With most employees working from home, for employers this can bring advantages and disadvantages. One of the key disadvantages is that employers may feel that they are not getting as much out of their employees as they would if they were in the office.
With more tech companies providing products which help monitor your employees when WFH the question arises of whether employers can use these products to monitor employees lawfully in accordance with data protection laws?
There are a number of factors you will need to think through if you are considering monitoring employees:
Lawfulness of processing: all processing needs to have a lawful basis under the GDPR. If you are looking at monitoring, there is potentially only one lawful basis which is legitimate interests. Legitimate interests can only be relied on if your interests in carrying out the processing override the rights, interests and freedoms of the individuals affected by the processing. To establish this, a legitimate interests assessment should be carried out. However, the more intrusive the monitoring, the more difficult it will be to rely on legitimate interests.
Transparency: If you are planning on implementing a new monitoring technology, your employees should be made aware of it. Details will need to be added to your staff privacy notice and this will need to be specifically drawn to the attention of your employees.
Data Protection Impact Assessment (“DPIA”): the GDPR requires controllers proposing to carry out higher risk processing, to carry out a DPIA before doing so, particularly where the processing involves the use of new technologies. DPIAs should focus on the risks involved with certain types of processing and the safeguards which can be put in place to minimise those risks. The use of employee monitoring technology is likely to trigger the need to conduct a DPIA, and even if it does not, you should carry out a DPIA before rolling out any new monitoring technology to mitigate the privacy risks associated with that technology.
Purpose limitation and data minimisation: Purpose limitation requires that you only collect data for clear, specified and legitimate purposes. Data minimisation provides that you shouldn’t collect more data than you need to achieve your intended purpose. Monitoring technologies can lead to more data than was originally envisaged being collected and that additional data being used for other purposes.
Right to privacy: employees in the UK have a right to privacy under the Human Rights Act 1998. Although there are limitations to this, particularly in a work context, it is likely that individuals’ right to privacy will be greater when working from home than it would be in an office environment. Employers which are considering acting on information they have obtained from the use of monitoring technologies will need to weigh up the risk of employees claiming violation of their rights in the event they do act.
If you need any further information on this, please do not hesitate to contact us.