Employment update - working from home and employee monitoring

Introduction

The Coronavirus pandemic has brought with it many changes to our personal and professional lives, not least amongst them to the way in which we work and the new emerging norm of 'working from home'. Indeed, there is every indication that this will remain with us in some shape or form (and dependent on industry sector) for good once the pandemic - and its accompanying social restrictions - have subsided.

This new way of working has, in turn, brought a new raft of issues for employers keen to ensure productivity and employees' work rate is not impacted, and has brought the controversial topic of 'employee monitoring' into the spotlight.

Employee monitoring refers to any form of surveillance of employees by their employer. It can range from checking email/internet usage throughout the working day, to sophisticated software which tracks keyboard use/mouse movement, takes screenshots or records calls. Among the more extreme measures is also making use of webcams to monitor whether employees are at their computers and working when they are supposed to be.

However, these practices invoke all kinds of privacy rights, and employers should be aware of the significant legal obligations which fall upon them in their use of any such monitoring methods. In particular, employers should act with caution when making use of employee monitoring software: it is the employer's responsibility to ensure that any such technology - which is often manufactured in the US where less stringent privacy and data protection rules apply - is compliant with UK law, and that the monitoring practice for which they are used do not breach any of their employees' various rights.

---

The Law

The primary legislation, which regulates and/or prohibits the ability of employers to monitor their employees in this country are:

1. The General Data Protection Regulation and the Data Protection Act 2018;
2. The Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018;
3. The European Convention on Human Rights and the Human Rights Act 1998; and
4. Employment Rights Act 1996 and the Equality Act 2010.

In short, the combined effect and force of these different sources of legislation means that there are a number of legal considerations employers must undertake before engaging in employee monitoring:

• First, there are the overriding data protection obligations which apply to any data gathered using electronic forms of surveillance, which involve the processing of personal data. Data protection obligations are perhaps the most stringent of all forms of legislation in this area and must be abided by at all times.
• Secondly, employers should make sure that, if their employee monitoring practices involve the interception of communications (i.e. emails) in the course of their transmission, this is done for one of only a handful of permitted purposes: either to ascertain regulatory compliance, to establish whether staff are achieving the required standards in the course of their duties, or to investigate or detect the unauthorised use of the telecommunications system.
• Thirdly, employers should consider the impact that Article 8 of the European Convention of Human Rights (the right to private and family life) has on employee monitoring practices, as well as the fact that courts and tribunals must, when issues relating to employee monitoring arise before them, consider whether Article 8 is engaged.
• And fourthly, employers must consider whether the steps they are taking to monitor employees may amount to a breach of the implied term of mutual trust and confidence between employer and employee, enabling an employee to resign and claim constructive unfair dismissal. Employees with protected characteristics may also argue that they have been unlawfully discriminated against if they believe they have been unfairly targeted by their employers' monitoring activity.

Updated guidance is expected from the ICO, in the form of a new version of the Employment Practices Code, which will translate the myriad of legislative obligations into practical terms and help employers to navigate the law in this complex area. It is expected the new Code will also address the various new forms of employee monitoring practices and software which have arisen in recent years. In the meantime, the old ICO Employment Practices Code (from 2011) provides some assistance to employers, but it is not up to date with the latest legislation, such as the General Data Protection Regulations and the Data Protection Act 2018.

---

When, and what types of, employee monitoring can legally be implemented?

The type of monitoring that can be legally introduced will vary according to industry. For instance, employers operating in highly regulated industries may be permitted more leeway in monitoring employees; and in the case of the financial services industry, for instance, the Financial Conduct Authority has made it clear that, while employees work remotely during the course of the global pandemic, it expects firms to carry out "rigorous oversight" on traders operating from home.

Permitted types and levels of monitoring also depend on the business and/or type of business in which it is introduced, and a balance must be struck at all times between protecting an employer's interests and protecting its employee's right to privacy. Employers should, as a first step, identify the interest it is trying to protect; consider if the chosen form of monitoring is a proportionate way of protecting that interest; and, consider whether there is a less intrusive form of monitoring available which could protect that interest.

---

Data protection Law

Data protection law imposes perhaps the most stringent legal obligations on employers in the arena of employer monitoring, and imposes the harshest penalties too: employers found by the ICO to be in breach of data protection law may face fines of up to 4% of the business' global annual turnover, or £17,500,000 (whichever is higher).

To comply with the GDPR, data must be processed lawfully, transparently and fairly; collected for specified, explicit and legitimate purposes; and, limited to what is necessary for these purposes.

Legitimate purposes for gathering data from employee monitoring might include: tracking productivity or performance; ensuring compliance with policies; making decisions on employee wellbeing; for use as evidence in disciplinary or capability procedures and for use as evidence in tribunal or court proceedings.

---

Practical Steps

Practically-speaking, and besides their data protection obligations, employers engaging in employee monitoring should also consider carrying out the following steps: carry out appropriate impact assessments; consulting their employees on the proposed practices, making it clear the extent and purpose of monitoring, how it will be carried out, and how data gathered will be used; introducing training for those staff carrying out the monitoring and/or using the data gathered; and, ensuring a secure way of storing data gathered, restricting access to it, and retaining for no longer than necessary.

The use of employee monitoring should, as a general rule, always be done having made the employee(s) aware of the practice. Information collated covertly may only be used in very limited circumstances and the ICO only permits it where there is suspected criminal activity or malpractice and where to inform the employee of the monitoring would prejudice the detection of that criminal activity or malpractice.

Updated guidance from the ICO is expected to clarify all of these issues in due course, but in the meantime, employers should seek legal advice before venturing into this highly regulated area, as well as giving due regard to how the introduction of monitoring could affect relationships with their employees.

---

For any queries regarding these topics and any other employment matters, please contact our Employment team.