Monitoring Employees – A New Outlook

Audrey Williams

There has been a lot of commentary on the recent European Court of Human Rights (ECHR) case of Barbulescu. The issue in the case was whether the employer’s investigation of Mr Barbulescu’s Yahoo Messenger account (which he had opened in order to respond to client enquiries) was in breach of his right to privacy under Article 8 of the European Convention on Human Rights. See the previous article on idatalaw (https://idatalaw.com/2016/01/14/european-court-of-human-rights-echr-finds-that-monitoring-an-employees-internet-use-was-justified/).

Key to the Court’s decision were the company’s internal regulations, which stated: “It is strictly forbidden ….to use computers, photocopiers, telephones, telex and fax machines for personal purposes”. Whether this had been clearly communicated to Mr Barbulescu appears to have been disputed.

It would be wrong to read this case as giving employers carte blanche to monitor employees’ use of equipment and technology. Of much more interest are the observations made by the Court, particularly those of Judge Pinto de Albuquerque, who disagreed with the majority of his fellow judges on some aspects.

Judge Pinto made this interesting comment about the increasingly blurred division between work and home life: “Strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.” Where organisations encourage employees to bring their own devices and expect greater accessibility, this becomes even more important. One of the key issues is the need to protect freedom of expression, not just privacy. An employer drafting (or updating) its Email/Electronic Communication, Internet and Social Media Policy, or undertaking related investigations, must bear this in mind. The acid test is whether, and why, interfering with these rights is necessary for the business.

The blanket ban relied upon in the Barbulescu case is increasingly impractical, even more so where the policy operates across borders and where, in many European jurisdictions, privacy rights are stronger than in the UK. A more expansive and comprehensive policy is recommended, dealing not just with usage but also with the rules around monitoring and investigations. These need to address emails, instant messaging, social networking, blogging and web surfing, or in the Court’s words “cyberslacking”. The policy should answer at least the following questions:

  • When and why would checks (i.e. monitoring and investigations) be required in your business?
  • Who is authorised to conduct these?
  • How will any investigation be conducted? This must be managed carefully. It is essential to balance each individual’s right to privacy against the concerns which the business is looking to address:
      • If the concern is the amount of time spent cyberslacking, little more is needed than to assess the time spent, without accessing the content of messages;
      • By contrast, if the concern is abusive or offensive emails being sent to colleagues, there is no need to access what are clearly personal emails;
      • In Barbulescu there was some criticism of the investigation into messages sent to the employee’s fiancée and brother, but the employer was given credit for basing its decision on the evidence of use of the system for personal purposes during working hours, rather than on the content of the communications, and for having analysed usage over a short period, limiting the intrusion.

In the UK the Information Commissioner has issued detailed guidance on such matters (see https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf) and recommends that before conducting any monitoring or investigation an impact assessment is carried out. The Code also sets out some core principles:
  • Workers have legitimate expectations that they can keep their personal lives private and are entitled to a degree of privacy in the work environment.
  • It will usually be intrusive to monitor your workers.
  • Employers who wish to monitor should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by the real benefits it will deliver.
  • Workers should be made aware of the nature, extent and reasons for any monitoring.
  • Covert monitoring is justified only in exceptional cases.
  • Workers’ awareness of monitoring, and any warnings given about it, will influence their expectations.

Those undertaking the monitoring or investigation must be aware of the employer’s responsibilities under the Data Protection Act 1998 and of the privacy rights attached to those provisions, particularly around personal data and sensitive personal data.

Audrey Williams is a partner in the HR team at City law firm Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

New ICO Guidance on GDPR

Daniel Geller

The General Data Protection Regulation (GDPR) is expected to apply in the UK from May 2018.

Many of the principles in the new legislation are much the same as those in the current Data Protection Act. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.

The Information Commissioner’s Office (ICO) has produced its first data protection guidance in relation to the GDPR. This takes the form of a 12-step guide to actions to take now in preparation for the changes scheduled for 2018. Below is a summary of the ICO’s 12 preliminary steps.

Awareness

You should make sure that the decision makers and key people in your organisation are aware that the law is changing to GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.

The GDPR’s two-year lead-in period gives organisations time to prepare, and that time matters: the GDPR may have significant resource implications, especially for larger, more complex organisations. Compliance may be difficult if you leave your preparations until the last minute.

Information You Hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas.

It is good practice to start documenting the data you hold. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.

Communicating Privacy Information

You should review your current privacy policies and put a plan in place for making any necessary changes in time for GDPR implementation.

When you collect personal data you currently have to give people certain information (usually through your privacy policy), such as your identity and how you intend to use their information. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data and your data retention periods, and to tell individuals that they have a right to complain to the ICO if they think there is a problem with the way you are handling their data.

Note that the GDPR requires this information to be provided in concise, clear and easily understood language. This will affect the content of your privacy policy.

Individuals’ Rights

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA, but with some significant differences. The right to data portability is new. This is an enhanced form of subject access under which you have to provide the data electronically, in a structured, commonly used and machine-readable format.

If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively straightforward. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion? These questions should be considered in the lead up to GDPR implementation.

Subject Access Requests

The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days.

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

You will be able to refuse (or charge for) requests that are manifestly unfounded or excessive. If you want to rely on this, you will need to have policies and procedures in place to demonstrate why a particular request meets those criteria.

Legal Basis for Processing Personal Data

Many organisations will not have thought about their legal basis for processing personal data. This will be different under the GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. One clear example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing.

It should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this in order to help you comply with the GDPR’s ‘accountability’ requirements.

Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

Consent has to be a positive indication of agreement to personal data being processed; it cannot be inferred from silence, pre-ticked boxes or inactivity. If you rely on individuals’ consent to process their data, you must make sure it will meet the standards required by the GDPR. If not, you should alter your consent mechanisms or find an alternative to consent. Note that consent has to be verifiable and that individuals generally have stronger rights where you rely on consent to process their data.

Children

You should start thinking about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

For the first time, the GDPR will bring in special protection for children’s personal data. If your organisation collects information about children (in the UK this will probably be defined as anyone under 13) then you will need a parent or guardian’s consent in order to process their personal data lawfully. This could have significant implications if your organisation aims services at children and collects their personal data.

Data Breaches

Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. The GDPR, however, will bring in a breach notification duty across the board. Not all breaches will have to be notified to the ICO, only those where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. Where notification is required it must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach.

Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs), and work out how to implement them in your organisation. The ICO guidance shows how DPIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations in which it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?

Note that you do not always have to carry out a DPIA. A DPIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals.

Data Protection Officers

The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.

International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

It would be helpful for you to map out where your organisation makes its most significant decisions about data processing. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.


The GDPR leaves a lot for organisations to consider in the lead up to its implementation. It is best to get ahead of the game here and leave yourself plenty of time to incorporate any new changes into your organisation’s current data protection compliance procedures.


For any further information on this please contact Daniel Geller at dgeller@foxwilliams.com.

Daniel is an associate lawyer in the commerce and technology department of law firm Fox Williams LLP, London