News

We provide tailored and innovative solutions.

Miller Samuel Hill Brown Solicitors Blog

From time to time we will post news articles and announcements relating to the firm and to various legal issues that may be of interest to you.

Data Protection and Employee Monitoring: what are the risks?

mshb nov blog 500x333

Developments in technology have resulted in an increase in available programs and software which employers can use to electronically monitor the activities of their employees. It is not uncommon to have trackers in company vehicles for legitimate purposes such as in order to protect employees who are lone working while driving or have a record in case of road accidents. However, software can also allow for monitoring of employees using computers, and with the rise this year of working at home it can be tempting for employers to want to keep a close eye on employees working remotely – but it is legal for them to do so and what are the risks involved?

Research from Cardiff University found that during lockdown homeworking increased significantly from around 5.7% of the workforce to 43.1%, a huge shift in working practices. A common fear cited by employers was that without physical oversight, employees would not be as productive and ‘slack off’. Such fears can lead employers to sign up for software monitoring solutions. However, the research indicates these fears were not well founded, with only around 30% of workers feeling that their productivity was less then when they were in the workplace. It should also be remembered that during lockdown, those working at home were doing so during a period of significant uncertainty and anxiety and not in the circumstances they otherwise would be, and may have had to adapt to working from home full time very suddenly, or be looking after children at home or other vulnerable relatives.

The type of software which can be used to monitor employees can record which applications and websites have been used, level of keyboard or mouse activity or recipient and subject lines of individual emails. Some can take regular screenshots from the device, log every individual keystroke or even provide live video of the employee’s screen.

This level of monitoring poses risks to employers in terms of data protection legislation and may breach their obligations as data controllers. If such software has been implemented without any risk assessment and particularly without the knowledge of the employees, its use is very likely to be in breach of the GDPR. Such monitoring is very intrusive and introducing it should be considered very carefully, particularly given research seems to suggest fears around productivity are broadly not well founded.

In addition, this type of monitoring can also undermine employee trust and relationships. Research from the Chartered Institute of Personnel and Development (CIPD) found that 73% of respondents felt monitoring and surveillance of employees would undermine trust and adversely affect relationships between employers and their employees.

This would suggest that seeking to find other ways of maintaining productively in the first instance is likely to be a more beneficial route. Building mutual trust in the workplace and showing that employees are trusted to get on with their work and deliver as intended is likely to be better for employee relationships. There are likely to be other ways of monitoring productivity, such as where the amount of work done can actively be seen or measured through output, the meeting of targets, amount of sales, submission of invoices or timesheets, levels of communication and participation in meetings and so on. If technology is to be used, it is advisable to consult staff and identify any reasons for it and any benefits for them to assist in maintaining trust.

Consultation is also likely to help remain compliant in terms of the GDPR and Data Protection Act 2018. The Information Commissioner (ICO) has guidance on this issue in their employment practice code (which has not been updated to reflect the 2018 Act but the guidance remains relevant)

A key issue where an employer proposes to process any personal data of its employees is whether there is a lawful basis for doing so. Any monitoring software will process personal data and, depending on the software the employer is proposing to use, may pick up data beyond that required to monitor performance, such as medical information, personal emails, or bank details if the employee uses the computer to check their online banking during their lunch break, for example.

Generally, in the absence of a legal obligation to do so, the only lawful basis which can reasonably apply to electronic monitoring of employees is the legitimate interests of the employer. If using this as a legal basis, there are some key things which must be considered and in place:

  • Proportionality: using electronic monitoring software must be a proportionate way of achieving the interests of the employer and must not be outweighed by the privacy rights of the employee. If there is a less intrusive way of monitoring performance, the use of electronic monitoring is unlikely to be justified. Using software which monitors every keystroke or takes screenshots or video is likely to go far beyond what would be considered necessary or proportionate in most cases.
  • Risk assessment: the ICO would expect a Data Protection Impact Assessment to have been carried out to consider not only the proportionality or necessity of the processing, but also any risks which arise from it and how to mitigate these. This would also involve carrying out due diligence in terms of the proposed software provider, who will potentially have access to employee data, and consider how this data is stored.
  • Transparency: employees have the right to be informed about processing of their data, the purposes of it, the use made of it, how long it is retained and so on. If electronic monitoring is being used, employees must have been informed of this and what this means for their data, such as what information will be processed and why. This will require updating of privacy notices, or issuing a new privacy notice specific to this issue. If data from monitoring could be used to discipline an employee, they must have been informed of this, otherwise this could have implications for the fairness of any disciplinary process.

Carrying out electronic monitoring of employees without proper impact assessment or transparency creates the risk of not only a fine from the ICO, but also civil proceedings for damages by employees and could also increase the risk of employment tribunal claims. At the heart of the employment contract is the implied duty of mutual trust and confidence, which may be broken by monitoring employees in breach of their privacy and without their knowledge. This could open the door to claims of constructive dismissal. It is also foreseeable that there could be allegations of discrimination if employees with a particular protected characteristic are disproportionately impacted.

A final consideration is employee health and wellbeing. Employers have a duty to safeguard the health and safety of employees in the workplace, which includes mental health and ensuring an environment which is not unsafe in terms of stress levels. Given the trust issues which electronic monitoring can create and the pressure employees may feel under, issues could arise with stress and anxiety. Employers proposing to introduce monitoring software should think carefully about whether it is necessary or justified, and where it is introduced ensure it is done so transparently and in accordance with data protection legislation.

Miller Samuel Hill Brown can provide further advice and guidance on such issues. To get in touch please use our online contact form.

Separating in uncertain times
When Insolvency Law and Licensing Law Intertwine: ...