• Leigh Payne

Monitoring Employees Working From Home - What You Can and Can't Do

As COVID-19 restrictions are lifted and life begins to return to normal – or, at the very least, the new normal – employers may be considering how to manage the return to the workplace.

For many employees, remote working will continue to play a part in their day-to-day lives. Whilst the majority have worked, and will continue to work, from home without giving their employers cause for concern, there may still be some who take advantage of the situation due to the lack of in-person supervision. This ‘advantage’ can often manifest as lower productivity and/or a failure to communicate.

Naturally, it follows that employers may wish to turn to more rigorous monitoring to either catch or deter those employees who demonstrate unwanted conduct whilst remote working.

However, will data protection law allow employers to monitor employees? There is no one-size-fits-all answer to this; appropriate consideration must be given to different factors before implementing any monitoring plan, otherwise the employer will be exposing itself to the risk of regulatory action and civil claims. Even if the processing itself is subsequently deemed lawful on assessment, the employer is still at risk if due diligence was not carried out before the processing began.

Firstly, it is important to remember that under the General Data Protection Regulation (GDPR), all data processing needs to have a lawful basis. For monitoring employees, unless there is a specific monitoring clause contained in the employment contract between the employer and employee, the most appropriate basis is likely to be legitimate interests under Article 6(1)(f). To determine whether ‘legitimate interests’ can be relied upon as the lawful basis, a Legitimate Interests Assessment will have to be carried out and the results recorded.

It is important to remember that the legitimate interest of the employer may not always be sufficient to justify planned monitoring; the justification the employer must demonstrate increases as the intrusiveness of the monitoring increases.

If an employer needs to carry out processing that is likely to result in a high risk to individual rights and freedoms (including the potential for putting an individual at any significant social or economic disadvantage), then it is required to carry out a Data Protection Impact Assessment (DPIA). DPIAs are designed to put the spotlight on the risks involved with certain types of processing, and are required in a variety of processing situations including (but not limited to) those processing activities which involve new technology. A DPIA will also identify what safeguards should be put in place to mitigate the risks associated with the proposed processing. It is worth mentioning that even if a DPIA is not strictly required, it is good practice to carry one out as it will assist in identifying any risks that might be present and establishing means of reducing or avoiding them entirely.

The Principles

As set out above, there must always be a lawful basis for processing personal data. Once that lawful basis has been established, processing must take place in accordance with the Principles set out in Article 5 of the GDPR. When carrying out new processing activities, the Principles must be kept central at all times. They are:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

It is Article 5(1)(a) of the GDPR which requires processing to be transparent. Implementing new technology to either process new data, or process the same data for a new or different purpose is something which must be brought to the attention of employees in a specific and active way – this could be by printed letter enclosing a copy of the updated privacy policy or by e-mail with a link to the updated privacy policy (ideally with the read-receipt function activated so that there is a record of when it was read).

The purpose limitation Principle at Article 5(1)(b) states that data processing is only lawful if the data is collected for purposes which are clear, specified and legitimate. Once the affected individuals have been updated as to the new data to be collected and the new purpose for that collection, the employer must limit the processing to the stated purpose, otherwise it will not be lawful processing.

Similarly, Article 5(1)(c) sets out the data minimisation Principle – the data collected must be limited to only that which is necessary to meet this new purpose. For example, the monitoring technology may inadvertently collect more than is needed to monitor employee productivity – such as monitoring use of the work computer in personal time or for pre-agreed personal reasons (especially if a personal use policy is in place) as employees’ privacy must be respected. A DPIA should identify and remove this inadvertent processing. If there is any processing beyond the scope of being necessary to meet the new purpose, and this processing is found to be intentional, then it will not be lawful and must be avoided.

Human Rights

Under the Human Rights Act 1998, employees have a right to privacy even in the workplace.

It is also worth taking into account Article 8 of the European Convention on Human Rights, as this sets out the right to respect for private and family life, home and correspondence. The European Court of Human Rights has previously determined that ‘correspondence’ in this sense is to include work-related letters, emails and telephone conversations.

It is therefore important that employers are mindful of the privacy rights of their employees as using or disclosing information which is (or may be) protected by these rights could give rise to claims for damages from the affected employee(s). Some examples of ECHR privacy breaches:

  • Halford v UK. A police inspector’s phone calls were tapped after she had been assured there would be no tapping of her calls.

  • Copland v UK. There was no IT policy in the workplace and the employee had not been told that they might be monitored, but the employer was conducting monitoring via IT systems.

What steps should employers take?

Monitoring covers all manner of data processing, including but not limited to:

  • Spot checking emails

  • Keeping logs of telephone calls and/or call recording

  • Using automated software, e.g. to flag inappropriate words in emails

  • Using CCTV to monitor employee conduct (though this would be on-site rather than for home-workers)

Before carrying out any of the above – or indeed any variety of monitoring – employers must carry out the following steps:

  1. Identify a lawful basis for the monitoring (including carrying out a Legitimate Interests Assessment where necessary)

  2. Carry out a Data Protection Impact Assessment

  3. Update data processing policies and notices

  4. Notify affected employees of the variation to processing activities; and

  5. Ensure that all processing is implemented in line with the Principles.

If any of these steps yields results which suggest that monitoring may be unlawful, the monitoring should not take place. It may be possible to make adjustments so as to ensure lawful monitoring, but if there is any doubt then monitoring should be avoided.

If an employer can demonstrate that these steps have been taken – and that satisfactory assessments have been completed showing that the monitoring would be lawful – this will afford it the best protection from the risk of regulatory action or civil claims for damages from affected employees.

There should be a regular review of the monitoring to ensure it remains necessary. Additional reviews will be required each time there is any change to the factors under consideration, such as the productivity situation, work location, technology, etc.