Blog

8 July 2020

Monitoring and Privacy – striking the balance

Image
Surveillance camera

Privacy is a basic human right which we all can enjoy, but there are instances when our privacy cannot be the overriding factor.

In the workplace, there’s a fine line between the privacy employees should be entitled to against the information organisations must hold, as well as monitoring that may be needed for security reasons. So how do you strike the right balance?

Organisations often fall foul of trying to tread this line. There are cases on both sides of the debate where monitoring and surveillance can be deemed acceptable or not, depending on the context.

Justifying surveillance at the highest court

An example of acceptable surveillance is the Spanish Supermarket case López Ribalda and Others v. Spain where the Grand chamber of the European Court of Human Rights (ECHR) determined that covert surveillance was not, in the circumstances, a violation of Article 8 of the Human Rights Act.

The Spanish case decision hinged on the activity that the employer had undertaken to establish that fraudulent activity was occurring and at what point in the sales process that this was happening.  The ECHR took into account that the employer had a right to protect its business and had taken steps to determine the likely area that surveillance would provide a definitive result ensuring that only the potential culprits were monitored.  The use of covert surveillance in this instance was proportional and the options for other methods were limited. The other factor taken into account was that CCTV was already in use in the environment in an open and advertised way and this was being circumvented.

However, the case of Bărbulescu v. Romania provides the opposite view point with the ECHR determining that the monitoring undertaken by an employer of an employee’s communications infringed Article 8 of the Human Rights Act.

The Romanian case focussed on the level of intrusion into the private life of the employee, the safeguards in place to safeguard against abuse and the proportionality of the measure employed. 

What needs to be taken into account when considering surveillance?

These cases highlighted the following tests that should be applied when making decisions around monitoring:

  1. Whether the employee has been notified that monitoring may be undertaken
  2. The extent of the monitoring
  3. Whether the employer has a legitimate reason for monitoring the activity
  4. Whether there are less intrusive options available
  5. Whether appropriate safeguards are in place for the employee especially where the monitoring is of an intrusive nature

When an organisation deals with significant personal data or money there is often a clause in the contract or Acceptable Use Policy that states that a level of monitoring is in place. In reality, there is often little in the way of clarity as to what this monitoring entails.  In some instances, every keystroke, transaction and search is recorded and monitored. In others this is only the case when there is a suspicion. To an extent it depends on the industry, but this has become more prevalent in the shift to more remote working through the Covid-19 pandemic and the need to manage performance.

So how do you balance the right of the individual to privacy in the workplace against the very real concerns of an organisation in relation to theft, whether this be data, intellectual property or cash.

Tips for balancing employee privacy against necessary monitoring

  • Be absolutely clear about what is monitored, when and why.

Vague statements that intimate that activity might be monitored at some point are not helpful and will lead to challenges down the line.

  • Consider why the particular level of monitoring is appropriate

Has there been reason to suspect that something is amiss as in the Spanish case or is the risk attached to the activity such that constant monitoring is needed to protect not only the employer but also the employee?

  • A balancing test should be undertaken

In the majority of these cases, the legal basis for the processing of the data is the legitimate interest of the employer. A balancing test will document the reasons, the methods, and the options considered as well as the risk which is being mitigated by the monitoring. This then helps to draw out the basis on which the decision for the action has been made.

  • Restrict the analysis of monitoring

Monitoring analysis and review should be limited to a particular set of employees who have a duty of confidentiality so that the risk to the individual is reduced to the absolute minimum where intrusive monitoring is undertaken.

If you need a handy checklist of the steps you need to take when considering privacy and monitoring, make sure you’ve taken into account the following:

  1. What events have occurred to suggest that monitoring is necessary?
  2. What is the risk that is being mitigated?
  3. What options have you considered? Is there a less intrusive method that you can use?
  4. What is done with the reports? How long are they kept for?
  5. How have you notified your employees about the monitoring that is undertaken?
  6. Who has access to the reports and what can they do with them?
  7. What are your HR policies in relation to performance management and conduct and what support is available to the manager and employee?

If you’ve got all these steps covered, you’ll ensure your organisation has taken the necessary steps to be transparent with your employees, and that you have a policy in place to protect your organisation.

Blog tags

Lesley Holmes

Lesley is an experienced Data Protection Officer (DPO) and former Senior Information Management and Governance Consultant with a sustained record of delivering success in Information governance (IG) and front line services, Lesley is extremely experienced in data protection law.

Back to previous