The Internet of Things v Privacy: what it means for the workplace

Published on: 16/02/2016


Summary

  • The rapid development of the internet of things and monitoring technology in the workplace has brought into focus the tension between employees’ right to privacy and employers’ business interests
  • Employee monitoring is primarily regulated by the Data Protection Act, which places the obligation on employers to undertake their own balancing exercise in determining if the interference with employees’ rights to privacy is proportionate
  • Additional specific regulations apply to the monitoring of telecommunications, such as email and telephone calls
  • The legislative framework regulating employee monitoring is almost 20 years old and was formulated at the dawn of the internet era. Technological advances are fast outpacing the law placing unsatisfactory burdens on employers to make risky judgement calls on whether to implement new technology unforeseen by current guidance

Introduction

A phrase which has increasingly entered the tech lexicon is the “internet of things”.  In simple terms, it means the interconnectivity of devices through the internet.

This concept is expanding into our everyday lives, such as the emergence of “smart cities” which utilise data such as traffic behaviour and resource usage to achieve more streamlined and efficient day to day management, which, at least in theory, improves citizens’ quality of life.

The workplace will undoubtedly be at the forefront in the continued development of the internet of things and management by “smart” tech and is becoming a 21st Century panopticon.  Employers can now continually scrutinise employee performance and conduct in ever more sophisticated ways, using continually flowing data and metrics to achieve further efficiencies. 

Systems and devices exist which can immediately alert employees (and their employer) if their rate of production or physical activity slows below target.  “Worksnaps” software can continually monitor employees’ computer screenshots and keyboard activity.  Devices can detect if employees are present at their desks.  Employees’ precise vehicle locations and driving standards can be constantly monitored in real time by tracking systems.  Conversations on smartphones are instantly recordable and accessible and there is the ubiquitous presence of CCTV cameras and other surveillance tools in monitoring conduct and performance.

Smart tech is becoming a crucial feature of the modern workplace and an increasing source of industrial conflict.  This article seeks to briefly summarise the essential employment law framework in which these monitoring technologies are fast developing.

Human Rights

The central tension in workplace monitoring is employees’ expectation of privacy versus the employer’s legitimate business interests in monitoring employee performance and conduct, and the growing range of smart technology at its disposal.     

Until its proposed repeal by the UK Government, the Human Rights Act 1998 (HRA) for now incorporates into UK law the European Convention on Human Rights.

Article 8 of the Convention states that “everyone has the right to respect for his private and family life, his home and his correspondence”.  This right is not absolute, and can be interfered with in accordance with law and as necessary in a democratic society.

Although the HRA is only directly enforceable as a claim against public authorities, the Convention permeates all law, as courts and tribunals must, where possible, interpret legislation in a way which is compatible with the Convention rights, including Article 8.

Legislation regulating employee monitoring will reflect this balancing act between the right of privacy on one hand and the legitimate business needs of the employer on the other.  Any interference with Article 8 rights must be proportionate, taking into account the degree of the employee’s expectation of privacy and the level of the employer’s need to interfere with that right. 

Where an employee has a strong expectation of privacy, such as private emails sent from a work address which is to some degree tolerated by the employer, any interference through monitoring should be clearly communicated in advance and limited to what is necessary.    

In contrast, where an expectation of privacy is low or non-existent, such as when undertaking cash-handling on a shop floor, an employer has broader freedom to monitor those activities, such as by using continuous CCTV surveillance.

As prominently reported in the media this month, the Human Rights Court in Barbulescu v Romania (12 January 2016) found that in principle, in interfering with privacy rights, such as monitoring private emails sent through a work address, it is not unreasonable for an employer to want to verify that employees are performing their professional tasks during working hours.  However, contrary to the headlines, this judgment is by no means carte blanche for employee monitoring, and UK employers still must follow the legislative framework set out below.

Data Protection Act 1998

This underlying human rights tension features in the practical application of the Data Protection Act 1998 (DPA), which is the primary legislation regulating employee data gathering and management.

Stored data concerning identifiable individual employees’ performance, behaviours, movements, telephone discussions, other communications and image, is likely to amount to “personal data” within the meaning of DPA. 

The employer, as data controller, must comply with the 8 data protection principles of the DPA when obtaining and processing personal data. 

The first two data protection principles require personal data:

  • to be processed lawfully and fairly; and
  • to be obtained only for one or more specific and lawful purpose(s), and not to be processed in any manner incompatible with those purposes.

The data subjects (i.e. the employees) must be fully informed of any monitoring system and its purposes, give consent to their data being processed for those purposes, and the use of data gained must not be incompatible with those purposes. 

Employee consent is not strictly required if the purpose of processing the personal data is the legitimate interests pursued by the employer, unless it amounts to an unwarranted interference with the data subject’s rights, freedoms and interests, such as Article 8 rights.    

Employers should therefore in most cases:

  • ensure their policies, staff handbooks and contracts of employment contain detailed provisions explaining the purpose and scope of data gathering and processing under any monitoring system;
  • ideally obtain employees’ informed consent to the processing of their personal data through monitoring systems;
  • provide periodic reminders to employees of the operation of the monitoring systems and the processing of their data for that purpose;
  • ensure the roll out of new monitoring technologies and devices is fully transparent and accompanied by an explanation to employees of how and why personal data will be processed.

The other data protection principles in general also require employers to ensure:

  • the amount of data gathered and retained is proportionate, accurate and secure; and
  • personal data is not shared with organisations in countries outside the European Economic Area, unless that country ensures it has adequate levels of data protection.

The Information Commissioner’s Office (ICO) enforces the provisions of the DPA, and can issue fines of up to £500,000 against data controllers who commit serious breaches of the data protection principles.


DPA – the Employment Practices Code

The DPA does not prevent employee monitoring in principle, but proportionality is always key.  The more intrusive the system of gathering data, the greater the burden of justification on the employer under the DPA.

The ICO has issued the Employment Practices Code which provides useful guidance to employers in complying with the data protection principles in practice.

Part 3 of the Code recommends that, before implementing monitoring systems, employers undertake an impact assessment demonstrating that they have properly considered the balance between allowing employees privacy in the workplace and ensuring the legitimate interests of the business are protected.

This balancing exercise will involve:

  • Identifying the purpose of the monitoring and likely benefits to the employer
  • Identifying the adverse impact of the monitoring on the employees and others
  • Considering alternatives to monitoring or different ways of achieving monitoring
  • Considering the obligations arising from monitoring
  • Judging whether monitoring is justified.

If a thorough impact assessment is properly undertaken and documented, the risk of not obtaining explicit employee consent to any monitoring is reduced, as the assessment is evidence that a monitoring system is a proportionate pursuit of an employer’s legitimate business interests, thereby complying with the first data principle of fairly processing data. 

However, if “sensitive” personal data (e.g. concerning health such as drug test results, sexual orientation, religion, race etc) is also to be processed, in most cases explicit and informed consent of employees must be obtained. 

DPA Example 1 - Covert Audio and Video Recording

The Code advises that this practice is not normally justified, unless an employee is suspected of criminal activity or equivalent malpractice and notifying the employee of the monitoring is likely to prejudice its prevention or detection.

The monitoring must also be limited to the purposes of an employer investigation and should normally avoid private areas such as toilets and changing rooms, unless a serious crime is suspected and the employer intends to report the matter to the police.

Although outside the scope of the Code, employers must also be conscious of ensuring the fairness of any “entrapment” of employees into committing acts of misconduct which are covertly recorded.  If the opportunity to commit an act of gross misconduct such as theft is given, such as by deliberately planting unattended property, then arguably the covert recording of any theft is proportionate if theft was a specific problem in the workplace and the general policy of occasional covert recording in certain areas was communicated to staff.

On the other hand, if the employer took significant steps to encourage and facilitate the act of misconduct, such as arranging colleagues to encourage a suspect employee to take unattended property in an area not normally recorded, then the fairness and proportionality of such monitoring is much more doubtful.   

DPA Example 2 - Open Video Recording and drones

The overt use of video surveillance, such as CCTV cameras in the workplace, is subject to specific additional guidance from the ICO.  Again, the ICO recommends an impact assessment to be undertaken to ensure the use of CCTV is proportionate to the employer’s business needs, and alternatives are considered. 

Generally, the Code suggests monitoring should be confined to areas where expectations of privacy are low and/or risks of malpractice are high, and the continuous monitoring of specific individuals, unless justified, should be avoided. 

Employees should also be informed that video surveillance is active, usually by displaying prominent signs in the place being monitored and via staff policies and handbooks.   More prominent signage is required in places where employees and members of the public are less likely to expect that they will be monitored by a camera surveillance system.

The ICO guidance has been recently updated to take into account new technologies, including body cameras and drones, which are beginning to be used for monitoring purposes in large spaces such as warehouses.  The ICO is concerned with the broad and indiscriminate area drones are able to record, and employees and members of the public would not necessarily know they were being monitored.  To be proportionate, there must therefore be strong justification for its use, and prominent signage is needed to inform persons of areas which may be captured by drone cameras. 


DPA Example 3 - Vehicle Tracking Systems

Under the Code, vehicle tracking systems are permitted under the DPA for vehicles used on employer business, but the Code recommends that private use of the vehicle, if this is allowed by the employer, should not be tracked unless freely consented to by the employee.  A recommended proportionate approach would be to allow employees to disable the tracking system when using the vehicle for legitimate private use.

Regulation of Investigatory Powers Act 2000

In addition to the DPA, further specific regulation applies to the interception of communications, which potentially is a particularly intrusive infringement of privacy. 

The Regulation of Investigatory Powers Act 2000 (RIPA) outlaws the interception of communications by the telecommunication systems controller. 

If an employer intercepts calls and emails in the course of their transmission without lawful authority, an offence will be committed, and the sender and recipient have a cause of action against the employer for damages.                           

Monitoring systems which enable employers to listen in and store phone conversations, listen to unopened voice messages and open unopened private emails intended for an individual are likely to amount to interceptions within the meaning of RIPA. 

However, employers’ access to stored and opened emails and unopened emails intended to be sent to the business will not amount to an interception.

No offence will take place if the employer has reasonable grounds to believe both the sender and recipient of the communication have consented to its interception. 

Whilst this is a potential option available to employers for internal calls and emails if adequate policies and handbooks confirm that such communications are intercepted, it may be more difficult for an employer to reasonably believe an external party has consented to the interception of private communications they send to or receive from an employee within the business. 

An opening message at the start of making or receiving an external call confirming that the call may be recorded may go some way in establishing this defence under RIPA if the external caller still continues with the call. 

Telecommunications Regulations 2000

It is possible under RIPA to lawfully intercept communications without consent if the interception falls within the Telecommunications Regulations 2000.  A communication can be monitored or recorded by a business without consent in order to establish facts relevant to that business, so as to:

  • Ascertain compliance with any regulatory requirements applicable to the business
  • Ascertain or demonstrate standards relevant to the business
  • Prevent or detect crime
  • Investigate or detect the unauthorised use of the business’ telecommunications systems
  • Ensure the effective operation of the business’ telecommunication systems

The business must still take reasonable steps to inform users of its telecoms systems (i.e. employees, workers, consultants, agency staff) that interceptions of communications may take place.  Again, this is most likely to be in the form of communications policies issued to staff and available on the employer’s intranet.

It is important however to be aware that even if the interceptions are lawful under RIPA and the Telecommunications Regulations, any system of interception and monitoring must still also comply with the proportionality regime under the DPA.

The Contract of Employment

At the heart of all contracts of employment is an implied duty of mutual trust and confidence. 

Actions by the employer which undermine this relationship can amount to a breach of contract and entitle an employee to resign and claim damages and/or constructive unfair dismissal, thereby providing employees with a remedy in the courts or employment tribunal in addition to any complaint they may make to the ICO.

Deliberate or serious infringements of the DPA and RIPA regimes, or the imposition of intrusive systems without adequate consultation may well erode or destroy this relationship, particularly if done in an oppressive or heavy handed manner.  Compliance with the DPA is therefore not simply an administrative requirement to avoid action by the ICO – it will also minimise risks of litigation in the employment tribunal and improve industrial relations.

Conclusion

The rapid development of the internet of things in the workplace is in stark contrast to the current regulatory framework in this area, which at nearly 20 years old was formulated at the dawn of the online age and could not have envisaged how our lives are now dominated by the internet.

A considerable burden is imposed on the employer, which must undertake its own assessment of the impact of new systems and their proportionality under the DPA, and must make complex judgement calls in balancing privacy against the need for monitoring.

This can only mean that, as new technologies not foreseen by the ICO emerge, employers are in the unsatisfactory position of having to take calculated risks in balancing their interests against the privacy rights of their employees, while the ICO plays catch up with ad hoc additional guidance in response to new technologies.

Via Clarkslegal 

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.