Covid-19 and WFH – can you monitor your employees under GDPR? - Law Firm

28 Jan 2021

The pandemic has resulted in a seismic shift in the number of employees working from home. For employers, this can bring advantages and disadvantages. One of the key disadvantages is that some employees may feel more inclined to shirk their usual responsibilities due to the lack of facetime or supervision they would normally experience when working from the office.

As usual, technology has a solution for this with more and more tech companies providing products which help you monitor your employees when WFH. The question which therefore arises is: can employers use these products to monitor employees lawfully in accordance with data protection laws?

Unfortunately, there is no one size fits all answer and there are a number of factors you will need to consider before implementing such technology. We have set out some of the key data protection considerations below:

Lawfulness of processing: all processing needs to have a lawful basis under the GDPR. When it comes to employee monitoring tools, there is only really one option – legitimate interests (remember that consent is generally not appropriate in an employment situation due to the imbalance of power between employer and employee). Legitimate interests can only be relied on if your interests in carrying out the processing override the rights, interests and freedoms of the individuals affected by the processing. To establish this a legitimate interests assessment (“LIA”) should be carried out. Note that even though legitimate interest may be appropriate in some cases, it will not always be possible to justify remote employee monitoring on this basis. As a general rule, the more intrusive the monitoring, the more difficult it will be to rely on legitimate interests.

Data Protection Impact Assessment (“DPIA”): the GDPR requires controllers proposing to carry out higher risk processing, to carry out a DPIA before doing so, particularly where the processing involves the use of new technologies. DPIAs are intended to focus the mind on the risks involved with certain types of processing and the safeguards which can be put in place to minimise those risks. The use of employee monitoring technology will often trigger the need to conduct a DPIA, and even if it does not, it would still be prudent to carry out a DPIA before rolling out any new monitoring technology to mitigate the privacy risks associated with that technology.

Transparency: This is one of the key considerations. If you are planning on implementing a new monitoring technology, your employees should be made aware of it. Relevant details will need to be added to your staff privacy notice. However, simply updating your staff privacy notice on your intranet normally will not be enough. The use of monitoring technology will usually also need to be specifically drawn to the attention of your employees (e.g. by way of cover email accompanying your updated privacy notice) to adhere to the GDPR’s transparency requirements.

Purpose limitation and data minimisation: These are two of the GDPR’s overarching principles which tend to go hand in hand. Purpose limitation requires that you only collect data for clear, specified and legitimate purposes. Data minimisation provides that you shouldn’t collect more data than you need to achieve your intended purpose. This is relevant in the context of monitoring technologies as often they can lead to more data than was originally envisaged being collected and that additional data being used for novel purposes. Employers seeking to use monitoring technologies need to be aware of this potential scope creep – breach of the GDPR’s principles is serious and can result in heavy sanctions (as various regulators have reminded us recently).

Right to privacy: finally, it is important to remember that employees in the UK have a right to privacy under the Human Rights Act 1998. Although there are limitations to this, particularly in a work context, it is likely that individuals’ right to privacy will be greater when working from home than it would be in an office environment. Employers which are considering acting on information they have obtained from the use of monitoring technologies will need to weigh up the risk of employees claiming violation of their rights in the event they do act.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Follow us online

Related legal expertise

Related sectors

Technology

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.

Cookie	Duration	Description
foxwilliams.vuture.net_VxSessionId	session	No description available.
intEmailHistoryId	1 year	No description available.
VISITOR_PRIVACY_METADATA	6 months	Description is currently not available.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Covid-19 and WFH – can you monitor your employees under GDPR?

Follow us online

Popular insights

Direct(or) responsibility: 10 ways a director could be held personally liable in 2022

Change of Control Provisions

How to successfully challenge witness statements

Related legal expertise

Related sectors