Workplace Monitoring and Data Protection
Workplace Monitoring
Employers do have the right to know of their employees’ activities. Under this right, employers can monitor performance, which aids productivity and also helps them to make reasonable adjustments in turn. This means employees can carry out their job to a higher standard.
The Benefits of Performance Monitoring include:
· Makes it clear to an employer which employees require additional training.
· Acts as a means of crime prevention.
· Increases employees’ performance.
Although employers have this right to performance monitoring, Article 8 of the European Convention on Human Rights states that employees have a reasonable right to privacy, family life and correspondence. Therefore, laws and guidelines around monitoring and data protection must seek to balance the advantages monitoring offers employers with potential harm incurred by employees.
It is legal for an employer to monitor their employees in a variety of ways:
· CCTV to watch and listen to employees.
· Keep records of their phone calls and listen to employees’ voicemails to ensure company resources are not being abused.
· Check their bags and personal belongings to ensure they have not removed company property or brought illicit items into the workplace.
· Ask employees to take part in drug testing.
· Search staff areas.
· Check an employee’s internet history; this includes the websites that they have used whilst at work and the content of any emails they have sent.
Contracts and staff handbooks should set out in clear terms how employees will be monitored.
The Importance of Impact Assessments
The Information Commissioner’s Office (ICO) recommends that, when deciding whether and how to monitor employees, an employer engages in an Impact Assessment. The key aim is to ascertain whether monitoring is a reasonable option.
The initial step is to clarify the purpose of the monitoring and set out how it will be of benefit. Next, an employer should determine to what extent any proposed monitoring will have an adverse impact on employees, the business or both. They should then devise a list of possible alternatives or think of a means of monitoring staff that may be less intrusive or harmful. Overall, the employer must consider whether their proposed plan of action is justified.
An employer cannot legally monitor staff without informing them in advance. This should be in writing, as a printed document or in the form of an email. However, there is one exception to this rule: if an employer sincerely believes that a member of staff is breaking the law and that letting them know that they are being monitored would jeopardise the outcome of the investigation. It is rarely acceptable to monitor areas in which employees would expect a high level of privacy, such as individual offices or staff toilets.
Electronic Monitoring:
It is widely agreed that it is reasonable to keep records of all communications sent and accessed by employees who routinely access highly confidential and sensitive information, such as government employees with security clearance. Even in these instances, an employer still has a legal obligation to let their employees know that they are being watched.
Should a business wish to monitor its employees via the use of CCTV, clear and visible signs must be placed around the premises. There should also be strict protocols regarding who is allowed to process and view the footage. The system must only be used for its original purpose.
Searching an Employee:
If an employee is to be searched, it must be carried out in accordance with the company’s written policy. Searches should be carried out in a private location, and not in front of other colleagues. They should be undertaken by a person of the same sex, carried out in a respectful manner and only be conducted with a suitable witness present. Otherwise, an employee may have grounds for a claim of assault, discrimination or even false imprisonment, if they felt as though they could not reasonably escape.
Drug Testing:
Should an employer wish to test their employees for signs of drug use, they must first secure the consent of the employee(s) in question. The employer’s policy on drug testing must be outlined in staff contracts or the staff handbook.
Drug testing should not be implemented without warning. Only employees that need to be tested should be included in a drug testing programme, and the tests should be carried out at random.
Data Protection Regulations
Data protection regulation covers any kind of monitoring activities that examine or collect information relating to images, drug tests or data.
Employers hold personal information on members of staff, customers and account holders. These records include names, addresses, age, gender, salary, job responsibilities, tax information, disciplinary records and more. Some of this information may be of a highly sensitive nature. Whenever a business uses CCTV, collects information for an employment-related process, such as recruitment, or does business with clients, they are gathering personal data.
Under the Data Protection Act 2018 and the GDPR, it is an employer’s responsibility to ensure that all information is kept up to date, secure and accurate.
When collecting personal information, it is important to let the individual know exactly how their data will be kept, processed and shared with other agencies, where applicable.
The Role of the Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is an independent body that serves to clarify and promote information rights that serve the public’s interest.
It seeks to maintain high levels of data security and privacy for individuals and acts to encourage public bodies to be open about the information they collect and how they use it.
The ICO website contains guidance as to how personal data must be processed, according to the Data Protection Regulations. According to the ICO, the ‘data protection principles’ are as follows:
· Lawfulness, Fairness and Transparency: Personal data shall be processed fairly and lawfully and in a transparent manner in relation to individuals.
· Purpose Limitation: Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
· Data Minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
· Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
· Storage Limitation: Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.
· Integrity and Confidentiality: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
· Accountability: Article 5(2) adds that: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.
What do these Laws Mean for Employers in Practice?
The ICO published a guide for employers, based on the legislation above. It ensures that employees’ rights to privacy and security are upheld in the workplace at all times, accounting for all stages in an employee’s journey with the company.
At the recruitment stage, an employer will typically collect personally identifying information, such as that contained in CVs and application forms. At this stage, it is important that applicants understand the kind of data collected by their prospective employer, and why it is collected. It should be made clear to an applicant who will be handling this data.
Considerations to Bear in Mind when Outsourcing Data Processing
Medium and large businesses may not store and process data ‘in house’, but engage the services of other companies to undertake these tasks. Such companies are known as “data processors”.
Employers should take every reasonable measure to ensure that their data processor of choice takes their responsibilities seriously. In particular, a data processor should be able to prove that their operation is sufficiently secure, by having been awarded the “BS 7799” certification. An employer should research the data processor’s reputation within the industry and, if possible, ask to speak with satisfied customers.
An employer should draw up a legally binding, written contract with their chosen data processor. The contract should specify that data is to be processed in accordance with the employer’s instructions, and that the highest possible standards of security will always be upheld.
Sometimes, a data processor may want or need to transfer data outside the European Economic Area (EEA). If such a transfer is to take place, the data processor must be able to provide a good reason for the transfer and, if required, be able to prove that the data will be processed to at least the minimum standard expected in the EEA.
What Situations are Exempt from the Data Protection Act?
The above legislation and guidelines are guiding principles that will cover most situations; however, there are a few exemptions.
One such exemption concerns disclosure that is mandated by law, such as the sending of tax-related information to HMRC, if disclosure is necessary in order to facilitate a criminal investigation or prevent harm to individuals or the public at large.
The laws around exemptions are complex and may vary on a case-by-case basis. An employer facing a situation not covered by the above codes should contact a solicitor for tailored advice.