By Ellen Goodland, employment lawyer and a specialist in data protection at independent UK law firm Burges Salmon
Prompted, no doubt, by the growth in home working since the pandemic, monitoring of employees by their employers is becoming increasingly common. The tech market has been quick to catch on to this trend and, alongside the tried and tested methods of CCTV, attendance logs and email and telephone monitoring, numerous new monitoring technologies are now available, including keystroke logging, browser monitoring and social media tracking.
However, with some methods of monitoring potentially at odds with the employee’s rights in relation to privacy and data protection, it is not surprising that the Information Commissioner’s Office (ICO) is taking a keen interest in these activities and has issued specific guidance for employers on monitoring.
Employees are also much more aware of their rights, leading to an increase in employee grievances about misuse of their data. Similar arguments around misuse of personal data are also appearing within Employment Tribunal claims.
Against this background, we consider some key points for employers who want to monitor their staff to bear in mind.
Biometric Data Primer
Of recent interest to the ICO is the use of an employee’s biometric data, not least because biometric data is ‘special category data’ and so requires employers to adhere to a more stringent regime around its use. In February this year the ICO produced specific guidance relating to using biometric data (Biometric data guidance: Biometric recognition | ICO).
Biometric data is defined by the GDPR as personal data resulting from specific technical processing ‘relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person’. In essence, biometric data can include fingerprint, face, iris and DNA-based recognition. Because biometric data relates to an individual’s unique and distinctive biological characteristics, it is treated as ‘special category’ data where it is processed for the purpose of uniquely identifying a person (which is exactly what biometric monitoring does), and so it is afforded additional protection. As a result, there are additional legal requirements with which an employer must comply when processing biometric data: as well as a lawful basis, the employer must satisfy a separate condition for processing special category data, because it is accepted that use of this data could create more significant risks to the individual’s fundamental rights and freedoms.
The processing of biometric data is, by its nature, more intrusive than processing other types of personal data and, therefore, employers who want to use it to monitor employees will first need to give proper and careful consideration to whether a less intrusive way of monitoring could be implemented. If there is one, the ICO guidance confirms that it would not be lawful for an employer to process the biometric data for this purpose and the employer would need to adopt the less intrusive method instead. As a result, the use of biometric data in the workplace to monitor staff is now on the wane, because it is difficult to justify why an alternative, less intrusive method, such as employee ID cards, cannot be used.
When it comes to employee monitoring, the ICO is not only interested in the use of biometric data. The use of other technologies and methods for employee monitoring will also be subject to scrutiny by the ICO because of the potential intrusion on an individual’s right to privacy. It is important to recognise that for monitoring to fall foul of what is permissible, it does not have to involve a specific type of technology, nor does the monitoring need to be part of a formalised arrangement. The monitoring can be as simple as noting down how long someone is ‘away’ on Teams or logging the details of employees who arrive late to work.
Where an employer is undertaking monitoring, it will need to identify a lawful basis for doing so. The six bases available (as set out in the GDPR) are as follows: employee consent, performance of a contract, compliance with a legal obligation, protection of the vital interests of an individual, performance of a public task or for the employer’s legitimate interests.
Care needs to be taken when identifying a lawful basis for the monitoring, as it is not always straightforward. For example, whilst ‘consent’ may seem like an obvious option, there are issues for employers seeking to rely on it: consent must be freely given, specific, informed and unambiguous, and it is unlikely to be freely given where there is an imbalance of bargaining power between the parties (which is usually the case in an employer/employee relationship). Equally, employees must be able to withdraw their consent at any time, at which point the monitoring would have to stop.
The employer’s ‘legitimate interests’ is, in most circumstances, the appropriate lawful basis for monitoring. However, this basis can only be relied on if the employer can demonstrate that the monitoring is ‘necessary’ to achieve the legitimate interest. The ICO confirms that: “Necessity does not mean that processing of personal information has to be absolutely essential in order for a lawful basis to be valid. However, necessity does mean more than just useful or desirable. You cannot argue that processing is necessary just because you have chosen to operate your business in a certain way.” With this in mind, it will be important for an employer to be able to demonstrate why the monitoring is necessary to achieve a legitimate interest (e.g. when considering the use and location of CCTV where there is a known issue of theft or dishonesty) and how that interest has been balanced against the employee’s fundamental rights and freedoms and the risks to them (such as the risk of the monitoring data being breached or the risk of discrimination).
Regardless of the type of monitoring in operation (and assuming that you have a lawful basis), if, as a result of the monitoring, an employee could face repercussions such as disciplinary action or performance management, the processing could be considered ‘high risk’. If the processing is ‘high risk’, the employer must carry out a data protection impact assessment (DPIA) before the monitoring starts, and must take additional steps to demonstrate why the monitoring is ‘necessary’ and how it considers this is balanced against the employee’s fundamental rights and freedoms.
A legitimate interests impact assessment (what the ICO calls a ‘legitimate interests assessment’, or LIA) is one way for an employer to establish whether the proposed monitoring can be justified. It enables the organisation to demonstrate that appropriate weight has been given to the interests of the data subject (i.e. the employee), as well as showing that alternative and/or less intrusive options to the monitoring (and to the method of monitoring) were considered. As a matter of best practice, an employer will often carry out a legitimate interests impact assessment even where the monitoring is not ‘high risk’.
Key considerations when undertaking a legitimate interests impact assessment include:
- What is the purpose of the monitoring?
- Is the method of monitoring you are proposing necessary to achieve that purpose?
- Is there a less intrusive way to achieve the purpose?
- Will you be transparent with those employees you will be monitoring about the purpose of the monitoring and is this reflected in your policies and communications to staff?
Aside from good employee relations, it is very important that, as an employer, you ensure that any monitoring of employees is undertaken lawfully, as the potential consequences of getting it wrong can be extensive. The ICO has power to investigate monitoring on its own initiative, and an employee may complain to the ICO about the (mis)use of their personal data, which could also result in an ICO investigation. If the ICO finds there have been breaches of data protection law, it can take enforcement action, including through information notices (requiring certain information to be provided to the ICO), enforcement notices (requiring action to be taken or not taken) and the imposition of financial penalties, which under the UK GDPR can reach the higher of £17.5 million or 4% of annual worldwide turnover.
In addition, as we mentioned above, it is not only the ICO that the employer needs to be aware of. It is becoming increasingly common for employees to raise internal grievances about how monitoring is being undertaken or – even more commonly – to argue that a misuse of their personal data has contributed to their dismissal or resignation, leading them to bring claims in the Employment Tribunal.
As an employer, if you are considering monitoring employees or are already doing so, we would suggest taking the following actions:
Audit how your business monitors its employees and the purpose(s) behind that monitoring
You may not know where, or to what degree, your organisation already monitors its employees and how that data is being used. For example, technology brought in to do other things (endpoint security tooling, collaboration platforms, building access systems) may also include monitoring capabilities. It is important to identify what monitoring is taking place or is proposed, not least so that you can be fully transparent with employees about what you are doing.
As part of the audit, identify who has access to the monitoring data (access should be restricted to those who need to know) and how they are using it. Establishing this is important because the answer may indicate the need for a legitimate interests impact assessment, for example where the data could be used to support disciplinary action or a performance improvement plan, where the monitoring has any knock-on impact on an individual’s terms of employment (including pay grade, bonus or benefits), or where it could feed into a redundancy selection process.
Consider your lawful basis for monitoring and, where relying on the employer’s legitimate interests, whether the monitoring is ‘necessary’
Once you have completed your audit, you will then need to assess, in each instance of monitoring, the lawful basis for the processing (i.e. the monitoring). Unless the monitoring is to comply with a legal obligation, the lawful basis is likely to be for your organisation’s ‘legitimate interests’.
This means you will then need to consider whether the monitoring is necessary and as part of this assessment you will need to consider if there is a less intrusive means to achieve the purpose for processing. Depending on the context of monitoring and how the results of the monitoring are being used, you should consider whether a legitimate interests impact assessment should be completed to demonstrate you have properly identified your purpose and considered the impact on individuals.
In general, it is best practice to undertake a legitimate interests impact assessment for all monitoring, because this will help you demonstrate your compliance and your justification for undertaking the monitoring. For ‘high risk’ processing, as set out above, a data protection impact assessment is mandatory, and the legitimate interests analysis should feed into it.
Simply listing the other, less intrusive options you have considered will not be enough. You must be able to demonstrate clearly why the other less intrusive options are not sufficient and that you have balanced this against the risk to the employee’s rights and freedoms.
Review your privacy policy and communications to staff to ensure you are being transparent about your monitoring
Where monitoring is taking place, a key part of GDPR compliance will be to ensure that employees are informed of what monitoring is taking place and why. This should be clearly stated within your privacy policy.
If you are proposing to process ‘special category’ data, such as biometric data, you will also need to identify a condition for processing that data in addition to your lawful basis and, where you rely on a condition that requires it (such as the employment condition in Schedule 1 of the Data Protection Act 2018), have in place a separate ‘appropriate policy document’ that is transparent about what processing is taking place and how the data protection principles are being complied with.
Communications to employees about any monitoring you undertake need to be easy to understand, drawing their attention to the appropriate policy and making it clear who they can speak to if they have concerns. Transparency is a fundamental principle of data protection compliance and organisations will be required to demonstrate they have been transparent with employees about what monitoring is taking place.
There will be circumstances in which organisations have legitimate commercial and/or legal reasons to undertake employee monitoring. However, understanding the parameters and constraints that must be adhered to for that monitoring to be lawful will be key to avoiding an unlawful invasion of the employee’s privacy and/or a breach of their data protection rights. Taking the time to get this right at the outset of any proposed monitoring will be time well spent, as the penalties for getting it wrong can be high.