This blog explores the concept of monitoring employees, whilst taking a look at the legal and practical considerations for employers who choose to monitor their employees.

Given the current climate that faces us, an unprecedented number of employees have been actively encouraged by their employers and the government to work from home. After a few months of such a working arrangement, it is clear that employees can successfully work from home and, looking to the future, it is likely that more employees will want to do so post the Coronavirus pandemic and lockdown.

This presents a problem for employers who may, quite reasonably, feel they are less able to monitor their employees work and, as a result, have greater concerns surrounding the productivity levels of their employees. However, with the rise of technology in our modern digital age, there are ways that employers can (legally) monitor employees. 

What does monitoring employees involve?

Generally speaking there are two streams flowing from the concept of employee monitoring:

1. Active monitoring. This is associated with the physical recordings of employees’ telephone conversations or CCTV; and
2. Passive monitoring. This is a relatively new concept brought about by advances in technology and is associated with tracking software that records data such as the keystrokes of employees, the websites employees visit and even taking screenshots of an employee’s screen. 

It is the latter, passive monitoring, that employers should be more aware of as this type of monitoring poses greater privacy risks as they are able to collect, process and store significant volumes of data. Considering this, employers must strike a balance between their employees’ privacy and the monitoring of those employees to maintain productivity levels.

What is the legal position of monitoring employees?

There are three main legal considerations from an employer’s perspective in respect monitoring their employees:

1. The implied duty of trust and confidence

Employers owe a duty of trust and confidence to every employee. If an employer adopts inappropriate monitoring processes and activities, these could constitute a breach of the duty of trust and confidence leading to a possible grievance from an employee or a constructive dismissal claim (where an employee resigns due to a fundamental breach of contract).

2. Article 8 of the European Convention of Human Rights and covert investigations

Article 8 refers to the fundamental right of privacy. Employers need to ensure that their monitoring policies to not infringe their employees’ right to privacy, this right is often associated with the concept of covert monitoring.

In a recent case from Spain (Lopez Ribalda) involved a supermarket planting hidden CCTV cameras in their store to confirm suspicions that some of their employees were stealing products from the store. The case was eventually heard at the European Court of Human Rights who concluded, that whilst Article 8 was engaged by the use of covert video surveillance, there had been no violation of the right by monitoring the employees to confirm reasonable suspicions of theft.

Whilst the above case indicates that covert monitoring can be legal, they are particularly risky and should only be undertaken in exceptional circumstances. The civil courts and employment tribunals typically oppose the use of covert investigations or monitoring unless there are clear and sufficiently serious reasons for doing so, therefore, employers should tread very carefully before initiating such an investigation.

3. General Data Protection Regulation (GDPR)

This is the most important legal consideration for employers in respect of employee monitoring and the data they collect when doing so. Although, there is no legal obligation for employers to obtain the consent of their employees to collect data from their employee’s, there is an obligation on employers to be transparent with their employees as to why they are collecting the data, how they are collecting the data and what the data will be used for. Transparency is the key obligation on employers when complying with GDPR.

What should employers be doing to comply with GDPR?

There are two key initial questions an employer should be asking when they are considering implementing a policy of employee monitoring:

1. What is the interest the employer is trying to protect?

If an employer can accurately pinpoint what interest the monitoring is trying to protect, they will be in a better position to justify the measures from not only a legal, but also practical perspective, particularly if employees subsequently ask questions about the monitoring methods. The interest or reason is normally centred around productivity; especially if employees are working from home. The employer will want to be sure the employee is actually working whilst at home.

2. Is the monitoring method chosen proportionate to the risks the employer is trying to mitigate?

The employer will have to consider whether the monitoring method they have adopted is proportionate to the risks they are protecting and consider if there are any alternative ways of protecting the interest. For example, if the employer is wishing to mitigate the risks of productivity levels among staff falling whilst employees work from home, they may decide that monitoring an employee’s keystrokes is a proportionate way of doing this as they can monitor the employee’s screen time to confirm that an adequate amount of time is being spent working.

The more extreme and intrusive the method the harder it will be for an employer to argue proportionality, if there is a less intrusive method of achieving the desired purpose, the ICO (the agency that governs data protection regulations in the UK) would expect the employer to use this. For example, an employer is likely to struggle to argue recording an employee’s every move on their laptop webcam is a proportionate method of ensuring productivity as less intrusive methods such as having team calls to discuss work load and work done, or monitoring an employee’s key strokes, are less intrusive ways of achieving the desired aim. Employers need to have in mind the reasonable privacy expectations of their employees when having regard to this question.

Once an employer has established answers to the questions above, they should put in place the following to ensure GDPR compliance:

• a legitimate interests assessment or data protection impact assessment in respect of employee monitoring methods. Carrying out such assessments should effectively answer the two key initial questions set out above;
• a clear and transparent notice on monitoring to employees. This is usually the employer’s “privacy notice” and should detail specifically why the monitoring is taking place, the legitimate interest being pursued and the particular nature and extent of the monitoring;
• a written policy during the onboarding process which sets out how monitoring is conducted. This policy should be readily available within the workplace and be re-issued if any monitoring activities change. It is also advisable for employers to provide appropriate training for staff carrying out and using monitoring data; and
• an appropriate and secure system to store the data safely. Employers should restrict access to the data collected to a select few members of staff and ensure appropriate safeguards are in place, steering clear of any personal documents that are marked “private” or “personal” unless they have very good reasons for doing so. Personal devices should also be considered out of bounds.

Consequences for non-compliance

The ICO has the authority to investigate breaches of GDPR regulations and can impose significant sanctions which include, but are not limited to, prohibiting processing activities and imposing fines of up to 4% of global turnover or €20million. These sanctions can have a significant impact on a business’ finances and reputation (as data breaches tend to draw particularly damaging press) therefore employers should ensure that their monitoring processes are proportionate and transparent to all employees.

Finally, a flawed monitoring process or policy could lead to grievances from employees, and serious failures could expose and employer to constructive or unfair dismissal claims from employees.

If you would like to discuss the possiblity of employee monitoring please contact a member of the Employment team.

This blog was co-written by Fred Chandler, Trainee Solicitor and Claire Merritt, Partner.