knowledge 25 February 2021 |

COVID-19: Employee Monitoring and Remote Working

As discussed in our briefing (here), the Strategy sets out a range of actions and commitments from Government over the course of 2021, including legislating for the right to request remote working, and introducing a code of practice on the right to disconnect. Remote working, therefore, is no longer a short-term measure that employers must manage only until the end of the Covid-19 pandemic. Employers must implement sustainable procedures to manage remote working in the long term.

To satisfy concerns surrounding employee productivity and data security, many employers have been taking steps to monitor their employees who are working remotely. In this briefing, we discuss how employers can strike the right balance in this area.

The Legal Challenge – A Balancing Act

There is no specific piece of legislation in Ireland governing the monitoring of employees or other workers. The general legal principles are set down in:  

• Article 8(1) of the European Convention on Human Rights, which provides a right to respect for private and family life and correspondence. However, this right is not absolute and can be interfered with where it is proportionate for the employer to do so; and

• The Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”).

To comply fully with their obligations under the GDPR, employers must process the personal data of their employees:

• in a lawful, fair and transparent manner;

•  for a specified, explicit and legitimate purpose; and

• data collected should be limited to what is necessary in relation to the purposes for which they are processed.

Employers must also have a legal basis for processing personal data under the GDPR and must manage a delicate balance between pursuing their own legitimate interest (in running their business) against an employee’s right to privacy and data protection rights. Employers must be able to demonstrate that the monitoring in question is a necessary and proportionate action to achieve a legitimate aim and that there is no less intrusive alternative way of achieving that purpose.

Practical Considerations for Employers

• Review your policies - When considering implementing employee monitoring software or processes, employers should review their IT and remote working policies, and other relevant employment policies, along with data protection notices, to ensure monitoring is expressly provided for. If it is not, then these policies should be updated and brought to the attention of employees prior to the monitoring taking place. Where an organisation does not already have a remote working policy in place, this should be drafted and implemented without delay.

• Complete a Data Protection Impact Assessment - An employer can mitigate some of the risks posed by employee monitoring by carrying out a robust Data Protection Impact Assessment (“DPIA”). A DPIA is an assessment that enables an employer to consider all of the data protection risks and obligations that arise from a certain activity and to examine whether such risks can be mitigated. A DPIA can help employers demonstrate accountability and compliance with the GDPR.

• Inform your employees - Employers should ensure employees are aware of the proposed monitoring, and have read and understand all relevant policies. This is fundamental to demonstrating compliance with the principle of fair and transparent processing – in other words, no surprises!

Impact on the Employer-Employee Relationship

The relationship of trust and confidence between an employee and employer must be borne in mind when considering implementing new technologies. If employees feel monitoring is intrusive or excessive, this relationship may be in jeopardy, which can result in significant issues for an organisation, both internally and externally, on a reputational basis. Employers should carefully consider whether the implementation of monitoring software might negatively affect a ‘company culture’, which may have been cultivated over a number of years. As such, it is important for employers to follow the principles outlined above and meaningfully consider whether there is a less intrusive method of achieving the desired outcome.

Guidelines to date

The European Data Protection Board intends to publish guidelines for teleworking tools and practices in the context of the Covid-19 pandemic. This has been delayed, however, in favour of finalising Covid-19 related guidance in the context of using personal data for research purposes. In the meantime, existing legal principles and guidance from the UK Information Commissioner’s Office and Irish Data Protection Commission on data protection and Covid-19 still applies and is relevant to the assessment of new technologies intended to monitor employees working remotely.

How can we help?

The Employment, Pensions & Incentives and the Technology and Innovation Groups are available to answer any queries you may have in relation to the supports available to employers in the current climate and can provide guidance on the legal consequences of measures being considered by your organisation to respond to the challenges posed by Covid-19, and assist with drafting relevant policies and employee communications. For further information on data protection issues arising from Covid-19 in an employment context, see our previous briefing here.

Also contributed by Róisín Finn