The Italian Data Protection Authority has recently issued a judgment on a “hot” issue for many companies and employers: the limit of controls on internet use by employees at the workplace.
This pronouncement is welcome not just for its content (such guidelines could in any case be inferred from a thorough reading of the existing data protection and labour law) but also because it sets out a clear picture of the procedures and policies an employer must implement whenever it wishes to control the internet use of its employees. It is especially useful because the Italian Data Protection Authority has yet to issue a code of conduct on the use of employee data.
A receptionist at a medical centre brought a complaint against his employer before the Data Protection Authority, claiming unlawful processing of his personal data (in particular, sensitive data concerning his sexual interests and political and religious beliefs) after being dismissed for unauthorised use of his computer during his employment.
In fact, the employee was not allowed to use the internet at all, let alone to access “top shelf” websites. The internal policies simply specified that the information system would be subject to back-up and antivirus systems, but said nothing about possible monitoring of internet use.
According to the employee's petition, the processing of such sensitive data was (i) not based on a prior information notice to the employee (nor had the employer consulted the internal trade union representatives on it) and (ii) not consented to by the employee, so that the data collected during such inspections should have been erased.
The petition was upheld by the Italian Data Protection Authority and the medical centre was consequently ordered to pay a pecuniary penalty, since the monitoring activities (which are lawful from a labour law point of view, given that their purpose was to assess violations of internal policies and damage to the company with a view to imposing disciplinary sanctions) were not compliant with:
(i) the fair and lawful processing principles, because the employee had not been previously informed of the possibility of such action and had never consented to the use of his sensitive data; and, in particular,
(ii) the non-excessive processing principle in relation to the purposes for which data are collected and subsequently processed. Since the employee was not allowed any access to the internet, the violation of the prohibition could have been established simply by detecting that internet access had occurred, regardless of the sites visited (and therefore without keeping records of the specific websites visited).
The effects of the judgment issued by the Italian Data Protection Authority
As stated above, the regulation in force does not meet actual needs and raises interpretative issues that make this matter even less clear from a legal point of view.
The current aim seems therefore to determine a fair arrangement between the opposing interests of the parties: on the one hand, to assure the exercise of control by the employer, carried out in compliance with the limitations provided by the law; and on the other hand, to respect the guarantees recognised to the employees.
According to the proportionality criteria that can be inferred from the above judgment, an employer that intends to monitor or control internet use in the workplace should obtain the prior consent of the employee who is subject to such monitoring/control if the data collected is sensitive; in addition, the company should draw up both an appropriate internal policy (making it available to the employees) and an information notice in order to regulate monitoring/control procedures and to point out the purposes and the methods used to process data obtained through such controls.