One of the key challenges for businesses today is balancing legitimate business interests with the privacy rights of individuals, including their employees. This can be a big risk when it comes to monitoring devices such as CCTV, GPS and other digital tracking systems that detect or monitor computer, e-mail and internet usage. Businesses use these systems to protect their physical and digital assets from external and internal threats.
The challenge is that these same systems can monitor employees in the workplace in an overly intrusive manner and this could pose significant challenges to the privacy rights of employees. In light of enhanced privacy rights under GDPR, businesses need to strike the balance between protecting their assets and customer data and minimising excessive or intrusive monitoring of employees.
A publication earlier this summer from the Article 29 Working Group (WP29), which consists of data protection regulators across the EU and the Irish Data Protection Commissioner, provides a number of scenarios that businesses might want to consider when using new technologies and how these could potentially infringe on the privacy rights of their employees.
We share a few of these scenarios below:
1. Processing operations during the recruitment process
The scenario: During the recruitment of new staff, an employer checks the social media profiles of potential candidates. The employer views, collects and stores that information from the various social networks and uses that personal data as part of the screening process.
The risks: Whilst many people have social media accounts that are publicly available, this does not give an automatic entitlement to employers to process that personal data. The employer must have a strong legitimate reason to collect this personal data and a legal basis to do this, and the business must inform potential candidates, in advance of them applying for the role, that it is collecting personal data from their social networks. The best method of being transparent about the collection of personal data from social networks is to detail this in the job advert.
Other points to note:
1. Employers should factor in whether the social media profile of the potential candidate is for business or private purposes.
2. If you are collecting personal data from the social media profile it should only relate to the role the potential candidate has applied for.
3. Any social media personal data collected during the recruitment process should be deleted once the candidates have been informed that they were unsuccessful.
4. There is no legal ground for an employer to “friend” a potential employee or covertly gain access to their social media profile.
2. Processing operations during the employment cycle
The scenario: Employers could have the potential technical ability to screen employee social media profiles on an on-going basis. This can give them access to personal and sensitive data on their employees. In general, employers should not screen social media profiles unless there is a very strong business case for this. For example, an employer may decide to monitor the LinkedIn profiles of former employees to ensure that the employee does not breach a non-compete clause that the employee has signed in their contract of employment.
The risks: This activity has a high risk of invading an employee’s privacy rights and in general is difficult to justify. The employer needs to be able to prove that this type of monitoring is necessary to protect their legitimate interests and they should use more traditional and less invasive methods first. They also need to inform employees in advance that, once they leave, the business will monitor their LinkedIn profile for the duration of the non-compete clause for this specific purpose. If this is abused, there is a very strong likelihood that the former employee could raise a complaint with the Data Protection Commission.
Other points to note:
1. The screening of employee social media profiles should not be carried out, especially in the case of an investigation or disciplinary issue, as it could undermine the validity of the disciplinary process.
Other new technologies and risks to consider
Businesses should think of privacy by design when they are using new technologies in their business and the workplace. The guidance from the WP29 group also includes scenarios for:
• Data Loss Prevention tools that monitor outgoing communications from the business so that they can minimise the risk of data breaches
• The latest version firewalls and other monitoring technologies
• Cloud based tracking systems
• Monitoring devices for mobile phones, tablets and laptops
• Mobile Device Management technology
• Monitoring of the home and remote working
• Devices that record and monitor time and attendance
• Video monitoring systems
• Tracking systems for employees who drive vehicles
Businesses use these devices as the number of threats is increasing from all angles, such as cyber attacks and data breaches, road safety risks for roles that involve driving and / or delivery services, or security risks within the business premises. In some instances the legitimate interest will override the privacy rights of the employees, but it is essential that employees are informed in a clear and transparent manner that these are in place, that they are not excessively monitored and that there is a clear legal basis and justification for implementing these systems.
You can download the WP29 opinion document on data processing here or if you would like to discuss the matter further please contact Helen at SFA on 01 605 1668 or at firstname.lastname@example.org or visit our GDPR section on http://www.sfa.ie/advice