This article is a continuation of my series on the role of HR in GDPR compliance. In this article I offer my insights on Employee Monitoring and how HR can adapt existing policies to continue monitoring activities in compliance with the requirements of the GDPR.
Employee monitoring or workplace monitoring is the oversight of employee behavior through various mechanisms such as monitoring emails, internet traffic, and telephones, or using physical surveillance such as CCTVs. Employee monitoring can take many forms that include monitoring social media activity, telecommunications, physical behavior, device management, and so forth. Although, employers may have a justifiable reason for monitoring, the reason must be a balance of the employer’s interests and employees’ privacy expectations.The human resources department has to justify the benefit it reaps from employee monitoring policies, as well as the reasons why the monitoring policy overrides the employee’s rights and interests, where applicable.
In the context of the GDPR, employee monitoring is relevant due to the personal data collected from constant behavior monitoring. As the GDPR’s defining principle is the lawful, fair, and transparent processing of personal data, organizations have to be ‘explicit’ about their monitoring policies. These policies are legal and permissible; however, they have to function within the framework of the GDPR. Hence, policies have to be fair and transparent to the employees, and proportionate to the aims and concerns raised.
Monitoring activities and policies become a point of contention when their purpose is ambiguous or if the employer is not able to justify them. They may be instances where the HR leader is unable to utilize data gathered from monitoring activities in dispute resolution or some equivalent HR activity because of this purpose restraint. Moreover, despite meeting transparency standards, the use of personal data gathered through particular monitoring activities as evidence may be considered disproportionate. For example, some organizations install camera surveillance technology such as CCTVs for purely security purposes. This surveillance technology cannot be utilized as a performance monitoring tool subsequently. Furthermore, as the surveillance technology was installed from a security standpoint, any employee data collected from it can’t be used for evidentiary purposes in dispute resolution or disciplinary actions regarding employee conduct without there being a security issue involved therein. Should the monitoring policy permit evidentiary usage per the transparency principles, the same could be considered excessive and disproportionate, bringing scrutiny from a separate provision of the GDPR.
The test of proportionality will invite examination of key-logging, webcam access, screen capturing, and mouse tracking measures. Location tracking is also potentially intrusive. Should HR managers implement an employee monitoring system or policy, they should also account for the employees’ rights to object to the processing of their personal data or restrict personal data processing in certain circumstances (these rights will be discussed in a subsequent article on Employees’ Rights).
HR function should also address the monitoring of informal communication especially when there is an overlap or merging of formal and informal communication in its policy. For example, an email contains business-related information as well as personal correspondence. While employers can monitor informal or private communications, they must have a strong legal basis for doing so and the merging of business and personal correspondence can lend ambiguity to otherwise transparent monitoring policies. It is advised that any monitoring of communications, such as e-mails, be focused on contact names, headings, and subject lines to avoid privacy violations.
Monitoring of social media can become fraught in circumstances where demarcating work and private areas is complicated. It is even more complex when factoring in privacy and data protection requirements. For example, a situation similar to the case Game Retail Ltd. V. Laws, where an employee uses a private social media account capable of publishing content publicly. This account is linked to employer-related accounts among others and the employee’s conduct via this private account is derogatory or obscene in relation to the employer, thereby amounting to gross misconduct. In such circumstances, employers may face difficulties in determining whether this conduct is non-work related/private, or work-related; and whether this account can be justifiably monitored.
The GDPR requires employers to provide a rational, lawful basis for employee monitoring activities. Incidents are likely to occur where employees claims discrimination against monitoring policies on the basis of race, ethnicity, religion, disability, etc. Entities outside the EU, conducting monitoring of EU data subjects remotely will also fall within the purview of the GDPR. These multinational entities may encounter regulation disparity within the EU depending on the implementation and amendments made by member states. Employment law and information technology law also interact with the GDPR, and legal liability may be imputed under either even though policies are GDPR compliance, or vice-versa. Thus, employee monitoring policies are a contentious aspect of human resource management and need to be designed in consonance with the legal and compliance department.
It is recommended that HR personnel seek detailed guidance from the Employment Practices Code and the Article 29 Working Party’s opinion on data processing at workfor sample checklists to help determine the acceptability of employee monitoring policies.
Steps and Solutions
- Policies governing monitoring have to be fair and transparent to the employees, and proportionate to the purpose for which monitoring is conducted. The policy has to demonstrate necessity and proportionality of all monitoring activities, and the scope of each deployed mechanism has to be mapped out.
- Seek employee feedback regarding privacy concerns and develop policies based on the outcomes of these feedback sessions.
- Ensure monitoring policies and protocols are in consonance with the purposes for which they have been implemented. For example, monitoring employees’ IT systems and work-related communication to prevent theft of intellectual property.
- Inform employees that they are being monitored and the communicate basis for workplace monitoring. Explain expectation for privacy standards and employee conduct, especially where monitoring is used to enforce standards or internal rules.
- Ensure employees are aware of the nature, extent, and scope all monitoring measures undertaken – technical, physical, or otherwise.
- Employee personal data can only be used for the purpose it was initially collected. Employee monitoring policies, as well as associated HR employee policies such as employee code of conduct and dispute resolution, should incorporate these processing restrictions.
- Conduct proportionality reviews for monitoring activities and surrounding policies to ensure they are justified. Conduct data protection impact assessments to determine risk of privacy invasions through employee monitoring, and adapt recommendations on policy amendments.
- Develop alternative monitoring techniques that are low-key and able to achieve HR objectives.
Advisory to CRIS
Co-founder & CEO, CyberImmersions Solutions
The ideas, view and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice. For legal reliance on GDPR compliance, please consult your attorney.
ICO: The Employment Practices Code: https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf
Article 29 Data Protection Working Party: Opinion 2/2017 on Data Processing At Work: https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2017/07/Opinion22017ondataprocessingatwork-wp249.pdf