What are the rules around employee surveillance?
This blog is limited to overt (that is employees know it is happening) surveillance.
If an employer collects or generates any personal data (‘information’) about an employee then they have to do so in accordance with data protection law. This means complying with the six (seven if you include accountability) principles of data protection.
- Ensure they have a legal ground to collect, store, consider, share, and generally make use of the information
- Ensure that what is done with the information is within the reasonable expectation of the employees
- Ensure employees know what is happening with their information
- Use the information for legitimate purposes
- Ensure that they collect the right information and enough of it- but not too much
- Ensure that what they collect and deal with is accurate – and kept up to date
- Ensure they do not keep it for longer than needed
- Ensure that it is kept confidential and steps taken to prevent loss/damage and to ensure it is available for use when needed.
I’ll now expand upon the key points.
How can we do it legally?
Employees cannot consent to surveillance as consent requires a free take it or leave it choice. I would imagine that most employees would feel obliged to agree to surveillance – which isn’t consent.
As such the legal ground is likely to be that the surveillance is necessary to perform the employment contract or it is necessary in the legitimate interests of the employer to know what their employees are doing.
Whatever ground is relied upon it is good practice and indeed may be a legal requirement, to undertake a Data Protection Impact Assessment before any surveillance takes place. This will oblige an employer to set out what they are trying to achieve by the surveillance, if the type of surveillance proposed is, in fact, necessary and is also, what the law refers to as, “proportionate”. It will also address risks to the privacy of the employees and inform the employer as to whether the surveillance ought to go ahead and, if so, what should be done to minimise the risk of any privacy harms.
How do we tell employees we are conducting surveillance?
With a Privacy Notice- all of the purpose(s) [including any potential disciplinary action] of processing personal data should be clear – and the lawful ground for doing what the employer proposes to do set out. If information is to be shared with anyone this should also be set out. This notice should be given before any processing takes place.
What should we collect and how much?
Employers need to think about what they are trying to achieve by surveillance. They need to think about what information they need to achieve the purpose and collect no more than is needed.
How long can an employer keep the information?
It depends on what the information is collected/ generated for. As soon as an employer has achieved the purpose and no longer need it then it should be erased/ destroyed.
What about security?
An employer should look at what information they are processing and how they do so. How is it being stored or shared? An employer should look at what threats to confidentiality or integrity there might be [only those who need to see personal data should do so], how it might be lost or damaged or availability affected. They should also consider how likely that is to occur and, if it does, what the consequences for the employee might be. Weighing this up then appropriate organisational and technical measures to address the risk should be taken.
Can employees see what an employer collects?
Yes – unless an exemption applies (for which see the Data Protection Act 2018) an employee is entitled to a copy of any information that relates to them as well as other information such as why it has been processed, who it has been shared with etc. This is known as the right of access.