Your privacy is important to us.
Monitoring employees is standard practice in many workplaces although the reasons for monitoring can vary greatly. Some companies may be under legal or regulatory obligations to monitor such as those in the financial services sector. Many companies primarily monitor to check their employees’ performance. Although the advantages of monitoring may be obvious, the adverse impact of doing so is perhaps less apparent. A company may view employee monitoring as essential to the effective and efficient running of its business. However, if employees are permitted to use telephones, e-mail and the internet for personal use, it may be difficult for the company to draw a distinction between work and private information and activity, and limit monitoring to the former. Legal obligations on employers engaged in monitoring arise from a range of different enactments. Although employees may be aware and accept the monitoring of their work, the monitoring of their private information and activity is likely to be much less welcome. A company’s failure to consider the adverse impact of monitoring on employees can interfere with, or ultimately destroy, working relationships.
One of the most regular mistakes made by employers when monitoring employees is the failure to recognise that the monitoring involves processing of personal data. For example, when employees’ images are captured on a workplace CCTV system this means their personal data is being obtained along with other information about them, such as what they are doing and their location. Capturing and retaining this information means that the employer is processing personal data and these monitoring activities are within scope of the General Data Protection Regulation. A key principle of the GDPR is transparency and employers must inform staff when it is processing their data, what type of data is being collected and for what purposes, who its being collected for and disclosed to and, finally, how long it will be kept. All of this information and also the statutory rights employees have over the data, including the right to access it, correct it and erase it must be clearly communicated to staff. Many organisations fail to appreciate their legal obligations under GDPR when monitoring and processing employees’ personal data particularly the requirement to give employees all of this information about the monitoring activities. The same data protection principles apply to geo-tagging or geo-mapping and other person or vehicle location tracking devices such as fingerprint recording systems used for building access and security purposes.
While the reasons for monitoring workers’ activities are generally obvious, such as recording client calls for quality control purposes, staff still need to be clearly informed that you are clearly monitoring employees’ performance when they are on customer calls. Even when an employer checks employees’ emails when they are off sick or on holiday, this also amounts to monitoring staff and it is very common for employers to fail to properly or fully inform staff about these types of monitoring activities which amounts to a breach of its GDPR obligations.
Employers can monitor employees covertly without complying with the principle of transparency but only in exceptional circumstances. For instance, it is feasible to carry out covert monitoring where there are reasonable grounds for suspecting criminal activity or similar serious activity, when any notification would prejudice the prevention or detection of that wrongdoing. In these circumstances, covert monitoring is allowed but it should be limited to the investigation of the wrongdoing and it should cease immediately when the investigation has finished.
Even when employers notify staff about monitoring, another common pitfall is to then use the information obtained through the monitoring for purposes other than the originally basis of the monitoring. An employer that decides to install CCTV cameras following a workplace theft cannot use the footage in a disciplinary process for an unrelated and less serious offence that may be captured by the footage.
As well as informing employees about the monitoring, employers also need to undertake a Privacy Impact Assessment particularly where they are monitoring publicly accessible areas as required under Article 35 of GDPR. An impact assessment involves identifying the purposes of the monitoring and the benefits it’s likely to achieve. It also involves considering the likely adverse impact on employees and members of the public, where appropriate, from the monitoring. An employer must consider using alternative methods to the monitoring or ways in which the monitoring can be done differently to reduce any adverse impact as well as considering how to keep the data secure and how long it should be retained. The employer must then decide, when assessing all of the relevant factors, whether the monitoring is justifiable. The ramifications for an employer breaching GDPR are potentially significant in terms of the powers available to the ICO. Employees may also have recourse to civil remedies for breach of privacy under common law and article 8 of the European Convention on Human Rights.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Employment Team at Cleaver Fulton Rankin for further advice or information.