When is employee monitoring lawful under data protection legislation?

Feb 15, 2021 | Good Management

If you are considering employee monitoring, it will involve processing personal data, which means there will be legal obligations and requirements to consider under the Data Protection Act 2018/the European General Data Protection Regulation (GDPR).

That doesn’t mean monitoring isn’t lawful. It certainly can be, but there are a variety of factors you must consider to ensure the monitoring you are conducting does not leave you legally vulnerable.

Finding a legal basis for processing the data

You must have one or more specific legal bases for processing personal data, so if you are monitoring, you need to identify what your legal basis will be. Your objective will be key to this – what are you actually trying to achieve? You should then be able to identify whether there is a justifiable legal basis for doing so. The most commonly used legal bases for data processing in the context of the employment relationship are performance of a contract, legal obligation, and legitimate interests.

Impact assessment

To process data lawfully it is not just a case of working out which of the listed lawful bases you can use. In order for processing to be justifiable under the legal basis you are using, you need to be sure it is absolutely necessary. Before you start monitoring, conduct an impact assessment.

How will the monitoring you are proposing impact the rights and freedoms of those being monitored? How can any potential adverse impact be minimised or eliminated? If impacts cannot be eliminated, on balance is the monitoring still justified because of the reasons you are doing it?

Based on your stated objective, are there any alternative ways of achieving the objective that would involve no monitoring, or less extensive monitoring?

Considering all these questions, and documenting everything considered and the reasons for steps you are taking, will all help support the legal basis for processing you are using.

Special category personal data

Even if you are not specifically monitoring special category personal data (such as in an equal opportunities monitoring form), it is possible that information about someone’s religion, sexual orientation, medical condition or other data coming under the ‘special category’ provisions might accidentally be recorded. Take account of this under the impact assessment and consider how you would avoid that happening.


Employees have the right not to have personal data retained for longer than absolutely necessary. Employee monitoring can be an area where this happens easily, and again, this is where your objective for doing the monitoring in the first place can be vital.

If, for example, you are monitoring entry and exit data purely for the purposes of knowing who is in the building in case of a fire or other evacuation, you don’t need to keep the data for long at all. If, on the other hand, you intend to use the entry and exit information to monitor attendance at work for the purposes of pay, or potentially disciplinary purposes, you may be able to retain it longer.


Personal data must be held securely and not accessed by anyone who doesn’t have the need to do so. Make sure data recorded as part of your monitoring activities is stored in a secure way, and that security provisions are made clear. Avoid the temptation to allow access to many people. Keep it as tight as you possibly can – it may be that later on additional people need to see specific data, but general access should be extremely limited.

Subject Access Requests

Employees have the right to see (and be provided with additional information about) data being held about them, and this includes data collected as part of monitoring, for example video footage or entry and exit records. Make sure this is taken into account when you receive a SAR from an employee.

Right to erasure and right to object

Employees can ask for their data to be erased (otherwise described as the ‘right to be forgotten’), and can object to their data being processed. You may be able to refuse either of these requests if you have justifiable reasons for doing so.


Data protection considerations in respect of employee monitoring can be significant, but can also be distilled down to a general principle of not doing any monitoring or doing anything with the data collected through monitoring unless it is absolutely and strictly necessary. Reduce it to a minimum in all senses – amount of information collected, what you do with it and how long you keep it.

Consulting employees about what you are proposing, and why, can really help in terms of identifying alternative methods, reducing any adverse impact, and reducing the likelihood of objections and complaints.


If you need further advice on employee monitoring and data protection legislation, do get in touch.