Tips and pitfalls for staff monitoring in the context of COVID-19: Big Brother (probably) wants to be watching more

Many employers are now, as a result of the COVID-19 pandemic and government guidance, being forced to implement remote working arrangements but those concerns remain and employers may be tempted to implement new or additional ways of checking on or monitoring staff in order to manage or assuage these concerns.  But do so carries certain risks, and we explore these further below.

For further details on the latest requirements for the UK (and other countries), including emergency legislation and business support, see our COVID-19 employment page here. For further information around the wider business protections and government support available, please see here.

Quick reminder – what do we mean by "monitoring"?

At its most basic level, staff or employee monitoring encompasses any activity involving the surveillance, supervision or observation of staff members.  In practice, it comes in many forms; whilst monitoring email content / traffic and internet use is now fairly standard, other forms such as keystroke monitoring and location tracking are becoming increasingly popular.  Monitoring may be carried out in various ways, including:

• spot checks (such as monitoring access to certain internet sites or the number of emails sent, for example) which are targeted on the activity being monitored rather than the individual doing it;
• specific checks or monitoring focused on the activity of particular individuals; or
• monitoring content, such as content of emails or other electronic communications, which may be carried out on a random basis, targeted at specific individuals or (as is increasingly common) applied using key words and phrases.

Why might you want to monitor staff working remotely, particularly at this time?

Common concerns about the efficiency of homeworking include the perceived loss of control and damage to team working and culture, costs, risk that employees won't "pull their weight" and potential data security breaches.  All of these are potentially, if not necessarily, heightened by the COVID-19 pandemic and monitoring may be the first-resort response of employers in these circumstances.

Monitoring is also often carried out in the context of safety, security and the protection of assets.  This could include guarding against damage to or compromise of the employer' systems (such as hacking or viruses), its premises or the health and safety of staff and customers.  Aside from the usual business risks, we are seeing a number of scammers and criminals are already looking to exploit the COVID-19 crisis, and a number of phishing scams have emerged.  Again, monitoring may form part of your response to these risks.

What rights do employers and employees have regarding monitoring?

As a starting point, whilst there is no statutory right to privacy in the workplace under UK employment law, employers are by no means free to monitor as they please.  The mutual duty of trust and confidence which is implied into every employment contract is a key consideration.  Inappropriate or non-compliant monitoring activities could constitute a breach of this duty and thus form the basis of a grievance or constructive dismissal claim.  Employers must consider also any human rights implications, and particularly the right to privacy under Article 8 (as applicable).

Workplace monitoring will usually involve processing personal data and is therefore governed by the General Data Protection Regulation 2016 (GDPR) and domestic legislation.  For the UK, that means the Data Protection Act 2018 (DPA 2018), as well as a host of other legislation including the Computer Misuse Act 1990, the Investigatory Powers Act 2016 (IPA 2016) and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (IPR 2018), which impose criminal and civil sanctions for breach.  

Do note that a number of national data protection authorities across the EU have indicated they will adapt their approach in light of the COVID-19 pandemic and have issued guidance – for further details please see here.

So what should employers do or not do when considering monitoring staff?

1. Identify the underlying concern and purpose of the monitoring – how will the monitoring you propose tackle this?

When considering whether or how to monitor staff, the starting point should be the underlying concern and purpose – as the employer, what are you trying to achieve / protect?  Is this more a question of ensuring efficiency, or are there specific security concerns in question?  Is this a one-off concern (such as the suspected leak of information by a specific individual) or is it a more general concern?  Would monitoring the flow of communications be enough or do you need to monitor their actual content? Doing their homework at the early stage and making sure that the monitoring chosen is proportionate to the risks employers are looking to mitigate should help employers comply with the legislative requirements.  On a more practical note, it should also force employers to think about their real concerns, and how they can best protect themselves.

Once an employer has identified the reason or purpose for any monitoring, the next step should be to consider how the chosen monitoring addresses the concern or reason identified, and whether there are any alternative ways of meeting its purpose other than monitoring.  This has a practical as well as legal purpose – if there is a less intrusive way to protect a business than monitoring employees, the courts and the Information Commissioner's Office (ICO) would expect the employer to take it and doing so should lower the risk to the business.

2. Take steps to ensure any underlying GDPR compliance is in place

Even during the COVID-19 pandemic, to carry out GDPR-compliant monitoring of staff, employers must identify a legal basis for carrying out and processing the monitoring information, and any exemptions for sensitive data such as health data (for further details regarding data privacy matters in the COVID-19 context, please see here).  

As consent is not a viable legal basis for processing personal data in the employment context (especially for sensitive activities like monitoring), in most cases employers will have to rely on the catch-all "legitimate interests" ground for processing (meaning a legitimate interests assessment (LIA) must be undertaken and objections to processing can be raised).  Further, staff monitoring is generally considered to be "high risk" processing meaning a data protection impact assessment (DPIA) must also be undertaken.  It is important for employers to carry out these steps and ensure they are appropriately documented – aside from demonstrating accountability with data protection and other compliance requirements, the documentation will form the basis of the employer's defence in the event of a claim, complaint or ICO investigation.

3. Informing staff: implement appropriate policies and publicise

This step is critical.  Employers must inform staff clearly as to what monitoring will be carried out, the purposes for which it will be carried out and how that information will be used.  The information about how you intend to monitor staff must be included in what is known as a privacy notice. It is not sufficient to rely on the small print; in the notice an employer should draw the relevant acceptable use and monitoring policies to the attention of staff.  Appropriate training for staff carrying out and using monitoring data is also key.  

Failure to do so will hamper the steps you can take to monitor safely and/or leave you exposed to additional risk and claims.  Put simply, if you don’t tell staff what monitoring you are carrying out and what you will use it for, you risk push back and grievances from the employee (and any trade union involved) at the initial stage.  Depending on the circumstances, employees may also have grounds for an unfair dismissal or constructive dismissal claim, and might in some circumstances be able to establish a whistleblowing aspect to such a claim.  This, together with other risks, could also damage both your defence of any steps taken and your negotiating position should you wish to consider settlement.

4. Access and retention

If you decide to undertake employee monitoring, you must ensure that you limit access to monitoring data – only those who really need access should be able to access it.  This means thinking about how to control access, including any permission / sign off processes etc. to facilitate access where needed (for example, in the event of an employee grievance or disciplinary process).

Connected to this are the thorny problems of retention and security.  Under the GDPR data should only be kept to the extent it is relevant to the purpose for which it is processed and whilst it remains accurate; indefinite retention is not permissible.  The period of retention will, to a certain extent, depend on the nature of the information collected and its usefulness.  The employer must also implement appropriate technical and organisational measures to ensure the safety and integrity of the data at all times and, once no longer needed, data must be disposed of safely and securely.

5. Employee communications are key

As noted, employees remain deeply suspicious of the introduction of new forms of monitoring and the impact of employee monitoring has been a hot topic of late.  Employee communications around proposed monitoring will be vitally important; get those wrong and the employer will cause itself a world of pain.  This is particularly the case during periods of uncertainty, and experience with COVID-19-related matters so far indicates that employee communications are key to avoiding lasting damage to employee relations.

6. Private means private, personal means personal

Not everything on your systems is fair game.  Given that personal and working lives are more intertwined that ever (as a simple example, many employees will be using their personal devices rather than work devices when working remotely), employers need to be extremely careful.  

• Whilst employees should be warned as to the lack of privacy in relation to their activities on work systems, employers should not read documents that are marked "private" or "personal" unless they have very good reasons for doing so.  
• Employers should treat personal devices as out of bounds, unless such devices hold workplace systems and/or work-related communications and the employer has a clear policy (such as a BYOD policy) in place setting out what monitoring it can carry out.  
• The same applies where an employee uses a personal email account or uses their personal devices for work-related matters.  

There will always be sensitivities around such matters, and if Whatsapp or other encrypted systems are used, this will add to the complexities involved.  Getting this wrong can be problematic and consideration must always be given to the employee's right to privacy under the European Convention on Human Rights.  Additionally, accessing communications without grounds to do so could amount to criminal or other civil offences for the business and potentially its directors.

7. Location, location, location

Location tracking is seen by the ICO and UK courts as a particularly invasive form of employee monitoring, which raises the risk factor in implementing it.  Where this is being used to check that employees are in fact at home during the COVID-19 pandemic, it is likely to carry significant legal, as well as reputational, risk.  

There is rarely any legal obligation, public interest or contractual requirement basis for processing location tracking data, and employee consent will almost certainly not be valid, meaning employers have to work harder to justify such tracking.  Employers may feel they can track assets or equipment, such as laptops, tablets and phones – if that is the case, the tracking should be fully anonymous and in any event may still be prohibited in many EU countries.

Even if the employer can get over the legal basis and justification hurdles, if it wants to use such data for the management and discipline of wayward employees it must spell this out clearly for employees, otherwise it will breach key provisions of the GDPR and employment legislation and could set itself up for additional claims and risks.

8. Covert investigations and mission creep: don't go rogue 

There will inevitably be scenarios where an employer is tempted to use the monitoring facilities available to it for wider purposes, particular in the COVID-19 context, but the risks of doing so are significant and employers should beware of 'mission creep'.  Monitoring data should only be used for the purpose for which it is collected, and changing its purpose will raise further questions and compliance hurdles as to whether the monitoring was justified and whether employees affected were appropriately informed.  It is hard enough to justify employee monitoring; attempting to use that data for another purpose creates a new layer of risk.

Covert investigations are particularly risky and should only be undertaken in exceptional circumstances.  In short, they should be authorised by senior management, and limited to circumstances where there are legitimate grounds for suspecting criminal activity / malpractice and where notifying the individuals would prejudice its detection or prevention.  The ICO, the civil courts and employment tribunals tend to take a dim view of covert investigations or monitoring unless there are clear and sufficiently serious reasons for doing so, so employers are advised to consider this very carefully.

What if you get it wrong?

Staff monitoring is a contentious issue, and any complaints or unusual activities carry risks to an employer's reputation.  Such sensitivity is likely to be heightened in a period of crisis like the COVID-19 pandemic, as we have already seen.

Where employees believe there has been a breach, or data has been improperly processed, they can complain to their national data protection authority (for the UK, this would be the ICO).  Like many national authorities, the ICO has the power to investigate and to impose significant sanctions, including banning processing activities, suspending data transfers and imposing fines of up to 4% of global annual turnover or €20million (whichever is greater), all of which may have wider implications for the employer's business.

The more immediate data protection concern is that under the GDPR individuals have the right to request all of the personal data an organisation holds about them (subject to narrowly construed exemptions, such as correspondence which is legally privileged).  This would include any monitoring information, and personal information or opinions about that employee contained within emails and instant messages.

On the employment side, aside from the employee relations and reputational issues it can cause, employees can raise grievances or complaints where they believe monitoring has been carried out unlawfully or the data produced has been used improperly.  In practice, this adds to the complication of dealing with sensitive matters (e.g. allegations of sexual harassment) and can give rise to further risks.  As an example, if an employee makes allegations relating to unlawful monitoring in the context of a grievance, this may give them grounds to bring whistleblowing claims.

In the context of a dismissal, where an employee can point to flaws in the employer's processes (including improper monitoring), this can affect the fairness of the decision to dismiss.  UK employees with two or more years' service have unfair dismissal rights, meaning that in order to dismiss lawfully the employer needs to show both that it had a fair reason to dismiss and that it followed a fair process.  There may be other risks as well; where an employee can establish that employee monitoring has caused or exacerbated ill health (stress would be the obvious risk here), this could open up personal injury and/or disability aspects to any claim.

As an overall comment, it is now more important than ever for employers to ensure any staff monitoring is carried out in an appropriate and compliant way, as the implications for not doing so can be significant for the employer and its wider operations.