Employee monitoring has been a contentious issue for years, and things have got murkier still with the widespread adoption of remote working amid COVID-19.
Many people are sceptical of the prospect of being monitored, but organisations often have a justifiable reason to keep an eye on their staff.
Indeed, the GDPR (General Data Protection Regulation) permits workplace monitoring – but it sets very clear guidelines on the extent to how and when monitoring is allowed and organisations’ requirements for doing so.
Before any surveillance can take place, organisations must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use.
As private communication meets the definition of personal data (as described in Article 4 of the GDPR), organisations must prove that they have a lawful ground to collect and monitor this information.
Many people have mistakenly thought this means getting consent, but not only is consent hard to get and keep, the GDPR says an employee cannot give consent to an employer because of the inherent imbalance of power.
In other words, consent can’t be “freely given” if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear for their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.
Organisations should therefore seek one of five other lawful grounds for processing data. The most appropriate ground will probably be legitimate interests, although the rules for this are still murky.
One thing that the GDPR makes clear is that organisations should be as deliberate and as unobtrusive as possible in their monitoring.
Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications on the off-chance that they’ll find evidence of misuse.
Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.
The bottom line is that, should employees overstep their right to a social life at work, organisations shouldn’t have to dig too deep to find evidence of that.
Learn more about the GDPR’s requirements by downloading our free green paper.
General Data Protection Regulation – A compliance guide contains a comprehensive overview of the steps you must take to ensure ongoing compliance.
It also includes tips to make sure you understand how the GDPR differs from previous data protection regiments and when processing activities are within scope.
Finally, you’ll receive tips to ensure that you achieve GDPR compliance as efficiently as possible.
Keeping it legal
Organisations’ monitoring policies should form part of their ISMS (information security management system, the best practice for which is described in ISO 27001.
That documentation should cover why monitoring is needed – such as to prevent theft or improper use of data. It should also differentiate between the use of personal and work communications.
Organisations will probably have more leeway in monitoring work correspondence, but they also have an obligation to make sure employees aren’t using personal accounts excessively or with disregard to security policies (by downloading suspicious attachments, for instance).
Similarly, organisations have an obligation to make sure employees aren’t emailing confidential work documents via personal email accounts.
Work-sanctioned instant messaging proves a tricky middle-ground between private and personal communications.
Even if employees primarily use the app for work, communication will almost certainly spill over into personal conversation at times – just as inevitably happens in face-to-face communications.
Organisations are entitled to conduct some level of monitoring, but the nature of the tech creates a dangerous temptation to store excessive and unnecessary personal information.
Achieve compliance with GDPR training
The best way to ensure that your organisation is keeping up with its compliance requirements is by taking a GDPR training course.
Our Certified GDPR Foundation Training Course provides comprehensive guidance delivered by a specialist consultant.
The one-day course helps you develop a practical understanding of the Regulation, covering topics such as:
- Data subjects’ rights, including DSARs (data subject access requests)
- Securing personal data;
- How to report data breaches;
- Transferring personal data outside the EU; and
- How to perform a DPIA (data protection impact assessment).
A version of this blog was originally published on 27 September 2017.