Employee Monitoring – Managing Commercial Interests and Employee Privacy Rights
A recent fine in excess of €30 million directed at an international clothing retailer was a very real reminder to employers about the risks involved in encroaching into the private lives of employees, and the collection of excessive employee data. The action was a result of an investigation by the Hamburg Data Protection Authority which uncovered questionable data handling practices at one of its service centres in Germany.
The investigation unearthed practices by managers and supervisors who, after employee absences such as vacations or illnesses, would hold meetings upon their return to obtain detailed information about their private lives. Highly sensitive information about medical diagnoses, family issues and religious beliefs was permanently stored on a network drive and partly accessible to other managers.
Adoption of IT surveillance technologies and subsequent regulatory scrutiny
This decision is timely: with many employers having to embrace remote working as a result of the pandemic, employee productivity is under greater scrutiny. Some companies have deployed IT surveillance technologies to monitor employee use of company devices and systems for performance management, regulatory and information security purposes. A recent example is a large Swiss pharmaceutical company using "workplace analytics" to monitor whether employees were on calls, writing e-mails or participating in digital meetings.
Regulatory scrutiny of employee monitoring or similarly invasive practices by employers is not new. Fines were imposed even before the EU General Data Protection Regulation (“GDPR”) came into force. In 2008, a large German food discounter was fined over €1.4 million for illegally spying on employees. Unlawful surveillance like this can also lead to national scandals affecting management positions, as witnessed in the case of a major Swiss bank in 2019, where senior managers were allegedly covertly monitored for several weeks, whereupon the Swiss Financial Market Supervisory Authority (“FINMA”) initiated an enforcement procedure.
Employer responsibility
Companies encouraging employees to return to the office have a responsibility to provide a safe workplace, and many are adopting their own track and trace procedures, COVID-19 tests, health declarations and temperature monitoring checks. Without proper planning, scrutiny and oversight, these activities will result in employers amassing large amounts of sensitive personal data about their employees. If not appropriately managed and communicated, employers could face accusations of privacy infringements, which, in addition to the use of employee monitoring, will severely damage workforce morale and trust in management. Conversely, employees faced with growing uncertainty due to corporate restructuring, furlough and redundancy, particularly as governments begin to taper off job support schemes, could turn to data subject access requests as a means of obtaining information for use against their employer.
Key considerations
In this article we discuss five key issues for employers to consider before implementing new procedures and deploying new technologies to monitor and collect personal data about their employees.
1. Privacy Impact Assessments (“PIA”)
Employers should conduct documented privacy impact assessments at the earliest possible stage and before implementing new processing or monitoring techniques. A thorough PIA will help to identify and methodically work through the privacy and data protection compliance issues discussed above.
Employers in the UK and the EU must also consider whether they need to conduct a Data Protection Impact Assessment (“DPIA”) if the processing is likely to result in a high risk to the rights and freedoms of employees. A DPIA is likely to be required where large-scale processing of health-related data or systematic monitoring activities are envisaged. If there is any doubt, employers would be wise to perform a DPIA.
2. Purpose limitation and transparency
Employers should think carefully about the purposes for undertaking new activities that involve any form of personal data collection: what risk they are seeking to address and what outcome they are seeking. Any ambiguity at the outset as to the purposes of the processing will set the tone for serious compliance issues down the line. To avoid these issues, employers should clearly articulate and document the purposes for using these techniques, and the parameters to be adhered to by managers and supervisors. These purposes should be clearly communicated to managers and supervisors, and to impacted employee groups.
The rapid deployment of remote working solutions to ensure the security and integrity of existing devices and data assets, together with the introduction of employee performance monitoring, may mean these activities are not covered by employers' existing privacy notices, company policies and employment contracts. To ensure employees are adequately informed, employers should update privacy notices and contracts before commencing, and should also consider ad-hoc awareness campaigns to make sure employees understand the new practices and have an opportunity to raise questions about them.
3. Data Subject Access Requests
Existing procedures for responding to employee rights requests, in particular requests for access to personal data, might need to be monitored and reviewed to address any sharp increase in the nature and volume of personal data processed, as well as in the number of access requests received. It is now common for employees to make a Data Subject Access Request where they feel at risk of redundancy or disciplinary action, or where they feel that they have a claim or dispute against their employer. As well as the limited timeframes, these requests pose multiple challenges for employers, including:
- timely identity verification of requesters;
- running searches for specific datasets across disparate systems;
- redaction of documents;
- managing data sets commingled with personal data of other employees or third parties in emails and instant messages.
All of the above is with a view to ensuring that information about the individual is correct, stored securely and presented in a manner which is understandable to them.
4. Employment laws and works councils
Employers should be mindful that practices impacting on employee privacy are sometimes subject to stricter employment regulations, particularly in continental Europe. Implementing new activities that involve the processing of personal data and that impact an employee’s working environment or the terms of their employment contract may require works council consultation, and even approval. To the extent that the processing involves, or could potentially involve, sensitive personal data, employers should pay close attention to the peculiarities of Member State law and regulatory guidance that may severely limit or prohibit the processing of sensitive personal data such as health data. The main takeaway for employers is to include key stakeholders, such as Human Resources, in any planning for the deployment of new employee monitoring and proposed data collection activities.
5. Excessive data collection and improper use
There may be a temptation to collect a greater amount of personal data than is needed in an effort to inform future management decisions. Employers should exercise care to ensure any data collection is proportionate and justified, and should carefully think through the rationale and impact of any data collection to assess whether there is a sound legal basis for the processing, such as legitimate interests or the necessity to comply with legal requirements. The principle, simply stated, is not to collect more data than you need. Generally, employee consent cannot be relied upon by an employer due to the imbalance of power between the parties. This, in turn, can raise issues around the collection and use of data which potentially reveals health or other sensitive information. As such, employers are advised to review relevant local employment laws and data protection rules and guidelines, as these can vary.
Similarly, personal data should be used only for the specific purposes notified to employees, for example in a privacy notice or employee handbook. There should be procedures to guard against improper uses and to ensure any planned additional uses are assessed for compatibility.
The A&M Differentiator
A&M’s privacy and data compliance practice focuses on supporting clients in navigating the evolving and complex data protection regulatory landscape, and on developing and implementing solutions to address these challenges. The A&M team is also highly experienced in conducting forensic investigations into alleged data privacy violations.
The practice brings specialist advisory and consulting services on international and cross-border privacy, data protection, secrecy and related laws and sectoral rules. Professionals within the practice include former consultants, regulators, data protection officers and certified information privacy professionals who are skilled at aligning and implementing complex regulatory requirements within operational processes and settings.