Data Protection Working Party adopts Opinion 2/2017 on data processing at work
How do new technologies affect the balance between employers and employees in the debate over legitimate data monitoring interests vs the privacy expectations of individuals?
The Article 29 Data Protection Working Party (WP29) is a group of representatives from each EU Member State, charged with providing the European Commission with independent advice on data protection matters. The WP29's latest Opinion builds on its previous publications (Opinion 8/2001 on the processing of personal data in the employment context, and the 2002 Working Document on the surveillance of electronic communications in the workplace) by adapting its guidance to the context of modern technologies which have altered the methods by which employers can process employees’ personal data at work.
The aim of the Opinion is to assess the balance between the interests of employers and the privacy expectations of employees by outlining the risks posed by new technologies, and undertaking an assessment of proportionality. To this end, the Opinion states that in all cases employers should consider whether:
- the processing activity is necessary, and if so, the legal grounds that apply
- the proposed processing of personal data is fair to the employees
- the processing activity is proportionate to the concerns raised
- the processing activity is transparent.
The WP29 utilise a number of example scenarios in which new technologies, or the development of existing technologies, may cause high risks to the privacy of employees.
One such scenario is the processing of data through the monitoring of employee social media accounts. Whilst we now live in a society in which the vast majority of individuals have publicly-available social media profiles, employers should not mistake availability of access for permission to process. The screening of an employee's information regarding friends, opinions, beliefs, and so on “should not take place on a generalised basis”. Similarly, during the recruitment process, employers may only collect data from social media if it is relevant to the performance of the job being applied for. The applicant must be informed, and the information deleted once the process is finalised.
A new tendency for employers to provide employees with wearable devices (tracking health and activity) has also been scrutinised. The Opinion serves as a reminder that the processing of health data is prohibited under the Data Protection Directive.
The Opinion also considers the scenario of monitoring of employee ICT usage at home. The advent of remote working has created an increased risk of unauthorised access or hacking of devices. Employers are warned against deploying software packages that monitor keystrokes, capture screens or enable webcams – whilst designed to provide security, the data processing involved is very unlikely to have a legal ground.
Why is this important?
The crucial concept at the heart of the WP29's Opinion is that due to the power imbalance between employer and employee (given the employee's financial dependence on the employer) it would be rare to see an employee giving legally valid and explicit consent to the processing of data by their employer. Similarly, an employee may not feel comfortable in revoking or refusing consent. Overcoming this issue would require a truly exceptional circumstance in which there would be no consequences connected to the acceptance or rejection of the processing by the employee.
Any practical tips?
From an employer's perspective, the key message is this: just because you can process data, doesn't mean you should! Consideration must always be given to the principles of proportionality, transparency, fairness and subsidiarity. Does the need for data processing outweigh the privacy rights of employees? Realistically it seems that the answer will, except in exceptional circumstances, be “no”.