"However reasonable these concerns may be, careful consideration must be given to employers’ legal obligations before implementing this technology."
The ongoing pandemic has entrenched remote working as a common practice in the financial services sector. A recent survey conducted by the British Council for Offices found that, once it is safe to do so, only 30% of UK employees plan to return to the office five days a week.
Understandably, many financial services firms are concerned as to how this will affect their oversight of their staff’s productivity levels, leading to an increasing number investing in employee monitoring technology. However reasonable these concerns may be, careful consideration must be given to employers’ legal obligations before implementing this technology.
The General Data Protection Regulation (GDPR) requires that employees’ personal data be handled in a lawful, fair, and transparent way. In practice, this means those financial services firms looking to introduce monitoring tools will need at the outset to identify a lawful basis on which to process the personal data collected through it and communicate this (along with details of the monitoring and its purpose) to staff in an updated privacy notice.
For most employers, the relevant lawful basis will likely be ‘legitimate interests’. The specific legitimate interests will need to be stated in an updated privacy notice circulated to staff and balanced against their individual rights and freedoms. This balancing exercise should be undertaken before implementing any monitoring technology using a data processing impact assessment. This is a process designed to assess whether the proposed monitoring is necessary and proportionate, taking into account employees’ reasonable privacy expectations and what they would likely consider excessive.
Although some industry players in other jurisdictions (notably the US) have embraced certain intrusive forms of monitoring, such as software that records keystrokes and mouse movements, these are likely to fall foul of the GDPR, especially if they are used for automated decision-making or profiling (for example, basing pay rises on those who are recorded to have logged in at certain times). Continuous audio and video monitoring of employees’ homes should never be conducted.
Those firms who do implement monitoring tools will need to ensure that only a limited number of staff trained in data protection compliance should handle the personal data collected through them. The data should not be used for any other purpose unless it uncovers criminal activity or something else that an employer could not be reasonably expected to ignore.
Another reason to limit employee monitoring to that which is proportionate and necessary is that excessive staff surveillance could also breach the duty of trust and confidence implied in every employment relationship, or potentially even the right to respect for privacy and family life. There are, however, some grounds where a greater level of monitoring may be lawful (for instance, where firms suspect that an employee is preparing to compete with the business or disclose confidential information).
The consequences for getting staff monitoring wrong can be severe. An employee could resign and claim constructive dismissal, releasing them of all employment obligations and entitling them to compensation. In addition, contraventions of the GDPR could result in the Information Commissioner (the UK’s privacy regulator) imposing fines of up to 4% of worldwide turnover or €20 million, whichever is greater.