Big Brother is watching you...remote working and employee monitoring


Office-based employees look set to face many more months of home-working following the Prime Minister's announcement on 22 September that staff who can work from home should do so.  The Government's COVID-Secure Workplace guidelines will be updated to reflect this - and this guidance is expected to remain in force for at least 6 months. 

Data protection and privacy 

Many employers will be keen to have greater oversight of what staff are doing at home.   Although statistics suggest that home-workers generally maintain productivity, as in any working environment, some staff will take advantage of the lack of physical supervision.  Technological options which track activity and output seem like the obvious answer.  But employers need to consider the legal and practical implications very carefully. 

The starting point for employers is to consider what they intend to monitor and what business needs will be fulfilled by that monitoring. They should assess carefully what the needs of the business actually are and balance these against employees' privacy rights, to determine whether the monitoring is justified. The more intrusive the monitoring, the stronger the justification required. Employers should choose the least intrusive means available which will achieve the objective of ensuring that performance is maintained. Further, data should only be collected if it is actually going to be used.

Employee monitoring is likely to be considered 'high risk' processing, in which case a data impact privacy assessment will be needed before the monitoring is undertaken. This assessment must document the risks associated with the processing and what steps the employer is taking to mitigate them (including restricted access, data security and other in-built checks and balances). Great care is therefore needed when determining how data will be used and who will be able to access it.

The GDPR prohibits purely automated decision-making where the outcome of the decision will have a legal (or similarly significant) effect on the individual.  This includes decisions related to an individual's employment.  Data gathered through remote monitoring should therefore not trigger automatic consequences for an employee (although it could be used as evidence in disciplinary proceedings in the usual way). 

If the monitoring involves the interception of communications (including emails), the employer will also need to ensure that it has complied with the requirements under the Investigatory Powers Act, including informing employees that this interception is taking place. 

Transparency is also crucial from a data protection standpoint.   Employers should comply with the ICO's Employment Practices Code and online guidance.   Key points include giving employees detailed information about what data will be collected, how it will be used and who will have access to it, and about the steps taken to mitigate any identified risks.  The employer's privacy notice should be updated to ensure that it covers the monitoring.

Discrimination and disciplinary action

Employers should also consider whether the monitoring could place employees with protected characteristics at a disadvantage.  For example, monitoring of keystrokes or login times could place certain disabled staff at a disadvantage.  Employers should take steps to mitigate this (or, if the discriminatory impact can't be eliminated, consider if it can be justified).  

If an employee is dismissed as a result of evidence obtained through remote monitoring, an Employment Tribunal will need to factor in the employee's rights under the European Convention on Human Rights when determining if the dismissal was fair.   This includes a right to respect for private and family life.  In order to ensure that a dismissal is not unfair because it violates this right, the employer must demonstrate what steps it has taken to protect the employee's privacy.  Arguably, monitoring an employee in their home may be more intrusive than monitoring them in an office, so employers should take a measured approach. 

Potential consequences

Failing to comply with GDPR requirements can result in fines of up to 4% of global turnover, while failure to comply with the interception of communications rules could mean that criminal offences are committed. It could also result in unfair dismissal and/or discrimination claims where action is taken against staff on the basis of information gleaned from such monitoring. It therefore pays to get these details right.
