Article

Employee monitoring - what are the data privacy rules?

Iain Bourne Iain Bourne

With more people working from home than ever before, many financial institutions are using employee monitoring software to observe remote working practices. Iain Bourne discusses the data privacy implications.

Recording client phone conversations is a regulatory requirement for many firms in the financial sector, supporting fair treatment of customers and good conduct. This can also provide a good evidence trail for audit or dispute resolution.

Under lockdown, however, many firms have rolled out these tools more broadly, using employee monitoring software to track productivity and improve oversight. Some of these tools take regular screenshots of what their people are working on or what they're browsing online. Many also use webcams to take frequent photos of their employees. Bad press around some of these programs even accuses them of monitoring toilet breaks.

With stories circulating of things accidentally seen over video conferencing, such as a politician who took a shower during a Zoom call, there is a very real danger that monitoring software is capturing things it wasn't intended to.

While these programs are not illegal, per se, and in some cases, are necessary for regulatory purposes, firms should consider how to manage their usage effectively and in compliance with the relevant laws. The focus of this article is data protection law, but other laws could also be relevant, for example, interception of communications rules.

Data privacy and employee monitoring

When an employer collects personal information about an employee, for example by making a voice recording or video, or using software to monitor the employee’s keystrokes, the employer will be collecting the employee’s personal information and data protection rules will apply.

Firstly, this means that the default position is that there must be transparency around the employee monitoring. All employees subject to monitoring must be made aware of:

  • the fact that they are being monitored
  • the purpose of the monitoring
  • what the relevant legal basis for the activity is
  • retention periods for the information being collected
  • what rights the employee has in respect of the information
  • their right to complain (in the UK) to the Information Commissioner’s Office, if they have a concern about the monitoring

Usually, the information above will be provided in an employee-facing privacy notice. But this isn't always the case and, from a regulatory standpoint, sometimes there isn't full transparency around employee monitoring.

Awareness of employee monitoring is key

There is often a disconnect between the team managing the employee PC monitoring software - generally the IT or InfoSec function - and the data privacy team.

Given the sensitivities around employee monitoring, some firms are issuing standalone documents and awareness materials to open the discussion. This is certainly good practice.

Remember that the usual transparency rules are suspended if there is a suspicion of criminality or other serious wrong-doing. Specifically, if telling a particular employee about a monitoring operation would prejudice the prevention or detection of crime, by constituting a tip-off.

That said, explaining how employee monitoring takes place in the broad terms required under the law, should not normally prejudice law enforcement, fraud prevention or national security.

Is employee monitoring data relevant?

The information collected through employee monitoring software must also be relevant, necessary, not excessive, and otherwise compliant with the requirements of the data protection principles. This is where compliance becomes a very grey area.

Newspaper reports have detailed some potentially intrusive techniques, such as using facial recognition technology to monitor via webcams. Developments such as empathic computing make it easier to assess employees’ attitudes, motivation levels, and moods remotely. Note that data protection law’s ‘automated processing’ rules may also apply here. For example, if an employee is being sanctioned because a purely automated assessment system – counting keystrokes for example – then additional protections will apply. The employee would have the right to have the decision re-assessed with an element of human intervention. More generally, employers using automated decision-making techniques must be transparent about this, including providing ‘meaningful information about the logic involved’ to the employees being monitored. (Again, this should be provided through the relevant privacy notice or other awareness material.)

There is a strong argument that intrusive monitoring techniques breach data protection laws' basic principles, and it may sit uneasily with human rights laws. But, so far, there has been little activity by regulators in this field and perhaps they are unwilling to 'grasp the nettle' in terms of intervening in the sensitive realm of the employer-employee relationship.

I worked on the last significant piece of Information Commissioner's Office (ICO) guidance on this, back in 2005, and producing the Employment Practices Code was certainly a politically charged and difficult mission. I wouldn't be surprised if the ICO and other data protection agencies revisit this subject soon, in response to complaints from employees, possible case-law and the use of more advanced tools to monitor employee computer activity.

Need to know

The whole issue of employee monitoring has come to the fore because of the rise of home working due to the COVID-19 lockdown. Many people may expect to be monitored if working in highly regulated or other high-risk industries. But in the home environment, there may be higher expectations of privacy than when working from an office. This means monitoring can become much more of an issue, and I believe, this would more likely to result in complaints to regulators with a potential impact on the privacy aspects of the employee-employer relationship. That is why monitoring must be as transparent and carefully targeted as possible. The adage that this is about ‘need to know’ not ‘nice to have’ is more relevant than ever.

This means monitoring can become much more of an issue, and I believe, this will result in complaints to regulators with a potential impact on the employee-employer relationship. That is why monitoring should be as transparent and carefully targeted as possible.

To discuss employee monitoring further, contact Iain Bourne.

Article
Data protection – tips for working from home Find out more