Remote work and the risks of employee surveillance

There has been a gradual shift towards increased flexible and remote work patterns in the last few years. The COVID-19 pandemic has created the perfect storm to force organisations to further consider their working practices, with all but essential physical roles usually involving an element of homeworking – nearly half of people in employment in the UK did some work at home in April 2020, according to the ONS. Many businesses are expecting to operate a largely remote workforce for the foreseeable future. The fear of declining productivity and concerns for people wellbeing has encouraged many employers to increase their employee monitoring arrangements.

Employers have been checking the activity of their employees for years. New technologies for ‘Big Brother’ style digital surveillance have emerged, allowing employers to access live webcam feeds, mouse and keyboard tracking, face tracking, and even emotion recognition. US-based software provider, Hubstaff, for instance, takes screenshots up to three times every ten-minute interval to build an effective picture of employee productivity for managers. They have reportedly quadrupled their UK customer base since February.

Employers must consider employee relations and the legal ramifications of implementing such intrusive programs. To continue to attract and retain talent, and enhance productivity, many employers are conscious of a need to prioritise delivering a compelling employee experience. Surveillance threatens the trust between employers and employees. Technology which helps to monitor and enhance workers’ efficiency and wellbeing may play an important role in improving employee satisfaction. This expanded use of technology, and the shift in the rationale behind it, has led to an increase in the personal data collected and processed by employers. Ensuring correct processes and policies are in place to safeguard employees and the employer is vital.


Where are we legally?

A number of domestic and European laws impact on the use and safe practice of surveillance technologies. Article 8 of the European Convention on Human Rights requires states to provide individuals with the right to a private life. There are significant data protection compliance risks to employers if surveillance policies are implemented without following the correct procedures in place to deliver this.

[perfectpullquote align=”right” bordertop=”false” cite=”” link=”” color=”” class=”” size=””]Organisations risk breaching their employees’ rights to privacy and may open themselves to potential enforcement[/perfectpullquote]

Organisations risk breaching their employees’ rights to privacy and may open themselves to potential enforcement actions by the Information Commissioner’s Office (ICO). Recently, the clothing chain H&M in Germany were fined over £32 million by their data regulator for breaches of European data protection law and keeping excessive records on their employees.

Under relevant data legislation, personal data gathered through employee surveillance must be processed lawfully, fairly and transparently, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

The data must also be adequate, relevant and limited to what is necessary for those purposes.

In the UK, the ICO and the Article 29 Working Party (WP29) provide key principles to consider regarding employee monitoring, including in a homeworking scenario. These include a base expectation of privacy in the workplace, ensuring a data protection assessment is conducted when implementing employee monitoring, ensuring there is a legal and proportional basis for collecting data via employee monitoring.

There must also be the provision of fair and detailed information regarding intended future monitoring and the implementation of safeguards to ensure that the data obtained through monitoring is only used in the way it has been explained to employees. In essence, this means that employee monitoring is subject to strict controls.

Non-compliance with its recommendations is something the ICO takes seriously, especially when determining the extent of any enforcement.


Striking a balance

Implementing employee surveillance tools should be undertaken with caution. An employer’s legitimate interests can be a legal basis for processing employee data through enhanced surveillance. This will only be permissible if the processing is necessary and serves a legitimate purpose that can be shown to bring tangible and justifiable benefits. Particularly intrusive forms of monitoring, such as live webcam feeds and keystroke recording, should in most cases be avoided entirely.

[perfectpullquote align=”right” bordertop=”false” cite=”” link=”” color=”” class=”” size=””]Employers should be aware that relying on an employee’s consent to the processing of personal data is no longer sufficient[/perfectpullquote]

Employers should be aware that simply relying on an employee’s consent to the processing of their personal data is, in most cases, no longer sufficient. As a matter of good practice, businesses should implement relevant guidance and continue to monitor new developments.

Employee monitoring and collection of personal data has the potential to affect employee satisfaction and trust in their employer and impacts employee attrition and talent attraction. Many businesses in the UK have committed significant investment in employee engagement with a focus on diversity, inclusion and mental wellbeing. There are strong ethical reasons for this. But with an increasingly ideological generation of workers entering the workforce, and the costs associated with hiring and training employees, businesses should remain attractive and supportive places to work.

Individuals may also seek to rely on inappropriate surveillance as being in breach of their contractual rights, including the mutual duty of trust and confidence between employer and employee. They could pursue a claim for constructive dismissal if they choose to resign in response to such alleged breach.

Germany and Spain are already looking to implement restrictions on surveillance measures in the context of remote working. As the issue becomes ever more prevalent with no likely return to mass office working any time soon, other jurisdictions will surely follow suit.

Main image: Inside the panopticon at Presidio Modelo, Isla de la Juventud, Cuba.  By I, Friman, published under a creative commons licence