Employers monitoring their employees is not a new issue. Indeed, I have written about the surveillance of employees in the workplace, and their right to privacy pursuant to Article 8 of the European Convention on Human Rights, in a previous Inforrm post in the context of the European Court of Human Rights’ judgments in Bărbulescu v Romania  App. no. 61496/08 and Lopez Ribalda v Spain  ECHR.
In the former case, although the Strasbourg Court found in favour of Mr Bărbulescu, and in doing so made it clear that employees are subject to an irreducible minimum right to private social life whilst at work, the Court also made clear that the judgment did not make employee monitoring illegal in certain situations in which specific conditions are met. In doing so it recognised that employers have a qualified right to monitor their employees’ communications, and acknowledged on behalf of employers, a ‘…right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.’ Thus, the Court determined that in cases concerning a conflict between an employee’s right to privacy and the employer’s right to ensure the smooth running of the company (by monitoring employees communications and/or Internet use), a balance must be struck using the test of proportionality. Ultimately, it said that if monitoring measures are challenged, then the domestic court will need to consider the consequences of the monitoring process for the employee as against the consequences for the employer. Importantly, the Court set out criteria that should be considered by domestic courts when attempting to strike this balance, as follows:
- Employees should be told in advance that their employer may monitor their communications, and the way in which this will be done, including the ‘nature’ of the monitoring.
- Prior to monitoring their employees, employers should assess the extent of the monitoring they intend to carry out and its intrusion into employees’ privacy. In doing so, they should consider the following questions:
- Can they limit the monitoring to the flow of communications, or does content also need to be monitored?
- Do all communications need to be monitored, or will monitoring some communications suffice?
- Can the monitoring be subject to a time limit?
- Can physical limits to monitoring be imposed?
- Can the number of people who have access to the results of the monitoring be limited?
- Legitimate reasons must be established for monitoring of the flow of communications. Due to its invasiveness, the monitoring of content will require even clearer reasons.
- Employers should assess whether a less intrusive monitoring system could be set up. In respect of monitoring content the employer must assess whether they could meet the legitimate reasons (see point 3) without directly accessing the full content of the communication(s).
- The monitoring process should be constantly reviewed by the employer, including the use of the results of the operation, the consequences for employees and whether the results achieve the identified ‘legitimate reasons’.
What is new however is the COVID-19, and hopefully soon-to-be post-COVID-19, working world that we are, and will be, in. Many large and small employers in the United Kingdom and beyond have embraced home and remote working, and have publicly said that they will not return to their pre-COVID-19 way of working (including a number of international law firms and professional services firms) meaning that widespread presenteeism appears to be a thing of the past. Indeed, the Chairman of Price Waterhouse Coopers, Kevin Ellis, has gone as far as stating that ‘presenteeism is dead’ . Thus, many employees will no longer be required to be based in a particular location, and in many cases will also not be required to work typical 9 to 5 hours. Rather, they will continue to work remotely from home, and flexibly. The reasons for this are obvious and numerous. For example, it reduces overheads (such as leasing expensive office space, providing equipment and facilities, cleaning and security costs, maintenance costs etc), cuts down on commuting and travel time and associated costs, reduces the company’s carbon footprint, and contributes (at least in theory) to employee well-being as it allows for a better work/life balance.
At this point you may be thinking so far, so good: ‘Everyone is a winner – employees are able to avoid the grind of the daily commute and employers save money whilst having a happier, healthier and more efficient workforce. What is there not to love about this new way of working?’ There is however an arguably more sinister side to our Brave New Working World. It has led to an increase in companies producing software to enable employers to monitor their employees at home. For example, the US company Hubstaff provides software that enables employers to track their employees’ hours, keystrokes, mouse movements and websites visited. According to a recent BBC News report, Hubstaff says that its number of UK customers is up four times year-on-year since February 2020. Another company called Sneek offers technology that takes photographs of workers through their laptop and uploads them for colleagues to see (with photographs being taken as often as every minute). However, the firm describes itself as a communication platform, and says “everyone on the app has the same experience whether they are an employer or an employee.” Its co-founder, Del Currie, told the BBC that it had seen a five-fold increase in its number of users during the first lockdown, taking the firm to almost 20,000 in total.
This begs the questions; how far can employers go (at least domestically) in monitoring their home/remote working employees, and where they should they be looking for this guidance?
The Information Commissioner’s Office
The Information Commissioner’s Office has been remarkably quiet on the subject, which is perhaps surprising bearing in mind the increased prevalence of home working and monitoring. In fact, its only guidance (The employment practices code) pre-dates the GDPR and the Data Protection 2018, and is written from a Data Protection Act 1998 perspective. However, it does provide some helpful guidance, most notably:
- The Data Protection Act 1998 (and we would presume the 2018 Act) does not prevent an employer from monitoring workers (in the workplace), but such monitoring must be done in a way which is consistent with the Act. Employers – especially in the public sector – must also bear in mind Article 8.
- Expectations of privacy are likely to be significantly greater at home than in the workplace.
- If employees are using mobiles or home telephone lines, for which the employer pay, that are subjected to monitoring, the employer must ensure that the employee is aware of the nature and the reasons for the monitoring.
It also sets out the following core principles:
- It will usually be intrusive to monitor employees.
- Employees have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.
- If employers wish to monitor their employees, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
- Employees should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified (see Lopez Ribalda above).
The relevance of Bărbulescu to home working and the Article 29 Data Protection Working Party Opinion 2/2017
Arguably more helpful guidance on the issue is provided by Bărbulescu and the (now disbanded) Article 29 Data Protection Working Party.
Although Bărbulescu related to monitoring employees in the workplace, the Strasbourg Court’s guidance set out above is likely to apply to home working scenarios. This is because, I would suggest, that in litigation ‘workplace’ will be construed broadly to include an employee’s home if that is now their official place of work. In any event, the Bărbulescu principles reflect the comprehensive guidance provided by the Article 29 Data Protection Working Party in its Opinion 2/2017 on data processing at work, which although published before the GDPR came into force, takes it into account. The Opinion tells us the following:
- Because of the employer/employee relationship, and the unequal power that exists between the two, consent is rarely an appropriate lawful basis for monitoring employees (page 4), either in the workplace or at home (this reflects the opinion of the ICO as set out in its employment practices code).
- Employers can rely on other lawful bases to monitor employees, but they may be challenging to establish. Accordingly, “a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as the measures that have to be taken to ensure that infringements of the rights to private life and secrecy of communications are limited to a minimum.” (page 4).
- In its recommendations it states that: “The legitimate interest of employers can sometimes be invoked as a legal ground, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity” (page 23). This is because “Modern technologies enable employees to be tracked over time, across workplaces and their homes, through many different devices such as smartphones, desktops, tablets, vehicles and wearables. If there are no limits to the processing, and if it is not transparent, there is a high risk that the legitimate interest of employers in the improvement of efficiency and the protection of company assets turns into unjustifiable and intrusive monitoring.” (page 9 to 10)
In relation to home working specifically, the Working Party’s Opinion is clear on the issue (page 16). Although it recognises that to mitigate the risk attached to home working employers may think there is a justification for deploying software such as Hubstaff and Sneek, the processing involved in such technologies is disproportionate, and employers are unlikely to have a legal basis under legitimate interest for such processing.
However, what is important for employers and employees alike to realise is that this does not mean that monitoring employees in the workplace or at home will always be unlawful. Rather, in line with the Bărbulescu judgment and its guiding principles, the key for employers is addressing the risk posed by home and remote working in a proportionate, non-excessive manner, in whatever way the option is offered, and by whatever technology is proposed, particularly if the boundaries between business and private use are fluid, as is now increasingly the case in our Brave New Working World.
Ultimately, it is my belief that as the boundaries between work and home become increasingly blurred, we will see more litigation relating to employer/employee surveillance within the home. Consequently, more robust guidance, ideally from the ICO, for employers, employees and lawyers will be required, ideally sooner rather than later.
Dr Peter Coe, Lecturer in Law, School of Law, University of Reading; Research Associate, Information Law and Policy Centre, Institute of Advanced Legal Studies, University of London; Editor-in-chief of Communications Law.
This post will appear as the Editorial in the February issue of Communications Law and is published here with kind permission.