The last few months have seen a surge in regulatory action around employee monitoring. While employee monitoring can be beneficial for organizations, recent enforcement decisions reflect the challenges that organizations face when it comes to implementing these practices.
Workplace monitoring is prevalent across all industries and sectors and is by no means a new concept. However, methods used by employers are becoming increasingly sophisticated, particularly due to the emergence of AI-based monitoring tools and the shift to flexible and remote working. It is therefore unsurprising that regulators across the U.K. and EU are interested in how organizations monitor their employees—which is a particularly tricky area to regulate.
The EU Approach
In December 2023, the French Data Protection Authority (CNIL) fined Amazon France Logistique (AFL) a whopping 32 million euros for excessive monitoring practices. AFL captured data from scanners used by its employees and produced statistics and performance indicators from that dataset. The CNIL deemed that AFL’s monitoring practices were “excessive” for the following reasons:
- Tracking inactivity time: The granularity with which AFL scanners recorded work interruptions was illegal and could result in employees needing to justify every break.
- Measuring scanning speed: Measuring the speed at which items were scanned and having tight constraints around these was excessive.
- Retention: AFL retained all data collected by the system, including statistical indicators, for all workers for a period of 31 days.
Although this is a decision by the French regulator, organizations with employees based in the U.K. and EU should take note of this decision and remind themselves of local data protection guidance.
Employee Monitoring in the UK
There are similar concerns around employee monitoring in the U.K. The Information Commissioner’s Office (ICO) conducted a study in October last year which found that 70 percent of the public would find it intrusive to be monitored by their employer. In response to these concerns, the ICO issued guidance on employee monitoring, making it clear that this must be done in a lawful and fair way. The guidance aims not only to protect workers’ data protection rights but also to build trust among the workforce.
More recently, we have seen the ICO taking a particularly strict approach to regulating employee monitoring that involves biometric data. The ICO issued an enforcement notice to Serco Leisure for its use of facial recognition technologies to monitor employee attendance. The ICO’s decision highlighted that organizations must evidence the necessity of the proposed monitoring (including by clearly demonstrating why other, less intrusive mechanisms are not appropriate) and ensure that appropriate policy documentation is in place.
While the ICO’s approach does not prohibit or hinder the deployment of employee monitoring technologies, the recent action and guidance from the regulator highlight the importance of ensuring that organizations identify the risks and sufficiently mitigate them. The timely publication of the ICO’s guidance on biometric data, released the same day as the Serco enforcement notice, reflects the regulator’s intention to provide organizations with adequate guidance on how to protect individuals’ personal data.
Key Recommendations
Employee monitoring is undoubtedly a valuable tool for business. However, to ensure compliance with data protection law, organizations should conduct thorough and detailed data protection impact assessments (DPIAs) to make sure that they consider and mitigate all relevant data protection risks. In particular, DPIAs for employee monitoring processes should cover three key questions:
1. Is the purpose for processing clear?
Consider why monitoring is necessary and what the intention is for the information collected. Being clear on the purpose for processing and establishing a lawful basis for processing is vital to ensuring compliance with data protection laws. Avoid monitoring workers “just in case” the information might be useful at a later date.
2. Is the monitoring proportionate for the purpose?
Ask whether there are any other, less intrusive methods of achieving the intended objective. If the answer to this question is no, this might indicate that the method is proportionate. If the answer to this question is yes, it is unlikely that the monitoring is a proportionate way of meeting those purposes and alternative methods should be explored.
3. Are employees aware?
Internal documentation (including policies and guidance notes), employee communications and privacy notices are useful methods of communicating to employees how and why their personal data is processed when monitoring is carried out. Employees should be informed of the nature, extent and reasons for monitoring, in a way that is easy to understand. DPIAs should consider whether opt-out rights are required, and ensure that there are clear and valid ways for employees to exercise those rights if so. Although there are certain circumstances where it is possible to justify covert monitoring, these are exceptional (for example, in order to prevent suspected criminal activity). Review the ICO’s detailed guidance before implementing such practices.
Emma Erskine-Fox is an attorney with TLT LLP in Bristol, U.K. Georgia Philippou is an attorney with TLT LLP in London. Jennifer Cleaver is a paralegal with TLT LLP in London. © 2024 TLT LLP. All rights reserved. Reposted with permission of Lexology.