Why Big Brother needs to watch out when it comes to employee monitoring
- Author: Grant Shackleston
Many employers are using software solutions to track employee activity, particularly where home working is taking place during the Covid-19 pandemic, but using such software can take companies into dangerous territory which may result in breaches of data protection, human rights and employment law.
The ‘Big Brother’ surveillance scenario envisaged by George Orwell has long since become reality. The ability to watch citizens outlined in the futuristic novel Nineteen Eighty-Four, published in 1949, is now firmly fact not fiction.
Rolling back to 2013, the British Security Industry Association estimated that there were some 4 to 6 million CCTV surveillance cameras in the UK, and recent estimates put London in the top three cities worldwide for the highest number of cameras by population. This race towards technological surveillance and monitoring saw a further boost during the summer lockdown when employees were forced to work from home, creating a perfect storm to inspire uptake of activity tracking software.
Research by academics at Cardiff University found that employers were worried that workers might shirk while they were away from the workplace, even though output did not seem to be affected. These concerns saw unprecedented numbers signing up for software monitoring solutions, with companies such as Hubstaff and Sneek reporting huge increases in the number of users during lockdown.
Products described as ‘workplace analytics’ or ‘time tracking’ may sound harmless enough, and appear an easy solution to manage productivity, or to protect against data breaches that could jeopardise a company’s intellectual property or their customer base. However, many of these software solutions will log every action by individual keystroke, and often go far beyond what is really necessary to manage a workforce, whether working remotely or not.
The sort of data collected would typically record which applications and websites have been used, the level of activity by keyboard or mouse, and may even drill down to list the recipient and subject lines of individual emails or messages. Many will take regular screenshots from the device and some can provide live video feed of the screen.
This level of information has the potential to step into dangerous territory when it comes to staying within the law, particularly when you add in the chance of recording private passwords and credentials, or even personal medical information.
And while some may argue that such software is good for maintaining productivity, the Chartered Institute of Personnel and Development (CIPD) has published research which suggests that surveillance in the workplace can undermine trust and adversely affect employer/employee relationships.
That finding is backed up by figures from trade union Prospect, who commissioned a poll to look at employee attitudes to workplace monitoring. This showed 80% of workers were uncomfortable with camera monitoring and 66% of workers with keystroke monitoring, while 48% believed any monitoring software would damage their working relationship, and this figure rose to 62% among younger workers.
These figures provide a strong argument for canvassing employees as the first option and looking for mutual trust in the working environment. Encouraging staff to be involved and to identify benefits from their side will help companies work towards technology usage that feels good for everyone, as well as staying on the right side of the law.
As monitoring will include processing of personal data, you will need to comply with data protection law, as set out in the Data Protection Act 2018 and the European General Data Protection Regulation (EU) 2016/679, known as GDPR. Failure to comply with data protection laws can have a serious impact for companies, both financially and reputationally, when it comes to monitoring and data collection. The fashion retailer H&M was fined €35 million recently for "flagrant disregard for data protection" when managers recorded anecdotal information about employees’ private lives, sharing this to make decisions around employee performance and ongoing employment at their customer service centre.
The regulator for data protection in the UK is the Information Commissioner’s Office (ICO) and they have some very useful guidance on this topic within their code of employment practice, but the key issues to consider are transparency, proportionality, and legality.
In weighing up the merits of monitoring, the interests of the employee must be balanced against the interests of the employer. No business case, such as keeping track of productivity to protect the business, can over-ride the employer’s obligations to comply with the Data Protection Act. Importantly, any proposed monitoring will first require a detailed assessment of the impact on the privacy of the employee.
Under Article 8 of the European Convention on Human Rights, which was incorporated into UK law by the Human Rights Act 1998, organisations must guarantee workers some degree of privacy in the workplace. The general principle is that it will usually be intrusive to monitor your workers, who are entitled to keep their personal lives private, and are also entitled to a degree of privacy in the work environment.
Beyond this, there is the legal consideration of the mutual duty of trust and confidence implied into the employment contract between employer and employee. If an employer were to breach this duty through monitoring practices which could be interpreted as destroying trust and confidence, it could open the door to claims such as constructive dismissal.
Another vital stage in the assessment process is to undertake due diligence with any proposed software provider, as you will be trusting them with your data as it is collected from individual workers and processed. It is likely you will need to carry out a data protection impact assessment (DPIA), which is required under GDPR where the processing of personal data presents a high risk to the rights and freedoms of individuals. Undertaking a DPIA involves a systematic approach to considering all aspects of how the processing will take place, identifying risks and working out how they may be mitigated. It is a useful tool to make sure you have covered all bases and the ICO has a template for organisations to follow.
If monitoring has been fully assessed and shown to be both justified and lawful, the next step will be to make sure everyone knows exactly how it will work in practice. Privacy notices and policies will need to be updated, but most important will be ensuring the whole issue is approached in an open and transparent way. That relates both to the logistics of how the monitoring itself will be conducted and to how any resulting data might be used.
Drivers for the app-based taxi service Uber have started a class action in the Dutch courts, alleging that the company relied solely on automated algorithms to make employment-related decisions in breach of Article 22 of GDPR. Any automatic processing which produces a negative effect for the individual should be open to challenge under Article 22 and this case is likely to become the biggest ever to tackle this issue, and the use of artificial intelligence.
As we continue through the pandemic, we are setting the scene for the future. Developments such as employee monitoring should be considered with care before rushing to adopt them, as while there may be the expectation that workers will remain working from home for at least the foreseeable future, any software solution should be in pursuit of a better working environment.
- Start with privacy. Undertake an impact assessment setting out what the monitoring will collect, the justification for it, any adverse impacts and how these will be resolved.
- Be transparent. Encourage discussion with employees over how it will work and where there may be benefits for both sides.
- Undertake due diligence on the supplier. Do they have robust practices in place? Can you trust them with this valuable data?
- Stay within the law. When sensitive data is being processed, this must comply with legal requirements for data protection, human rights, and employment contracts.
- Keep things confidential. Ensure ongoing use of any software is limited to those who know to follow strict rules of confidentiality and data security.