FAQs: Can you spy on your employees?
Working from home has been the new norm for many, thanks to lockdown. This shift to remote – and unwatched – working may have heightened the business desire to keep track of staff.
So, what’s allowed and what’s not, when it comes to monitoring what your employees get up to?
Keep reading to find out what kinds of employee monitoring take place, what the reasons might be, what lawful and unlawful monitoring looks like, and what rights employees have. Plus, we answer whether covert – i.e. ‘secret’ – surveillance can be lawful…
What Monitoring Typically Takes Place?
Monitoring staff includes:
- the use of software to monitor activity of staff through keyboard strokes or mouse movements
- use of CCTV
- monitoring entry and exit data
- reading emails and other written communications using automatic word finding software
- voice recording
- still images of staff
- speed and distance travelled for a company’s drivers
- locations visited
- websites visited
What Reasons Are Used to Monitor Staff?
Monitoring of staff in the above ways will invariably involve the processing of personal data.
The processing of such data can be used to monitor the health and safety of staff, assess staff performance against KPIs, identify any required training, detect theft, and enforce a computer usage policy.
Can Such Monitoring be Carried out Legitimately?
The starting point will traditionally be the employment contract or employee handbook. Does it contain some provision or term that states that an employee may be monitored, as well as how this will take place and the purpose of such monitoring?
Of course, it will almost always be the data protection legislation that will determine the legitimacy of staff monitoring. If carried out in breach of the legislation, an employee may be able to successfully argue that their employer has violated the term of mutual trust and confidence and recover compensation for a claim of constructive unfair or wrongful dismissal.
What Steps Should an Employer Take to Ensure They’re Lawfully Monitoring Staff?
There are six bases for processing personal data. The three commonly used by most employers are where the monitoring is necessary:
(i) to ensure compliance with a legal obligation;
(ii) for the performance of an employment contract; and/or
(iii) for the fulfilment of a legitimate interest.
The passage of the General Data Protection Regulation has diluted the impact of an employee giving consent because such consent must be informed and specific to the purpose of the processing taking place. For this reason, reliance on consent alone can be dangerous as it will often lack the specificity required.
After having established the purpose of processing the data (e.g., monitoring keyboard strokes and mouse movements to determine whether an employee is taking adequate breaks away from the PC), the next step will be to undertake an impact assessment.
What Does an Impact Assessment Require an Employer to Do?
The impact assessment enables a business to consider whether processing personal data is necessary for its stated lawful purpose.
The health and safety of an employee may straddle various lawful GDPR bases for the processing of personal data, including compliance with the law and the employer’s legitimate interest. However, the question remains as to whether the monitoring is a proportionate response to the furtherance of the employee’s health and safety.
This will entail identifying the benefits of the data gathered and weighing them against the level of intrusion to which the employee is being subjected. Can steps be taken to limit the intrusion? Who will see the data? Will monitoring be oppressive or demeaning to the data subject?
What Rights Do Employees Have?
If the measures are proportionate to the lawful purpose, then the employer must issue or update its privacy notices to the employee(s).
Issuing privacy notices to employees is the default position as it aligns with the principle of processing personal data lawfully, fairly and transparently. There are exceptions whereby issuing the privacy notice to employees can, for example, “render impossible or seriously impair the achievement of the objectives of the processing”. This is most likely to apply in an investigatory context where the disclosure of information is likely to impair the progress of an investigation into misconduct.
When Can Covert Surveillance Be Lawful?
This will engage an employee’s right to private life under Article 8 of the European Convention on Human Rights. However, a compelling legitimate interest can justify covert surveillance in the face of reasonably suspected criminal activity in the workplace.
A cash business that’s routinely experiencing cash till discrepancies on a certain day of the week may justify the need to covertly surveil its staff on the day in question.
To Sum Things Up
Monitoring your employees can appear Orwellian. But with the right processes in place, the dystopian feel of surveillance should be no deterrent for the legally compliant employer.