The pandemic has resulted in a seismic shift in the number of employees working from home. For employers, this can bring advantages and disadvantages. One of the key disadvantages is that some employees may feel more inclined to shirk their usual responsibilities due to the lack of facetime or supervision they would normally experience when working at the office.
Technology has a solution for this with more and more tech companies providing products that help monitor U.K. employees who are working from home. The question that therefore arises is whether employers can use these products to monitor employees lawfully in accordance with data protection laws.
Unfortunately, there is no one answer and there are a number of factors employers will need to consider before implementing such technology. Here are some of the key data protection considerations.
- Lawfulness of processing: All processing needs to have a lawful basis under the General Data Protection Regulation (GDPR). When it comes to employee monitoring tools, there is only really one option—legitimate interests. Remember that consent is generally not appropriate in an employment situation due to the imbalance of power between the employer and the employee. Legitimate interests can be relied on only if the employer’s interests in carrying out the processing override the rights, interests and freedoms of the individuals affected by the processing. To establish this, a legitimate interests assessment (LIA) should be carried out. Note that even though legitimate interests may be appropriate in some cases, it will not always be possible to justify remote employee monitoring on this basis. As a general rule, the more intrusive the monitoring, the more difficult it will be to rely on legitimate interests.
- Data Protection Impact Assessment (DPIA): The GDPR requires controllers proposing to carry out higher-risk processing, to carry out a DPIA before doing so, particularly where the processing involves the use of new technologies. DPIAs are intended to focus the mind on the risks involved with certain types of processing and the safeguards that can be put in place to minimize those risks. The use of employee monitoring technology will often trigger the need to conduct a DPIA, and even if it does not, it would still be prudent to carry out a DPIA before rolling out any new monitoring technology to mitigate the privacy risks associated with that technology.
- Transparency: This is one of the key considerations. If an employer is planning on implementing a new monitoring technology, its employees should be made aware of it. Relevant details will need to be added to the employer’s staff privacy notice. However, simply updating the staff privacy notice on the intranet normally will not be enough. The use of monitoring technology will usually also need to be specifically drawn to the attention of employees (e.g., by way of cover e-mail accompanying the updated privacy notice) to adhere to the GDPR’s transparency requirements.
- Purpose limitation and data minimization: These are two of the GDPR’s overarching principles that tend to go hand in hand. Purpose limitation requires that the employer collect data only for clear, specified and legitimate purposes. Data minimization provides that the employer shouldn’t collect more data than it needs to achieve its intended purpose. This is relevant in the context of monitoring technologies as often they can lead to more data than was originally envisaged being collected and that additional data being used for novel purposes. Employers seeking to use monitoring technologies need to be aware of this potential scope creep. Breach of the GDPR’s principles is serious and can result in heavy sanctions, as various regulators have reminded employers recently.
- Right to privacy: Finally, it is important to remember that employees in the U.K. have a right to privacy under the Human Rights Act 1998. Although there are limitations to this, particularly in a work context, it is likely that individuals’ right to privacy will be greater when working from home than it would be in an office environment. Employers that are considering acting on information they have obtained from the use of monitoring technologies will need to weigh the risk of employees claiming violation of their rights in the event they do act.
Ben Nolan is an attorney with Fox Williams LLP in London. © 2021 Fox Williams LLP. All rights reserved. Reposted with permission of Lexology.