While both employers and employees adapted to this new way of working with admirable speed, it brought with it a new focus on the already contentious subject of employee monitoring. Employers concerned about tracking productivity, protecting confidential information and ensuring appropriate use of IT systems looked for answers - and technology companies responded by offering tools ranging from remote monitoring of employees' IT system usage to using work device webcams to check employees were actually working. Many employees meanwhile were concerned about breaches of privacy occurring in their own homes.
Longer-term attitudes to flexible working have become exactly that - more flexible - as a result of the pandemic. Even as the vaccine roll-out gives hope of a return to some normality, multiple surveys have found that many employees would prefer to continue working from home in some capacity, even when social distancing laws no longer require them to do so. In many cases employers are supportive of this.
This realisation that a full-time return to the office post-pandemic is unlikely has led to concerns that current privacy protections for employees are inadequate. Those concerns led to a cross-party group of MPs, some of the country's leading academics and the union Prospect writing to the Information Commissioner, Elizabeth Denham, in December 2020 asking her to update guidance to keep pace with advancements in software used to monitor home workers. The Labour party also called for the UK Government to introduce better regulatory oversight to ensure workers are not monitored without their consent.
Current legal framework
The General Data Protection Regulation ("GDPR") and the Data Protection Act 2018, along with the Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018, are the primary pieces of legislation regulating the ability of an employer to monitor employees. Employees can look to Article 8 of the European Convention on Human Rights (implemented via the Human Rights Act 1998), which sets out the right to family and private life, as well as the Equality Act 2010, the Employment Rights Act 1996 and the implied duty of trust and confidence contained in all contracts of employment when seeking protection from breaches of privacy, or discrimination or unfair treatment related to monitoring in the workplace.
In addition, guidance on monitoring employees working from home can be found in the ICO's Employment Practices Code (published in 2011) and the Article 29 Working Party Opinion on data processing at work ("WP29") (published in 2017). It is noteworthy that both these documents pre-date the implementation of GDPR in May 2018, although WP29 does specifically consider its impact. The European Data Protection Board ("EDPB") has since replaced WP29. However, the WP29 Opinion did consider certain developments in technology which enable more intrusive monitoring and as such, for the time being, it is a helpful resource.
The Information Commissioner's Office ("ICO") issued guidance early on in the pandemic confirming their intention to take a pragmatic approach to enforcement of GDPR, acknowledging the many other difficulties businesses faced during this time. Guidance was issued on this basis in May 2020. This approach is, though, time-limited to the pandemic and it remains important, nonetheless, for employers to comply with the regulatory requirements that are in place.
What steps need to be taken to comply with GDPR?
Monitoring of employees will amount, in most cases, to an employer processing personal data. Under the GDPR any such data must be processed lawfully, transparently and fairly. It must also be collected for specified, explicit and legitimate purposes and be limited to what is necessary for those purposes. That means minimising the data that is collected to no more than is required for the monitoring to achieve its purpose.
Employers must have a legal basis for processing data and, in most cases, this is likely to be the "legitimate interest" of the employer. Consent is generally not appropriate because of the imbalance of power between employer and employee, making it difficult to prove it has been given freely. In essence, for monitoring to be lawful, the employer has to find the right balance between its interests in monitoring employees and employees' rights to protection of data relating to them and their privacy.
Although not specifically required by the GDPR, the ICO recommends employers undertake a legitimate interests assessment ("LIA") - a type of light touch risk assessment based on the specific context and circumstances of the processing - which can be retained to evidence the decision-making process and justification for processing on the basis of legitimate interests. This encourages employers to question why the processing is needed and objectively consider what the reasonable expectations of their employees will be around monitoring - specifically what their reasonable expectation of privacy will be in the circumstances - and any impact it has on them. As a general rule, the more intrusive the monitoring, the harder it will be to demonstrate a balance with the employer's legitimate interest.
Unlike LIAs, Data Protection Impact Assessments ("DPIA") are a GDPR requirement where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. Some types of processing automatically require a DPIA to be undertaken - systematic and extensive profiling with significant effects, large scale use of sensitive data and public monitoring. In other cases, the employer will need to assess whether the processing is higher risk. WP29 published guidelines with nine criteria which may act as indicators of likely high risk processing, with a combination of two of the criteria often indicating the need for a DPIA. A number of these factors may arise when an employer introduces technology to monitor employees, triggering the need for a DPIA, but even if a DPIA is not a requirement, it would still be good practice to carry one out.
Should an employer choose to continue with their chosen monitoring method, transparency is essential. In addition to updating the staff privacy notice and any related policies, in the normal course, employees should be specifically made aware of the monitoring, the reasons for it and how it is being carried out. Covert monitoring will only be lawful in exceptional circumstances. Employers also need to be aware that some monitoring technologies may gather more information than was originally intended, risking an unintended breach of GDPR.
What can be distilled from case law?
While there is case law relating to employee monitoring from the European Court of Human Rights ("ECHR") - arising from alleged breaches of Article 8 - none has yet specifically addressed monitoring employees working from home. The cases before the ECHR have also tended to relate to disciplinary matters rather than monitoring for reasons such as checking productivity. In many cases monitoring for misconduct reasons will be limited in nature, whereas company-wide performance monitoring will be considerably broader in scope. This, together with it being likely that an individual's reasonable expectation of privacy will be greater when working from home than when in an office environment, should be borne in mind when considering the case law.
The need for transparency when undertaking monitoring was highlighted in Barbulescu v Romania [2017] ECHR 742, a case which revolved around monitoring email. The employer had a policy which made clear that its work computers could not be used for personal purposes but it did not specifically indicate the nature and extent of the monitoring or that the employer could access the content of the communications. Mr Barbulescu only became aware of this when the employer produced evidence of his personal use of a work Yahoo account during a disciplinary process that led to his dismissal. After unsuccessful claims in the Romanian courts, the case was referred to the ECHR where Mr Barbulescu argued his Article 8 right to respect for private and family life had been breached by virtue of the employer monitoring his emails. The ECHR initially decided by a majority that the employer was permitted to check whether or not Mr Barbulescu was performing his work; however, this was overturned on appeal to the Grand Chamber, which held Article 8 had been breached. The employer's failure to expressly advise that this included monitoring the content of personal communications was key to the Court's judgment that the correct balance between the employer's interests and the employee's right to privacy had not been met.
In Lopez Ribalda and Others v Spain [2019] ECHR 752, a Chamber of the ECHR initially upheld a claim that an employer's use of covert surveillance when trying to catch employees involved in workplace theft was a breach of the right to privacy under Article 8 - the surveillance was a significant intrusion into the employees' private lives and a fair balance had not been struck between the employees' rights of privacy and the employer's interest in protecting its property from theft. However, on appeal to the Grand Chamber that decision was overturned. Key to this decision was the limited nature of the monitoring. It took place in an area open to the public as well as employees where the "expectation of privacy" would have been lower, it only continued until the culprits were identified and was then used for the limited purpose of disciplinary action. Crucially, the Court also found there was no other less intrusive way of fulfilling the aim pursued - advising the staff of the surveillance would have defeated its purpose.
Closer to home, transparency was once again important when the domestic courts considered whether monitoring breached the implied term of trust and confidence in Argus Media Ltd v Halim [2019] EWHC 42 (QB). When Argus sought to enforce post-termination restrictions, Mr Halim argued he had been released from them via the employer repudiating his contract by reading his personal emails. The Court disagreed. Significant in its reasoning was the Court's finding that Argus had authority to monitor or review the use of their IT systems under their Electronic Information and Communications Policy which Mr Halim had signed. The actions of Argus in reviewing the emails were not an illegitimate interference with the Article 8 right to family and private life. Even if there had been a breach of privacy, the Court held that, in the particular circumstances, such a breach was not one that was calculated or likely to destroy the relationship of trust and confidence.
Is the current regulatory regime adequate to protect homeworkers?
The issue with the current regime is perhaps one of lack of understanding and a consequent failure by employers to take the necessary steps to properly balance justifiable protection of the employer's interests with their employees' rights to privacy. New challenges may be created (or at least become more common) as a consequence of higher numbers of home workers. There may be an increased risk of processing non-corporate information where employees are using personal devices for work during the week and for personal reasons in the evenings and at weekends. Other family members may also be caught up in the surveillance if the devices are shared. However, these are the types of issues that can and should be identified by employers, perhaps via DPIAs, at the planning stage.
The pragmatic approach to protecting employees' privacy, at least initially, may be to ensure that the current regime and its requirements are accessible and easily understood via a campaign of publicity and education rather than an overhaul of legislation. Employers looking to grapple with the existing fairness and data minimisation requirements of GDPR will be better supported in doing so once the ICO updates its guidance to employers to take account of both GDPR and the significant changes to how work is carried out. It was reported in January that the ICO was at the early stages of developing employer-focused guidance and that it would be engaging with organisations to seek their views.
The current practice of naming and shaming employers who breach rights may also have a place - highlighting the potentially significant fines that the ICO can impose for GDPR breaches to deter employers, while concurrently letting employees know which businesses may not respect their privacy, should they consider working for them. Greater consultation with employees and unions could also be encouraged.
If employees' Article 8 rights continue to be breached, we can expect to see increasing numbers of claims being made in tribunals and courts. If these claims show an inadequacy in the current regulatory regime, rather than a failure on the part of employers to comply with it, it may transpire, in due course, that statutory correction needs to be considered.
Alternatives to monitoring
In some sectors monitoring will be a necessity - financial services firms were recently warned by the FCA that it expected them to put in place rigorous oversight on traders working from home. However, for many others, the first question that should be asked is not what type of monitoring is required, but if any is needed at all. In a recent CIPD report, 73% of employees who responded felt that introducing workplace monitoring would damage the trust between them and their employers. Arguably, maintaining trust is even more important when employees work from home than when they are in the office environment. Indeed, in some cases, the need to use tracking software may indicate bigger problems than productivity.
Choosing alternatives to employee monitoring software has a number of benefits. Encouraging managers to check in regularly with employees and build strong working relationships with them can increase employee loyalty. Motivating employees to engage with the aims of the business can be done via clear instruction and recognising and rewarding positive behaviours and performance. This approach - creating a desire to do well rather than a fear of failure - is more likely to have the added benefit of improved wellbeing as well as productivity.
Monitoring of employees, however, should not be demonised. Data that is collected can be used to enhance worker wellbeing as well as safeguard the employer's interests. The key is for the employer to assess the risk posed by home working and to respond in a proportionate manner that limits encroachment on their employees' right to a private life.
This article originally appeared in the March 2021 edition of the Employment Law Journal.