December 11, 2020
Employee monitoring is an emotive topic. Businesses may wish to monitor their staff for a variety of reasons. For instance, they may wish to prevent the unauthorised disclosure of confidential or sensitive information, or detect attempts to steal valuable intellectual property. In the current conditions, dominated by the coronavirus pandemic, many businesses have opted to use automated means to monitor staff productivity. However, from an employee’s perspective, the use of monitoring software may be intrusive if not distressing. Further, if it has been implemented without regard to data protection law, it is potentially illegal.
Widespread homeworking has resulted in staff and managers working from separate physical locations, making traditional supervision a challenge, if not impossible. A recent report found that 16 percent of large corporations, and 12 percent of companies overall, already have employee monitoring software in place. A further 14 percent could soon be added to this total, as they are currently considering, or in the process of implementing, monitoring technology. Monitoring software provides a potential solution to an immediate problem. Nonetheless, employers considering deploying this type of technology must weigh the risks before they do so.
Businesses must ensure that if they do deploy employee monitoring software, it is used in accordance with applicable data protection law. Organisations in Europe are subject to the General Data Protection Regulation (GDPR), which requires that they process information about individuals, including their employees, in accordance with a number of principles, including that processing must be fair, lawful and transparent. If an employer uses monitoring software to collect personal data about its staff, for instance how long they have sat in front of their screen or spent on the internet, it must comply with the GDPR. This protection extends to employees, who have a right to privacy in the workplace. Fashion retailer H&M learned this the hard way earlier in the year, when it was fined €35 million by the German data protection authority for breaches of the GDPR in relation to its employees’ personal data.
A business that intends to carry out automated employee monitoring must establish a lawful basis for doing so. Relying on employees’ consent is problematic, given the imbalance of power between employer and employee, so employers should find an alternative basis, which may require balancing the requirements of the business against the rights of the worker. Employers must also ensure that employees have been provided with appropriate transparency information, which explains why monitoring is taking place and how any information collected will be used. The GDPR also requires that where high-risk processing activities are carried out, organisations must carry out a data protection impact assessment, or DPIA. The purpose of the DPIA is to ensure that the principles of data protection by design and by default are incorporated into any new initiative.
Where employers rely on third-party vendors to provide monitoring software, the GDPR imposes stringent rules. Organisations may only engage vendors that provide sufficient guarantees around data protection, and those vendors must be bound by a contract that includes a number of prescribed provisions. Nonetheless, employers may still find themselves liable for breaches involving third-party vendors. The largest fines to date issued by the Information Commissioner’s Office (ICO) were to British Airways (£20 million), Marriott Hotel Group (£18.4 million) and Ticketmaster (£1.25 million). In each case, the breach involved a third-party system. Larger organisations with stringent technical and organisational security measures should be mindful of the increase in ‘supply chain attacks’, in which cyber criminals target suppliers whose defences may be less robust than those of the large clients they serve.
The risk of a cyber-attack adds a further layer of risk for companies to consider. If a monitoring system were to be hacked, revealing employees’ personal data, this could constitute a personal data breach. If the data protection authority were to investigate and find that the company had failed to implement appropriate security measures, this could result in enforcement action. The pandemic has made remote working more commonplace; however, security vulnerabilities arising from homeworking provide a wealth of opportunities for cybercriminals. Businesses should therefore be mindful of the increased likelihood of a cyberattack in the current conditions.
Businesses that fail to protect their employees’ personal data should be aware that enforcement action by the ICO is not the only legal risk they face. Under the common law, employees may claim compensation for financial damage and/or pure distress where their personal data has been misused. A business that deploys non-compliant monitoring software, or fails to implement appropriate security measures to protect data, potentially risks facing group litigation (or ‘class action’) claims from affected employees. This is more than a theoretical risk: supermarket chain Morrisons faced a group litigation claim, brought by approximately 9,000 affected employees, following a data breach.
What, then, should companies do to ensure their deployment of employee monitoring software does not lead to enforcement action and group litigation claims? In simple terms, data protection should be a key consideration from the outset. Monitoring software must be thoroughly assessed from both a privacy and a security perspective. It should only be deployed if it incorporates the principles of privacy by design and privacy by default, and it should be reviewed on an ongoing basis to ensure its continued compliance. Employees have a right to privacy in the workplace, which their employers must recognise and balance against their own interests.