The current climate means that we are seeing a significant increase in employee monitoring prompted by factors such as:
- Managing performance remotely.
- Covid-19 health concerns (such as health symptoms or overseas travel information).
- Increasing regulatory scrutiny and the #metoo campaign (for example, policies requiring declarations of relationships with colleagues, customers and suppliers intended to prevent and/or manage conflicts of interest and undue influence).
In our experience, the increase in employee monitoring is usually driven by good intentions rather than a desire by untrusting employers to spy on employees in order to catch them out. However, most forms of employee monitoring will involve processing of personal data. In practice, this means that in addition to considering the impact on employee relations of introducing such monitoring, employers must also consider their obligations under the General Data Protection Regulations 2016 (GDPR). Failure to comply with GDPR can result in action being taken by the Information Commissioner's Office (the UK data protection regulator), which heightens the risks of negative press coverage and a damaging impact on the employer's reputation.
So, in respect of any employee monitoring activities, employers should ask themselves the following 5 questions:
1. Is the processing necessary and limited?
This should be the first question to ask in relation to any processing of personal data, whether that processing is new or existing. What is the purpose behind the processing and can you use a less intrusive alternative means instead? Is the data being collected limited in respect of what is being collected and the period of time for which it is being retained?
The bottom line is that if the processing isn't necessary, it won't be lawful under GDPR.
2. Do you need to carry out a data protection impact assessment (DPIA)?
GDPR imposes a legal obligation to carry out a DPIA if the processing of personal data presents a high risk to the rights and freedoms of individuals. A DPIA provides a systematic approach to considering the what, where, why, how long, etc. of the proposed processing, along with consideration of any risks the processing may present and how these can be mitigated. Ideally, it should be undertaken at the initial 'ideas' stage so that any issues can be addressed in the design of the new policy, process or system.
Even if the legal obligation to carry out a DPIA is not triggered, a DPIA can still be a helpful mechanism by which to flush out and address the wider considerations, such as employee relations issues and employment law considerations, as well as data protection issues. We've seen a number of employment-related policies already in operation which would no doubt look very different, and better, had a DPIA been carried out before their implementation.
Where new ways or practices relating to employee monitoring are being introduced, a DPIA is almost always a 'must do'.
3. Have you audited existing employee monitoring practices?
Avoid falling into the trap of assuming that processing is necessary and lawful just because historically it's been done that way. Revisit existing practices – are they necessary? Consider whether it would be helpful or necessary to carry out a DPIA.
4. Are any amendments to the staff privacy notice required in relation to the monitoring activities?
Check the employee privacy notice to see if the monitoring is already covered. If not, it should be updated to reflect the new processing activities.
5. What will be the impact, if any, on employee relations?
Last but definitely not least, don't fall into the trap of ticking all the GDPR boxes but failing to consider the impact of monitoring activities on employee relations – these should be considered 'hand in hand' with the data protection considerations. You might have a monitoring proposal that satisfies GDPR requirements, but if it causes a staff rebellion and a feeling of mistrust, the monitoring activities could do more harm than good. So, how do you get employees 'on board' with the proposed monitoring? Ideas could include: have a working group to feed into the design of the proposed monitoring; listen to feedback and factor this into the proposal; think about how you'll introduce the monitoring and whether it would be helpful to introduce it on a small-scale pilot basis first.
The golden rule is 'no surprises'. Employees must be given, in advance, a heads up in respect of monitoring processes and practices. Otherwise, employers may well face challenges down the line from a data protection and/or employee relations perspective.