An independent European advisory body has published some useful guidance on the fundamental data protection principles which employers should take into account when putting in place systems for monitoring their employees.
This is, in particular, in light of recent technological developments. The Article 29 Working Party (WP29) looks at data protection and privacy issues and provides expert advice regarding data protection.
3 Main Principles Employers Should Consider
The advancement of technology and working practices, including homeworking and remote working, has created more intrusive and pervasive ways for employers to monitor their employees. Employers should be careful to ensure that, when putting in place workplace monitoring systems, a balance is struck between safeguarding their legitimate business interests and respecting and upholding their staff's reasonable expectation of privacy.
The guidance contains three main principles for employers to consider:
- Legal Grounds (Consent/Legitimate Interests)
Staff consent is unlikely to be a justifiable reason for workplace monitoring, unless staff can refuse their consent without fear of adverse consequences. There must also be a legitimate reason for processing data and the chosen method must be necessary, proportionate and implemented by using the least intrusive means.
- Automated Decisions
Employers should not make a decision about a member of staff based solely on the automated processing of data intended to evaluate certain personal matters, for example performance at work, unless this is necessary to enter into or perform a contract, or the member of staff has given their express consent to such a decision being made.
How to Handle Data Processing
The guidance also contains some helpful suggestions on how an employer should handle its data processing in different scenarios, including:
- Social Media Profiles
In general, employers must have a legal basis, such as a legitimate business interest, to monitor employees' (or prospective employees') social media profiles. For instance, employers should not simply assume that they are permitted to inspect a candidate's social media profile during the recruitment process, even if the profile is publicly available. Employers should only process data that is necessary and relevant to the job, and this data should be deleted as soon as it becomes clear that an offer of employment will not be made to, or accepted by, that particular candidate.
- ICT Usage
An employer's decision to monitor all online activity is likely to be disproportionate, even where there are legitimate interests for doing so. Employees must be notified of the type of monitoring which their employer is carrying out and the methods used should cause as little invasion of privacy as possible.
- Remote Devices
Employers are encouraged to carry out a data protection impact assessment (DPIA) before use of such technology and employees must be fully informed of any monitoring that is taking place.
In light of this latest guidance, employers are advised to create policies that comply with their data protection obligations and to ensure that their systems are transparent and fair. This becomes of increasing importance with the new General Data Protection Regulation fast approaching. We have a team of expert Data Protection lawyers who can assist you with navigating this complex area of law.