Every move you make, every step you take… I’ll be watching you

Employment relationships are all about mutual trust, confidence and loyalty. Sometimes though, you may want to back instinct with evidence.

Monitoring staff is nothing new. However, with increasing home/hybrid working, business use of social media, and readily available monitoring devices and systems, more organisations than ever are considering it.

Here’s some aspects we frequently encounter.

CCTV

CCTV can reassure staff about security and safety. But using it to monitor work can cause problems. You can, but staff normally need to be aware of its use and purpose.

Covert recording is highly inadvisable. However, it may be possible short term. For instance, temporary surveillance to investigate till shortages or stock deficiencies.

Routine observation via covert CCTV almost certainly isn’t. If no record is retained, it may not infringe data protection law. However, footage that’s retained, potentially will. It may also trigger hostility or legal challenge.

Sickness Triggers

Sickness triggers can be helpful welfare mechanisms to monitor short term absence. After a set period or number of absences, employee and manager review the situation.

If a disciplinary penalty is a potential outcome, don’t let the system itself fire off automatic warnings. The process must be fair and include human intervention. In any discussion – particularly where disability is possible – managers must be trained, and mindful of discrimination.

Vehicle Trackers

With company vehicles you may utilise trackers as a security or safety measure. But, if staff use their work vehicles domestically, don’t infringe their privacy by monitoring such periods. Switch the tracker off.

Machine Logs

Lots of equipment logs its own usage. This helps determine costs, levels of or peaks in usage. Data protection legislation only applies to humans. Monitoring a machine’s efficiency doesn’t. However, if you then apply such data to individual staff usage, GDPR immediately engages.

Telephones

We’re all familiar with those stock announcements when you call an organisation – “your call is important and may be recorded for quality and training purposes”. The fact that calls are recorded and stored means data protection applies – to both caller and staff.

Monitoring and intercepting communications is strictly regulated in law. Any monitoring must be lawful, necessary and objectively justifiable. Make staff aware what monitoring is intended and why it’s necessary. Although there are currently no explicit rules, you must monitor staff to no greater degree than is necessary to achieve a legitimate purpose.

You determine whether to allow personal use of telephones (and other electronic communication devices). Identify that you may monitor all communications made utilising your equipment. And that personal calls made or received (with or without your approval) aren’t considered private or confidential.

Increased home working and adoption of ‘BYOD’ (bring your own device) can bring issues. With BYOD, an organisation may own corporate resources and data stored on a device. However the device itself belongs to the user, giving no right of access or management.

Even if it’s your equipment, there’s still a security risk if calls are made from insecure locations (potentially including staffs’ homes). You need clear, well understood procedures.

Internet Use

Some employers allow unfettered access to the internet. Others forbid it or restrict access to rest breaks. There are plenty of programmes allowing you to monitor – and indeed block – content. You may want to monitor appropriate usage. Accessing pornography or offensive material, for instance, may be gross misconduct.

Of course, what people do in their own time on their own equipment is normally their own business and can’t be monitored. However, you may become aware of behaviour or action potentially bringing your organisation into serious disrepute. This may undermine your trust and confidence in the individual and damage your organisation’s reputation. Staff need to know that disciplinary action can follow in such circumstances.

Social Media

With a plethora of social media now available, many organisations turn to it for business purposes. You need clear rules and procedures. An employer can be held ‘vicariously liable’ for defamatory postings made in the course of employment. So, if you encourage your staff to submit reviews, comments, blog contributions, chats etc. you may be responsible for what they say.

When personal data is processed by an individual for their own personal purposes, data protection principles do not apply. However, if you encourage your staff to post content on your behalf, this protection ceases. Where content is posted for corporate, business or non-domestic purposes, GDPR applies, and the ‘vicarious liability’ gremlins emerge. Even if the contribution is someone’s personal view, it’s no longer for a ‘domestic or recreational’ purpose and you’re at risk.

Naturally, with the possibility of attracting liability, employers may want to monitor staff social media activity. This is far from straightforward. You must balance an individual’s work role with their right to both a private family life and freedom of expression. Unjustified or excessive monitoring may breach the duty of ‘trust and confidence’, sometimes ending in constructive or unfair dismissal claims.

This article only scratches the surface of monitoring considerations. Moorepay offers GDPR audits and HR consultancy to help you develop appropriate protections.