The UK’s Information Commissioner’s Office (ICO) is investigating reports that Barclays Bank used potentially intrusive employee monitoring software.
The system had been used over the past 18 months to monitor anonymised employee performance data, but it appears that from February the software’s functions were changed so that the data was no longer anonymised. This meant that managers could see data on specific employees, including how long they took to complete tasks and how long they spent away from their desks.
The change in February caused controversy and led to claims by employees that the employee monitoring software breached the requirements of the Data Protection Act 2018 (DPA 2018) and key GDPR data protection principles. The ICO’s investigation is a reminder to all organisations that finding the right balance between the business benefits of employee monitoring software and the privacy rights of their employees is crucial.
Data Protection Principles
Whilst we do not yet know the full details, Barclays ought to have considered the key data protection principles, both when it first introduced the employee monitoring software and again when it changed its functionality in February. It is critical that organisations consider the data protection principles when carrying out any form of employee monitoring. These include:
- Principle 1: Lawfulness, fairness and transparency. An organisation must identify one of the six available lawful bases for processing: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- Principle 2: Purpose limitation. An organisation should document its purpose for processing clearly; an ambiguous purpose can itself lead to a breach.
- Principle 3: Data minimisation. The processing of data should be adequate, relevant and limited to the purpose of the processing.
In the current circumstances, Barclays may be able to demonstrate to the ICO that it had:
- considered all of the above principles when implementing the employee monitoring software system
- been clear about its purpose and that it brings real benefit
- made its employees aware of the nature, extent and reasons for the monitoring.
In this context the ICO will be particularly concerned to ensure that the principle of transparency was maintained.
Data Protection Impact Assessment (DPIA)
One issue which the ICO may look at is whether a DPIA was carried out before the monitoring was introduced. Article 35(1) of the GDPR provides that a DPIA must be carried out where a type of processing is likely to result in a high risk to individuals’ rights and freedoms. Areas identified as potentially high risk include the use of innovative technology, systematic monitoring of individuals, and the tracking of an individual’s geolocation or behaviour, including, but not limited to, in the online environment.
Employment Practices Code
The ICO’s Employment Practices Code sets out best practice for employers with regard to employee monitoring. It confirms that, if an employer wants to monitor employees, it should consider the data protection principles, along with the principles set out by the ICO and Article 8 of the European Convention on Human Rights, which creates rights in respect of private and family life.
Barclays will need to demonstrate to the ICO that its use of the employee monitoring software was both lawful and fair to its workers. The ICO may also consider whether the system was intrusive into employees’ private lives or interfered with the relationship of mutual trust and confidence between Barclays and its employees.
It is not clear whether Barclays conducted any of the monitoring covertly. The Code suggests that covert monitoring should only take place where there are grounds for suspecting criminal activity or equivalent malpractice and notifying individuals of the monitoring would prejudice its prevention or detection. Covert monitoring is justifiable only in rare circumstances.
Employee disciplinary or performance processes
An organisation which wishes to rely on employee monitoring software for disciplinary or performance-related purposes should also consider the demands of the Code. A central theme in employment law is that organisations are expected to conduct themselves in a fair and reasonable manner; this may be difficult to demonstrate when an employer wishes to rely on information which may not have been gathered lawfully.
The ICO has a range of enforcement actions available to it in response to a breach. These include:
- Issuing warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data
- Fines of 20 million euros (or the equivalent in sterling) or 4% of the organisation’s total worldwide annual turnover in the preceding financial year, whichever is greater.