Between risk and opportunity: employee surveillance policies

‘Surveillance typically fans fears of a dystopian future, but this desire to improve understanding of how employees feel about work and increase their wellbeing signals a largely positive and welcome intention.’

The way employers approach the surveillance of staff is changing. Employees have long been monitored to prevent theft and detect crime or phone calls have been recorded to check customer satisfaction. However, increasingly, employers have come to view surveillance as a way to enhance the efficiency and wellbeing of their staff and, in turn, the profitability of their businesses. The Royal Society of Arts suggested in its Future of Work report that in 2035, the growth in the Internet of Things and the widespread availability of technology designed to track activity means that workplace monitoring will be pervasive. It seems that some employers have already embraced this strategy, so this vision is already becoming the reality in many workplaces across the UK.

A better understanding of how employees are spending their time at work is valuable, but there are also significant risks to employers when monitoring workers. The reaction to Barclays’ recent installation of software which tracks the time employees spend at their desks illustrates the dangers of increased monitoring of staff. The software, which its developers claim creates ‘unprecedented transparency’ within companies, was used to send warnings to those spending too long on breaks. The system was scrapped in response to feedback from employees, but also provoked criticism from privacy campaigners and HR professionals who considered this software to be invasive and an irresponsible use of personal data.

Use of technology in this way signals a marked departure from traditional reliance on CCTV footage as the prevalent method of monitoring employees. The variety of means of obtaining information is much greater and so is the resulting volume of data. Employers can now review the websites staff are visiting minute-by-minute; they can use wearable technology to understand their workers’ precise location and body movements to determine productivity and workflow; and, in the near future, we may see microchips implanted into staff which can monitor blood oxygenation, temperature profile, heart rate and breathing patterns.

As well as gaining a more accurate understanding of physical location and condition, businesses are investing heavily in monitoring the emotional wellbeing of staff. Employers are using software which allows them to review instant messages and emails sent between colleagues for words associated with depression and fatigue, as well as circulating daily surveys and using apps to track employee mood and frame of mind. Companies have considered the use of laptop cameras that regularly scan the faces of their workers to detect changes in moods.

Surveillance typically fans fears of a dystopian future, but this desire to improve understanding of how employees feel about work and increase their wellbeing signals a largely positive and welcome intention from employers.The Taylor Wessing Work in Progress report found that to continue to attract and retain talent, employers must prioritise delivering a compelling employee experience. Technology which helps monitor and enhance workers’ wellbeing will play an important part in this strategy. This expanded use of technology, and the shift in rationale underpinning it, has led to an increase in the personal data used and held by employers. It is important, therefore, for companies to ensure they have the correct policies in place to safeguard themselves and their employees. This article considers the legal framework underpinning worker surveillance as well as suggesting how internal policies may need to change to keep up with rapidly evolving technology. It also considers whether some employers would be best advised to resist the move towards increased surveillance altogether.

It is important for companies to ensure they have the correct policies in place to safeguard themselves and their employees.

Legal position

The General Data Protection Regulation 2016 (GDPR) and Data Protection Act 2018 (DPA) provide the legal framework which governs how employers are required to collect, store and transfer their employees’ personal data. The starting point is that they must use personal data fairly, lawfully and transparently. Employers must not process personal data unless there is a lawful ground for processing or, in the case of sensitive data such as genetic data, health-related data and data about a person’s sex life or sexual orientation, two lawful grounds must exist. It is likely that certain personal information processed when monitoring employees will be deemed to be sensitive data. This includes details of religious or philosophical beliefs and political opinions, which may be referred to in emails or instant messaging conversations with colleagues, as well as biometric and health data, which may be captured by wearable technology.

The UK Information Commissioner’s Office (ICO) has suggested that to comply with their obligations, employers should be clear about the purpose of their surveillance and make staff aware of the nature, extent and reasons for any monitoring before it takes place.

There has been recent EU case law on what level of transparency is required to meet this threshold and which will continue to have influence in the UK despite Brexit.

EU case law

In October 2019, the European Court of Human Rights (ECHR) considered the effect of workplace surveillance on an employee’s Article 8 right to a private life, specifically the extent to which an employer was required to notify staff that it was monitoring activity at work. The court was ultimately willing to accept that, in certain instances, employers are not required to make employees aware that their activity is being monitored. This decision has been interpreted by some privacy campaigners as undermining the ‘employee-friendly’ Grand Chamber judgment in Bărbulescu v Romania [2017].

Bărbulescu v Romania [2017]

Mr Bărbulescu worked as a sales engineer and, as part of his role, his employer required him to create a Yahoo Messenger account to respond to customers. He signed a version of the employer’s policy, which prohibited use of workplace computers for personal use. Mr Bărbulescu later signed a notice which told employees not to use the internet at work for non-work purposes. This notice also referred to the employer’s right to ‘supervise and monitor employees’ work’. The company terminated Mr Bărbulescu’s employment for using the Yahoo Messenger account for personal reasons, and it presented him with a transcript of his communications when he attempted to deny this. His termination, he argued, had been based on a breach of his right to respect for private life and correspondence.

The ECHR held that the employer had infringed Mr Bărbulescu’s right to a private life because it failed to explain the ‘extent and nature’ of the monitoring. This meant that the attempts to use personal data gathered from this monitoring to dismiss Mr Bărbulescu were unlawful.

The court outlined a number of steps which employers must follow for workplace surveillance measures to be lawful:

• The employer must give prior notification of the possibility and the implementation of such measures as well as disclosing information about their nature;
• It must limit the extent and duration of the monitoring as well as the number of people with access to the data;
• It must identify a legitimate reason for the monitoring;
• It must consider the availability and usefulness of less intrusive methods;
• It must weigh up the consequences of the monitoring; and
• There must be appropriate safeguards for employees (which in the UK means informing them that they can complain to the ICO)

In Lopez Ribalda, because of the nature of the surveillance, the employer was entitled not to warn the employees that it was monitoring their behaviour.

Lopez Ribalda v Spain [2019]

The ECHR in Lopez Ribalda again highlighted the importance of these factors in determining whether surveillance will be lawful, particularly as more intrusive technologies are developed. However, it confirmed that in certain instances employers are entitled to monitor employees with little or no warning.

The court held that Spanish supermarket employees who were covertly filmed by security cameras in their workplace following suspicions of theft had suffered no violation of their Article 8 right. Because of the nature of the surveillance, the employer was entitled not to warn the employees that it was monitoring their behaviour.

Although this decision has disappointed privacy campaigners, its application to the types of surveillance that employers are increasingly using is limited. The reasoning in Lopez Ribalda seems confined largely to cases where there is a suspected theft or where the purpose of the surveillance is to prevent crime. For newer uses of surveillance technology, which seem increasingly targeted at increasing productivity and wellbeing, it will be much harder to argue that transparency was not required.

Key considerations when updating policies

• Ensure policies are as transparent as possible and written in plain English.
• Do not seek simply to rely on a broad statement that the company may monitor employees’ use of electronic systems, or otherwise carry out surveillance, at its discretion. This will be insufficient to comply with the GDPR.
• Notify employees in advance of what monitoring or surveillance may occur, the scope of the monitoring or surveillance and what the legitimate reason to justify the monitoring or surveillance is, with reference to the GDPR.
• Make very clear exactly what kind of personal data may be processed, what will happen to it and what safeguards are in place to protect the data gathered.
• Put guidelines in place for staff on using electronic systems. Without these, any disciplinary process may be flawed as the employee can say they were not told what they should and should not be doing.
• Make clear what the potential outcome of employee monitoring or surveillance might be – for example, disciplinary action or perhaps pay rises and bonuses if surveillance is used to monitor strong performance.
• Make clear how staff can raise objections to monitoring or surveillance.

What gets measured gets done – or avoided?

Employers should consider the above points, but it is important to think too about the potentially counterproductive effects of such technology.

The aim is often to improve employee efficiency and wellbeing, but the feeling of being watched by your employer may have the opposite effect. Indeed, the Trade Union Congress has reported that use of surveillance data creates ‘fear and distrust’ in employees and is likely to undermine morale. Rather than incur time and costs in upgrading their surveillance technology and policies, for some employers it will be more effective to invest in other initiatives which look to achieve the same goals. Hilton Hotels, for example, reportedly considered using tools to analyse employees’ social-media use to pick up on signals outside work that they may be unwell. Instead, though, it decided to provide additional training to its general managers to assist them in looking for signs that their workers need help.

There is a danger that increased surveillance by employers will not produce a more efficient workforce but rather one which spends its time finding ways to subvert monitoring. Such technology may diminish trust and autonomy, and may drive some employees towards the exit. A targeted use of technology to monitor employees, underpinned by well-informed policies, will be effective for some businesses. For others, however, the best approach may be to reject this strategy outright or use very limited forms of employee monitoring.

About the authors: Joe Aiston is a senior associate, Joe Pengelly is a trainee solicitor and Sean Nesbitt is a partner and head of the employment, pensions and mobility group at Taylor Wessing. This article was published under the name “Create or update and employee surveillance policy” in the April 2020 Edition of the “ Employment Law Journal”.