The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on “employee monitoring”, it is likely to be relevant to other situations where an organisation has significant power over those who use its premises and equipment. The guidance considers the requirements under both the Data Protection Directive and, from next year, the GDPR.
The Working Party confirm that the same basic principles continue to apply; indeed, they are now even more important, because modern workplace systems are both more capable of intruding into privacy and much less obvious when they do so (compare a 2017 wifi monitoring system with a 2002 CCTV camera). Also, for many people, the boundary between workplace and home has blurred, so employers must take additional care not to intrude into private contexts. Two principles are therefore especially important:
- Proportionality: the benefits of monitoring must clearly justify the privacy intrusion;
- Transparency: monitoring must be clearly explained and justified to those being monitored.
Legally, the guidance suggests that most activities will need to be done on the basis that they are necessary for a contract, necessary for a legal duty (e.g. to pay tax and national insurance), or necessary in the employer’s legitimate interests. Consent is considered “highly unlikely to be a legal basis for processing at work, unless employees can refuse without adverse consequence”. Page 6 has a helpful summary of the circumstances when each of these may apply, and the associated obligations on the employer.
The guidance stresses that technologies do not know why they are being used, so may well collect more data than is actually required. It is the employer’s responsibility to ensure that they have a clear, transparent and legitimate purpose for any collection of data, that collection and processing are the minimum necessary to achieve that purpose, and that appropriate measures are taken to prevent the reuse of data for other purposes. Whatever legal basis is being used, an analysis should confirm that processing is necessary and proportionate and that any interference with rights is minimised: this might well be formalised under the GDPR as a Data Protection Impact Analysis (DPIA).
A basic checklist: Is it necessary? Is it fair? Is it proportionate? Is it transparent?
Finally, chapter 5 provides helpful discussions of a number of specific scenarios that frequently arise: social media profiles of recruitment candidates; social media profiles of employees; ICT monitoring (both via security tools and general usage); monitoring of home/remote/BYOD working; physical access control; video monitoring; vehicle monitoring; third-party disclosure; international transfers.