EU Data protection and new technology
The EU’s Article 29 Data Protection Working Party (which provides independent advice to the European Commission on data protection issues and helps develop harmonised policies for EU Member States) recently published a further Opinion, which brings its data protection (DP) thinking up to date with the technological developments that have occurred in the processing of employee data at work.
In light of this technology, the Opinion re-assesses the challenge of balancing the legitimate interests of the employer and the reasonable privacy expectations of the employee.
The Opinion sits primarily under the EU Data Protection Directive (DPD) but also looks ahead to the General Data Protection Regulation which comes into force for all EU Member States (including the UK) on May 25th, 2018.
The Processing Technology
The technological developments considered include:
- The substantial reduction in the cost to the employer of data processing alongside the very substantial increase in data processing capacity and power.
- The availability of new forms of covert employee monitoring such as smart phone tracking or social media monitoring, as well as much less visible CCTV cameras.
- The ability to monitor closely greater numbers of employees who now work away from the workplace (e.g. from home or elsewhere), which can spill over into monitoring in a private context.
The Opinion highlights the risk that technology permits employees to be tracked over time, across workplaces and homes and by many different devices (smart phones, tablets, wearables etc.) at very low cost. Without a limit on processing, the employers’ interests in improving efficiency and protecting assets might lead to unjustified monitoring.
The Data Privacy Risks
The Opinion considers risk areas where unjustified and possibly illegal monitoring may occur:
- Social media screening both in recruitment and while in employment.
- Monitoring IT usage in the workplace: such as data loss prevention tools, Unified Threat Management and Mobile Device Management technology.
- Monitoring operations to support working outside the workplace: such as homework monitoring, wearables (for health tracking), bring your own device (BYOD) and mobile device management.
- Employee time and attendance monitoring used for unjustified reasons. For instance, security access information used for performance evaluation.
- Unjustified use of video monitoring systems to capture and analyse employee behaviours.
- Unjustified monitoring/tracking of vehicles used by employees.
- The transfers of personal data to third parties (such as customers).
- The international transfer of HR and employee information.
The Working Party Recommendations
- The move from analogue data processing to digital does not change the employee’s fundamental right to privacy.
- Employers can only collect and process data for a legitimate purpose and under appropriate conditions.
- Who owns the devices that collect employee data does not change the fundamental position.
- Employee consent to data processing can almost never be freely given because of the imbalance of power between an employer and an employee.
- An employer’s legal right to processing can only be invoked if the processing is strictly necessary and meets the principles of proportionality and subsidiarity. A data protection impact assessment should be carried out before any new monitoring device is deployed to test both necessity and proportionality.
- Employers must tell employees clearly and effectively what monitoring is taking place, the reason for it and the possibilities for employees to prevent their data being captured. The Opinion recommends consultation with employee representatives as most monitoring has the possibility of infringing private lives.
- Proportionality means taking no more data than is strictly necessary. For instance, if employee misuse of the internet while at work can be blocked by filters, the employer has no general right to monitor. Employees should have the possibility to switch off tracking devices in certain circumstances.
- Data that is no longer needed must be deleted.
- Employees using the employer’s online work applications must have private online spaces available to them within those applications, which cannot be accessed by the employer.
General Data Protection Regulation
Businesses preparing for the General Data Protection Regulation should take all Working Party recommendations into account as they review their policies and processes.