The Article 29 Working Party (“WP29”) recently issued an opinion that discusses the processing of employee personal information (Opinion 02/2017). WP29 focuses on the use of new technologies by employers and assesses requirements in light of the upcoming General Data Protection Regulation (“GDPR”).
Consent and legal bases to process personal information
The WP29 has historically asserted that employees’ consent should not be a legal basis for processing employees’ personal information. The power imbalance between employer and employee leads to an uneven situation where consent is not freely given. Even if consent were to be considered valid, it must be specific and proactive, and the employee can withdraw it at any point.
Consent should therefore not be treated as a legal basis for processing in most cases. Instead, the majority of the processing should be based in the context of performance of a contract (e.g. salary payments), legal obligations (e.g. fraud prevention) or legitimate interest.
The Opinion extensively discusses monitoring of employees’ behavior. Several technologies allow employee monitoring, such as GPS-tracking of smartphones, monitoring IT usage, Data Loss Prevention (DLP) tools, eDiscovery, Bring-Your-Own Device (BYOD) and the use of CCTV.
The WP29 reminds employers to adopt a monitoring policy explaining monitoring details such as time and location. Employers should provide notices stipulating the purposes of monitoring and possibilities for employees to prevent their data captured by monitoring technologies. The WP29 also recommends involving a representative sample of employees in the creation and evaluation of such policies and notices.
Main types of employee monitoring
IT usage monitoring
IT usage monitoring can generate large data amounts. Data analysis and cross matching techniques create the risk of incompatible further processing. The WP29 warns that the risk is not limited to the analysis of the contents of employee communications, but even to wider communications.
To mitigate risk, prevention through technical means should be prioritized over detection. For instance, if prohibited use of communication services can be prevented by blocking certain websites, then blocking should be the preferred option.
In cases of internet traffic monitoring, the WP29 believes that employers should provide an alternative for unmonitored access for employees, such as a free Wi-Fi network or specific devices where employees can access the internet for personal use
Data Loss Prevention (DLP)
The use of Data Loss Prevention tools, which monitor outgoing communication to prevent data or confidentiality breaches, are permitted. However, unnecessary processing of personal information must be avoided through a number of ways (e.g. by delivering a warning message before the e-mail is sent to give the sender the option to cancel it). Further, the employer should implement and communicate a specific acceptable use policy for DLP.
When an employer requires employees to use cloud services in the context of their work, they must also designate private cloud folders (e.g. a cloud folder named “Private”) to which the employer may not gain access unless under exceptional circumstances.
Bring Your Own Device (BYOD) policies
Employers must avoid monitoring private information in BYOD devices. At the same time they need to protect their business and personal information. This can only be done if there are adequate means to distinguish between privacy and business uses of the BYOD device. As a result, they must have methods in place to ensure that the employee’s own data on the device is securely transferred.
As for wearable devices, the Opinion reiterates that the employer cannot use the employees’ consent as a basis for processing this information due to their sensitive nature (e.g. health data). It would be generally prohibited for employers to receive any sensitive personal information in the context of wearable devices (e.g. employees’ sleeping and exercise patterns).
The deployment of vehicle telematics to collect geo-location data is permitted for a number of purposes (e.g. efficiency of service delivery, safety of employees). However, the employer should first assess whether the processing for these purposes is necessary and whether the implementation satisfies the principles of proportionality and subsidiarity. In any event, the employee should be aware of such monitoring and should have the option to temporarily deactivate this option, for instance when he/she drives to attend to a personal matter.
Recruitment and in-employment screening
The employer is not by default allowed to process publicly available information from the social media profile of a job applicant. To process such information the employer should evaluate:
- Whether there is a legal ground that justifies processing (e.g. legitimate interest)
- Whether this is a private or a business social media account
- Whether the processing is necessary and relevant to the performance of a task (e.g. to assess the qualifications of a candidate).
In any event, such personal information should be deleted if the candidacy does not move forward, and the individual must be informed of the processing before the start of the recruitment process.
While in employment, screening of employees’ social media profiles should not occur on a generalized basis and employers should not require employees to use a corporate social media profile.
Data Protection Impact Assessment- a Useful Ally
WP29 suggests that the employer should consider running a Data Protection Impact Assessment and take measures to minimize impact on employees’ privacy and secrecy of communications.
WP29 refers to a DPIA as good practice when employers wish to roll out monitoring technology, automated decision making, and profiling that involves employees. The Opinion also mentions that employers should conduct a DPIA to introduce Mobile Device Management (MDM) that allows them to locate devices remotely.