A great deal of comment about the newly enforceable provisions of the EU’s GDPR regime has focused on data that your organisation stores and processes about customers and external stakeholders.
But employees also have enforceable rights when it comes to information you might hold about them, and how you use that information.
This will be especially relevant to senior managers and human resources executives. From time to time, it is necessary to carry out internal investigations into employees, and to balance the employees’ rights on the one hand with the need to be alert to potential harm to your organisation.
Prior to GDPR, many employment contracts contained wide-ranging clauses permitting the employer to “monitor” (read or listen to) employees’ electronic data on company devices (email, voicemail and text messages on company phones). Signing the contract of employment was generally deemed to assign consent to such monitoring.
Now international law firm Osborne Clarke, with headquarters in London, has analysed the effect of such “consent” in the light of GDPR. It found that GDPR imposes strict requirements upon data controllers who wish to rely on “consent” as a legal basis for processing personal data.
Such consent must be “freely given, clearly distinguishable from other matters and in an intelligible and easily accessible form”. In other words, it is not enough to say that monitoring is covered by the employment contract; a clause in the contract does not, on its own, legally permit the processing of personal data.
The first thing to point out, say both Osborne Clarke and indeed the Citizens Advice Bureau, is that this does not mean you don’t have a legal right to carry out such monitoring in order to protect your organisation.
What it does mean, though, is that you need a separate monitoring policy that is made clear to all employees, either when they start or, in the case of existing employees, by way of an updated privacy statement. This must inform employees that you reserve the right to monitor communications and it must tell them how they can find out more about the policy if they wish.
In the case of specific individuals, you could seek their consent. However, they are unlikely to give it; you will have warned them that you are watching them, which could be counter-productive; and, in any case, the Information Commissioner’s Office would be unlikely to see this as “freely given” consent, given the imbalance of power in the relationship.
Instead, says Osborne Clarke, make the policy widely known (and separate, not a buried clause in a lengthy staff handbook or contract of employment) and you will be able to rely upon the concept of “legitimate interest” in cases where you rightly feel the need to monitor a specific employee’s electronic data.
As for employees, the old advice stands. Never put anything in a work email (or text message on a work mobile) that you wouldn’t be relaxed about managers reading.