including having a lawful basis for the monitoring and carrying out a data protection impact assessment (DPIA) given the high risk to rights and freedoms of the individual.
In October 2022, the UK’s Information Commissioner’s Office (ICO) launched a consultation on its monitoring at work draft guidance.
This new guidance will cover both systematic monitoring, where an employer monitors all workers or groups of workers as a matter of course (for example, if software is used to monitor productivity), as well as occasional monitoring, where an employer implements monitoring as a short-term response to a specific need (for example, installing a camera to detect suspected theft).
Businesses should be aware of the following summary points:
The UK GDPR and the Data Protection Act 2018 do not prevent monitoring. They set out a framework for the collection and use of personal data. Employers must balance the level of intrusion caused by monitoring against their legitimate business needs and those of their workers.
Employers must make staff aware of the nature, extent and reasons for the monitoring unless exceptional circumstances mean that covert monitoring is necessary.
Businesses must be clear about their purpose for monitoring. In most circumstances, they must not use the information collected for a new purpose unless it is compatible with the original purpose.
Employers must carry out a DPIA for any monitoring that is likely to result in a high risk (as above), and should keep this under review. Where a DPIA is not mandatory, they should consider completing one anyway to demonstrate overall compliance and best practice.
The ICO extended the deadline for responses on the draft guidance to 20 January 2023. The finalised guidance is anticipated to be published after that date, later this year.
Daniel Stander is an employment lawyer at Vedder Price