Some larger firms have recently suggested implementing surveillance technologies to more closely monitor employees, particularly as so many are still working from home. Paul Hastings’ Sarah Pearce discusses the legal issues that can arise.
Workplace surveillance has been a topic on the data privacy agenda for some time now, with it being commonplace to monitor staff phone calls and emails – provided it is in compliance with legal requirements. There have been recent developments, however, that suggest a shift toward more intrusive methods of surveillance, including the use of employee webcams and facial recognition software to track when employees are not at their computers.
Research has revealed an increase in such monitoring methods recently, or at least organizations considering their implementation. This trend is seemingly in line with the pandemic forcing more employees to work from home. In the remote-working climate, many firms reportedly feel they no longer have the oversight of employees that they are accustomed to. So far, speculation around the use of such surveillance methods has been confined to traders and front-office staff in certain banks, but it now seems likely that it could be rolled out more extensively. Many may question the legality of such surveillance, but let’s consider the existing rules governing the area.
Untangling Privacy Regulations
From a data-protection perspective alone, there are multiple complex issues. Firstly, such employee surveillance involves the collection of personal data and, notably, biometric data, which falls within sensitive or “special category data,” the processing of which requires an article 9 exemption plus a lawful basis (article 6) in order to be in compliance with General Data Protection Regulation (GDPR).
Of the article 9 exemptions, consent, field of employment and public health necessity appear the most obvious here. Consent is generally not recommended in the employment context given the imbalance of power, so it cannot be seen to be “freely given.” If relied upon as a ground in such context, another option needs to be offered that inherently aims to provide balance. The biggest issue with relying on consent is that it might not be given and, if given, it can be revoked. While not without risk of challenge, the alternative grounds would seem to apply and would indeed be preferable to rely on here.
Moving on to the requirement for a lawful basis for the processing under article 6, two are possible, although we shall discard consent here for the reasons discussed. Legitimate interest is the obvious ground here; organizations will likely be able to identify justifications for conducting such surveillance of its employees. Nevertheless, it would be worth businesses performing and documenting a legitimate interests assessment (LIA), to support any reliance on this ground.
Additionally, a data protection impact assessment (DPIA) would also likely be required, particularly if new technologies are rolled out in order to perform the surveillance of large volumes of special category data.
Businesses deploying such surveillance methods would also need to think about other GDPR principles, such as data minimization – ensuring they only collect and store the data that is necessary – as well as data retention, with considerations around how long the data would be held.
Moving away from the immediate risks of handling sensitive data, use of technology itself may prompt additional considerations or issues. For example, if the technology is provided by a third party, thorough diligence would not only be advised on the technology and its provider, but would also be a legal requirement under GDPR. Security is a key consideration, particularly in view of the data types at play here. The contractual documentation with any such third-party provider would need to include appropriate GDPR provisions and robust warranties with associated liability provisions.
The rollout of any such surveillance technology in the workplace goes beyond data-privacy requirements, however; organizations need to consider employment and health and safety issues too.
Just touching the surface, the rollout of this level of surveillance technology in the workplace is fraught with issues. That is not to say it can’t be done, just that careful consideration needs to be given to ensure it is implemented in a manner that is compliant with legal and regulatory requirements. Some businesses may consider the challenges too difficult and look to other, less intrusive methods to obtain the information they are after. An alternative would be to just stick to old-fashioned methods of trusting employees to do their jobs.