As much as many of us may not relish the idea, we are living and working in a time when it is sometimes necessary to monitor the activities of our Employees.
Several years ago, monitoring only extended as far as to keeping track of stock levels, stationery supplies in the office, and analysing the ‘accuracy’ of timesheets and expense claim forms. Today, we have technology so sophisticated that it is easier than ever to monitor Employees, even from afar – which may be tempting if your employees work remotely. While these advances have made it possible to save money and even save lives, we’re also confronted with questions of data protection (i.e.: how much we have a legal right to know what they are doing), and ethics (i.e.: how much we have a moral right to know what they are doing).
Where is an Employer to start?
The Information Commissioner’s Office (ICO) recently published draft guidance on the matter of monitoring at work (open for consultation until 11 January 2023), and we are often asked questions by clients on these very topics, so this month’s blog will be a Q&A, on the initial basics of keeping an eye on what’s going on in our workplaces.
First, what is Monitoring at Work?
Employers usually monitor Employees for work quality, productivity levels, to ensure they are operating within Health and Safety guidelines, and to meet specific Regulations. In some organisations, monitoring may be required to protect personal information (i.e.: bank cashiers handling customer transactions in branch). In more recent years, monitoring has become a tool for predicting and tracking Employee performance and keeping an eye on their wellbeing.
Monitoring can be carried out by cameras, webcams, hidden audio recording devices, wearable and vehicle tracking devices, Internet activity tracking tools, and productivity tools that measure how Employees are spending their time. There are even keystroke tracking tools that log keyboard activity.
To keep in line with Data Protection law, any monitoring must be lawful and fair to Employees, and secure in its nature.
Q: I want to start monitoring my Employees. How soon can I start?
A: Before you start monitoring Employees, you need to be able to identify a lawful basis for doing so. There are 6 lawful bases:
- Consent: The Employee has given consent to process their personal data for a set purpose;
- Contract – Monitoring is part of the pre-agreed Employment Contract;
- Legal Obligation – Monitoring is necessary to comply with the law (i.e.: monitoring drivers’ speeds);
- Vital Interests – It is necessary for protecting someone’s life;
- Public Task: It is necessary for performing tasks in the interest of the public; and
- Legitimate Interests – It is necessary for the legitimate interests of the Employer or a third party, unless risks to an Employee’s rights override them.
Q: Are there any limits to how far I can monitor my Employees’ activities?
A: Yes. If you are monitoring simple business transactions, this will be fairly straightforward, provided you have an appropriate lawful basis for doing so. However, if you wish to monitor aspects beyond this, such as Employees’ activities, behaviours or communications, you will likely find that you also need a special category condition before you can start monitoring. Special category data, in accordance with the Data Protection Act 2018 (which incorporated the UK GDPR), is personal data that reveals or relates to:
- Race or ethnicity;
- Religious or philosophical beliefs;
- Political opinions;
- Trade Union Memberships;
- Genetic Data;
- Biometric Data;
- Health or Disability;
- Sex Life; and
- Sexual Orientation.
For example, if you run a financial operation, monitoring transactions carried out by your cashiers would constitute a fair lawful basis, as doing so can identify and prevent fraud. But if you wish to monitor their movements and conversations too, you may be crossing into the realms of accessing sensitive data (elements that fall into the above special categories).
Working with sensitive data dictates that a Data Protection Impact Assessment (DPIA) needs to be carried out before any monitoring can commence.
Q: What is a DPIA?
A: A Data Protection Impact Assessment (DPIA) is a process for identifying risks associated with processing personal data, and how to minimise them. It is a mandatory requirement under the Act if your activity (in this case, monitoring) risks potentially impacting the rights and freedoms of your Employees.
Q: Can I monitor Employees’ phone calls?
A: You may monitor business calls if the content serves as evidence of business transactions, or for training and quality control purposes. A DPIA should be conducted prior to monitoring. Details of your intended monitoring, including the purposes and extent, must appear in your Privacy Statement, and your Employees should be informed via their Employment Contracts and Handbooks (where they exist) and/or relevant Policies. Callers into your organisation should also be informed of your monitoring activities, and directed to your Privacy Statement for more information, alongside the option to speak with their call handler.
Q: I actually want to monitor the content of the phone calls, for business reasons. Can I do this?
A: Consider using itemised call records rather than monitoring call content. Please remember that in monitoring content, you will likely gain access to sensitive information about your Employees, as well as the outside parties who are on the calls with them.
Q: What about Employees’ personal phone calls? Can I monitor those?
A: Information from personal calls should not be used for monitoring. You should already have a Policy in place for personal calls and your company’s expectation when it comes to them, and all Employees should be made aware of it. A good Policy will hopefully negate any need for monitoring that side of things or provide suitable recourse if the Employee does not meet the stipulated expectations.
Q: Can I monitor Employees’ emails?
A: In exceptional circumstances, yes, but, it’s time for the DPIA again! Whether intentionally, or as a by-product of simple conversation, emails invariably reveal personal information about the sender and the receiver, and as such, monitoring email content poses a high risk to data protection rights and freedoms, falling under the umbrella of the Act’s special category data.
Additionally, a formal Policy and accompanying documents would need to be in place, advising Employees of your intentions to monitor their emails, your reasons for monitoring, and the various circumstances under which monitoring could and would take place.
A simpler and more justifiable approach may be to monitor the network data – this reveals where emails are going, where they are coming from, and the times they take place. This data may be sufficient for keeping track of Employees’ email activities.
Q: Can I monitor Employees without their knowledge?
A: There are not many normal circumstances under which this would be required or appropriate. However, there are occasionally exceptional circumstances where you may be justified in doing this, such as in the detection of suspected gross misconduct, negligence or criminal activity.
You should have Policies in place that advise Employees that they may be subject to covert monitoring if they are suspected of engaging in prohibited activities or behaviours at work. To proceed, again, a DPIA is required, and covert monitoring must be strictly targeted at obtaining evidence within the shortest time frame possible, ceasing once the investigation is complete.
Covert monitoring should not take place in areas where Employees would expect privacy, such as toilets or changing rooms, or within communications, such as personal emails.
Q: I have a client who has insisted I monitor my Employees. Do I have to?
A: It is understandable that you may have customers, clients or suppliers who wish to know your Employees’ activities, or are keen on running security checks. However, even if they present this as a condition of business, it is very unlikely to be a justifiable reason for monitoring your Employees (it does not fall under any of the six lawful bases).
Conclusion
While this Q&A reflects the typical aspects of monitoring that Employers first think about engaging in, it is far from an exhaustive list of the considerations that need to be made before proceeding with any form of workplace monitoring activity. If you would like support in navigating this very complex and tricky area of Employment Law, please do not hesitate to contact us.