The concept of workplace monitoring to detect or investigate misconduct is not new. Many employers will at some point have engaged in a review of email and internet records for this purpose.
Employers can still carry out monitoring activities under GDPR. There are, however, additional legal considerations that need to be met. In addition to the general rules around processing personal data, there are three key issues:
- What is the lawful basis for processing the data?
- Has a data protection impact assessment (DPIA) been carried out and does this support the use of monitoring?
- Has the employee been given notice that the monitoring may be carried out?
Identifying the lawful basis
Pre-GDPR, many employers relied on consent as the lawful basis for monitoring, normally through generic contractual or policy statements. Post-GDPR, there are very limited situations where such consent will be appropriate. More often, the legitimate interests of the employer may be a more appropriate basis. ‘Legitimate interests’ can only be relied upon where:
- The processing is necessary for the purposes of the legitimate interests pursued by the employer
- These are not overridden by the interests or fundamental rights of the employee
As to necessity, the views of the European Data Protection Board Opinion 2/2017 on data processing at work should be kept in mind:
- Geographical (eg monitoring only in specific places; monitoring sensitive areas such as religious places and for example sanitary zones and break rooms should be prohibited)
- Data-oriented (eg personal electronic files and communication should not be monitored)
- Time-related (eg sampling instead of continuous monitoring)
Most employers state in their various policies that employees should have no expectation of privacy in work, particularly in connection with IT systems. However, this does not provide carte blanche to monitor at will. The ICO draws a distinction between systematic monitoring and occasional monitoring. Excessive or unjustified monitoring of either kind will fall foul of data privacy rules and other legal protections. Proportionality is key in determining lawfulness, ie, the reason for the monitoring.
As a proactive step before monitoring is undertaken, it should be considered and recorded through a DPIA. The purpose of the impact assessment is to:
- Identify the purpose behind the monitoring and the benefits likely to be delivered
- Identify any likely adverse impact of the arrangement
- Consider alternatives to monitoring or testing
- Consider the obligations arising from monitoring or testing
- Judge whether the monitoring or testing is justified
- Identify the lawful basis of processing the data
Notice should be given to workers that monitoring may be carried out. Employers need to be transparent about the way they process data. Workers need to have a clear understanding of what the monitoring entails. Notice can be provided to the employee in different ways: through an employer’s email/internet policies, its data protection policy or employee privacy notice.
Monitoring and the interplay with other rights
Workplace monitoring touches on a number of legal areas. Other rights engaged or impacted could include human rights, trust and constructive dismissal considerations and a need for compliance with wider fields of protection around communications, including emails.
In exceptional cases, employers can undertake covert monitoring, normally where there is suspected criminal activity or malpractice such as theft or fraud by employees. Employers should ensure that their policies explain that covert monitoring may take place. The ICO Employment Practices Code recommends that the decision should be taken by senior management, and that before taking this approach, senior managers need to be clear that notifying individuals about the monitoring would prejudice its prevention or detection.
Where surveillance cameras are being used, employers should also consult the ICO Code of Practice on Surveillance Cameras and personal information. Extreme caution should be applied before doing this on a covert basis. European case law supports that an unfocused and excessive approach will not only breach GDPR obligations but will also lead to infringement of the right to privacy under Article 8 of the European Convention of Human Rights.
Alison Woods is an employment partner at CMS