Is it permissible to track, monitor or have surveillance on your employees?Posted in : Business Legal on Data Security on 31 October 2017
David Fagan of Business Legal provides guidance on employee monitoring, citing an interesting case where the issue of monitoring came to the fore, highlighting the need for a legitimate reason as to why it is necessary and the issue of consent. David refers to Article 8 of the European Convention on Human Rights with regards personal information, privacy expectations and the use of surveillance, in particular GPS tracking systems. He discusses biometrics, for example, fingerprint identification, iris verification, hand, face and voice recognition systems; the concerns about personal information being compromised; and potential safeguards to combat and/or remedy a breach.
Employee Monitoring: When is it permissible to monitor your employees? The first thing to be said is that general monitoring is generally prohibited. There must be a reason before you can monitor or track employees. It must be a legitimate reason, that is to say, in the legitimate interest of the data controller without prejudice to the rights and freedoms of the data subject, that is to say, the employee.
So for instance, the issue of monitoring came to the fore in relation to a particular case back in 2008 where CCTV footage recorded attendance by the employees. But the employer later decided that he wanted to use that footage for disciplinary hearing purposes. And the Data Protection Commissioner's view was that in order to use that CCTV footage, in order to discipline employees for attendance purposes, the employer would have had to state that and the employees would have had to consent to that monitoring or been aware that that was a purpose for which that monitoring would be used. In the absence of that, the employer couldn't, in fact, proceed further with the use of the CCTV footage for that purpose.
Article 8 ECHR: The right to respect for private and family life
Under Article 8 of the European Convention on Human Rights, everyone has the right to respect for his private and family life, his home, and his correspondence, and case law has extended that effectively into the workplace. So, for instance, tracking systems such as GPS must take account of the privacy expectations of individuals. The staff must be informed of the existence of the surveillance and the purposes for which that personal data will be used.
The Data Protection Commissioner’s guidance on this point is that, for instance, drivers must be informed of the purpose for which personal data is being processed by tracking device, and it may not be used for any purpose other than the stated purpose, and that the company must have a policy on the use of such tracking systems. And in general, this may not be used on private vehicles, so it's generally impermissible to monitor the staff's use of their own private vehicle. Overriding all of this is the fact that there must be a legitimate reason why it is legitimate or necessary for the employer to use such tracking.
Similarly, in the case of biometrics, in general, the Data Protection Commissioner is not a fan of biometrics. But where there is a legitimate interest or a need on behalf of the employer, it will be permitted. So, what our biometrics? Well, things like fingerprint identification, iris verification, hand, face, voice recognition systems, effectively biological ID systems. And the use for the purposes of monitoring locations or habits and behaviour, they’re increasingly common in the workplace and can be used for identification, you know, who are you or authentication, you know, what are you entitled to do.
There are concerns obviously. What happens if stored biometric data is compromised? Will it facilitate identity theft? It is controversial when it comes to monitoring of children, for instance, in schools and such like. The Article 29 group, which is the group of all data protection authorities in Europe, has issued guidance on this. And in essence, their guidance boils down to is the data subject aware of this, and it recommends that in all cases the subject is aware of the biometric identification in place. Are there sufficient safeguards?
Safeguarding biometric information
One common safeguard is that the biometric system doesn't, in fact, record the biometrics directly, but records certain portions so that is not possible, for instance, to reconstruct a fingerprint from the biometric authentication that the system uses. In essence, it means that it's not directly possible to steal identities, or fingerprints, or so on and so forth. It is simply that it's able to verify someone's identity without necessarily having a snapshot of their identity, whether it's their iris or their fingerprint or their voiceprint, etc.
It's very important that the purpose of the biometrics be clearly stated and that it be limited to that purpose, which must be in the legitimate interest of the data controller without prejudice to the rights and freedoms of the data subject. In simple English, there must be good reason for this biometric system to be in place.
The Data Protection Commissioner recommended the following approach before biometrics will be lawful. The data controller should consider the particular need for that system, the most assessed privacy impact of various systems, and all of those needs must be fully considered before any biometric system will be introduced. It’s stated specifically, except in unusual circumstances, any employer or student who objects to using such a system should be allowed to use an alternative system, which does not involve processing of biometric information.
It is the use of a system by an employer that may be a data protection concern, not necessarily the production or sale of such a system. All situations must be judged on a case by case basis. So in essence, in order to introduce biometrics or indeed tracking or any other monitoring. There must be a demonstrable need for that system, and it must be proportionate, and the employees or the persons being tracked must be aware of it.
There is a difference where covert surveillance is used. In a covert surveillance situation, it is important that there be a demonstrable need for that surveillance. So, for instance, to protect against theft from a warehouse, generally it would not be possible to put in covert surveillance systems lawfully. However, if it is shown that currently items are being taken from the warehouse, such that there is a specific target of that covert surveillance, then the Data Protection Commissioner is often more comfortable with that covert surveillance for a limited period of time because of a specific situation, that has arisen. So for instance, the surveillance might last a day or two days or a week to try and catch the perpetrator of an ongoing theft.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.