Employee monitoring: navigating the fine line between surveillance and trust

July 17, 2024

Background

The news of Wells Fargo dismissing employees for using "mouse jiggling" devices to simulate activity at their workstations has brought the issue of employee monitoring back into sharp focus. This incident is a stark reminder of the complexities surrounding employee surveillance in an era where remote and hybrid working arrangements are becoming the norm for many.

Since the pandemic and the rise of remote working, companies are increasingly turning to staff monitoring technology to ensure productivity and compliance. Employers argue that these systems are necessary to manage a dispersed workforce effectively. For instance, EY has been reported to use turnstile data to monitor the office attendance of its employees, while other companies have implemented more intrusive measures such as biometric attendance monitoring. However, the use of such monitoring tools raises important questions about privacy and trust in the workplace.

Employer's right to monitor

Employee monitoring can take various forms from tracking timekeeping and keyboard activity to accessing webcams, taking screenshots and monitoring internet usage. As already mentioned, there is an increasing trend to use security gate data as a means of monitoring the frequency of individual employees' office attendance in comparison to their remote working days, which could be perceived as excessive surveillance. In October 2023, the Information Commissioner's Office (ICO) released guidance in respect of employee monitoring, discussing how it can work alongside data protection regulations and how to ensure any monitoring is lawful.

Employers have the right to monitor their workers as long as they do so consistently with data protection law and Article 8 of the Human Rights Act which concerns the right to respect for a private and family life.

To lawfully collect and process information obtained from monitoring employees, an employer must identify one of the following lawful bases:

• Consent: The employee has agreed to the monitoring.
• Contract: The monitoring is essential for fulfilling the terms of a contract with the employee.
• Legal obligation: The monitoring is required to fulfil a legal obligation.
• Vital interests: The monitoring is required to protect someone's life.
• Public tasks: The monitoring is required to carry out a task that serves the public interest.
• Legitimate interests: The monitoring is necessary for the legitimate interests of the employer or a third party, provided it does not unduly infringe on the rights of the employees.

Whilst the "legitimate interests" ground is the widest category, the ICO does emphasise that the ground cannot be relied upon for employee monitoring "if you can reasonably achieve the same result in a less intrusive way". This means that employers must always seek the least invasive methods to accomplish their monitoring objectives, ensuring that employee privacy is respected as much as possible.

The ICO has also set up an interactive guidance tool that employers can use to determine which lawful basis best fits the circumstances. It may be that more than one basis applies - in such an instance, all applicable bases should be noted.

Furthermore, when the monitoring process involves "special category data", employers must not only identify a lawful basis but also a special category processing condition as outlined in Article 9 of the UK GDPR. This is because such data requires greater protection due to its sensitivity and the increased potential for harm to individuals if it is misused. Special category data pertains to sensitive information such as racial or ethnic origins, political opinions or health conditions.

Best practices for lawful monitoring

When considering employee monitoring, it is advisable for employers to:

• update their privacy notices to clearly explain to employees the data that will be monitored, the rationale for this, and the duration of any monitoring period and data retention;
• ensure secure deletion of data when no longer needed;
• have a clearly defined policy on employee monitoring, perhaps developed in consultation with employees and their representatives, that is compliant with legal requirements;
• evaluate the need for Data Protection Impact Assessments (DPIAs). Conducting a DPIA is a prudent step to assess the fairness of proposed monitoring. DPIAs are a useful tool for accountability, helping to pinpoint potential risks and facilitating open dialogue about monitoring plans with employees; and
• avoid excessive monitoring. Excessive monitoring can have adverse effects, especially in remote work settings where the line between work and personal life can blur. Monitoring beyond what is necessary for legitimate business purposes may also collect sensitive personal information unintentionally, which raises data protection concerns.

Conclusion

It is clear that navigating the fine line between surveillance and trust in employee monitoring is crucial. While employers have a right to monitor their employees and use various technologies to ensure productivity and compliance, there is a need for transparency with employees and compliance with data protection laws.

Employers should communicate openly with their employees about the purposes and benefits of monitoring, while also conducting thorough DPIAs to identify any potential negative impacts. Transparency from the outset helps manage expectations and alleviates concerns regarding privacy infringement. By adopting a balanced approach that considers both employee privacy and organisational needs, employers can create an environment built on mutual trust and productivity. This ensures that monitoring practices not only optimise operational efficiency but simultaneously uphold the rights and privacy of employees.