By Jon Dunkley, Partner, data protection and employment specialist with Wollens Solicitors.
The ‘Big Brother’ surveillance scenario envisaged by George Orwell has long since become reality. The ability to watch citizens outlined in the futuristic novel Nineteen Eighty-Four, published in 1949, is now firmly fact not fiction.
Rolling back to 2013, the British Security Industry Association estimated that there were some 4 to 6 million CCTV surveillance cameras in the UK, and recent estimates put London among the top three cities worldwide for the number of cameras by population. This race towards technological surveillance and monitoring saw a further boost during the summer lockdown when employees were forced to work from home, creating a perfect storm to inspire uptake of activity tracking software.
Products described as ‘workplace analytics’ or ‘time tracking’ may sound harmless enough, and appear an easy solution to manage productivity, or to protect against data breaches that could jeopardise a company’s intellectual property or their customer base. However, many of these software solutions will log every action by individual keystroke, and often go far beyond what is really necessary to manage a workforce, whether working remotely or not.
This level of information has the potential to step into dangerous territory when it comes to staying within the law, particularly when you add in the chance of recording private passwords and credentials, or even personal medical information.
And while some may argue that such software is good for maintaining productivity, the Chartered Institute of Personnel and Development (CIPD) has published research which suggests that surveillance in the workplace can undermine trust and adversely affect employer/employee relationships.
As monitoring will include processing of personal data, you will need to comply with data protection law, as set out in the Data Protection Act 2018 and the European General Data Protection Regulation (EU) 2016/679 (“GDPR”). Failure to comply with data protection laws can have a serious impact for companies, both financially and reputationally, when it comes to monitoring and data collection. The fashion retailer H&M was fined €35 million recently for “flagrant disregard for data protection” when managers recorded anecdotal information about employees’ private lives, sharing this to make decisions around employee performance and ongoing employment at their customer service centre.
In weighing up the merits of monitoring, the interests of the employee must be balanced against the interests of the employer. No business case, such as keeping track of productivity to protect the business, can override the employer’s obligations to comply with the Data Protection Act. Importantly, any proposed monitoring will first require a detailed assessment of the impact on the privacy of the employee.
Under Article 8 of the European Convention on Human Rights, which was incorporated into UK law by the Human Rights Act 1998, organisations must guarantee workers some degree of privacy in the workplace. The general principle is that it will usually be intrusive to monitor your workers, who are entitled to keep their personal lives private, and are also entitled to a degree of privacy in the work environment.
Beyond this, there is the legal consideration of the mutual duty of trust and confidence implied into the employment contract between employer and employee. If an employer were to breach this duty through monitoring practices which could be interpreted as destroying trust and confidence, it could open the door to claims such as constructive dismissal.
Another vital stage in the assessment process is to undertake due diligence with any proposed software provider, as you will be trusting them with the data that is collected from individual workers and processed. It is likely you will need to carry out a data protection impact assessment (DPIA), which is required under GDPR where the processing of personal data presents a high risk to the rights and freedoms of individuals. Undertaking a DPIA involves a systematic approach to considering all aspects of how the processing will take place, identifying the risks and working out how they may be mitigated. It is a useful tool to make sure you have covered all bases, and the ICO has a template for organisations to follow.
If monitoring has been fully assessed and shown to be both justified and lawful, the next step will be to make sure everyone knows exactly how it will work in practice. Privacy notices and policies will need to be updated, but most important will be ensuring the whole issue is approached in an open and transparent way. That relates both to the logistics of how the monitoring itself will be conducted and to how any resulting data might be used.
If you run a business and are concerned about the data protection impact that your monitoring activities have on your employees’ rights, then contact Jon Dunkley.