EUROPE: Practical impacts of GDPR on the employment relationship

In this article we focus on some of the practical impacts of the GDPR on the employment relationship and on what businesses can do to manage these and prepare for the regulation taking effect on 25 May 2018.

Data subject access requests

Under the GDPR, employees will have the right to much more detailed, transparent and accessible information about the processing of their data, and data subject access requests (DSARs) will be easier for employees to make. In most cases employers will not be able to charge for complying with a request, and will normally have just one month to comply, rather than the current 40 days. The removal of the £10 subject access fee is a significant change from the existing rules under the Data Protection Act (DPA).

Where requests are complex, or an individual makes a number of them, a two month extension is possible, giving a total of three months to comply. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, employers can either charge a reasonable fee (not capped) that takes into account the administrative costs of providing the information, or refuse to respond.

Guidance will, in due course, hopefully give an indication of what sorts of requests could be viewed as complex, unfounded or excessive. However, the ICO is very unlikely to consider a request from an employee to be complex, unfounded or excessive, even if the employee asks for all of their data, unless they have made a previous request recently. The ICO will expect employers to keep information in a manner that allows them to locate and supply it within the initial month.

Where an employer intends to extend the response period or refuses to respond to a request, it must write promptly to the individual, and in any event within the month, explaining why the request is refused or delayed. The employer must also inform the individual of their right to complain to the supervisory authority and to seek a judicial remedy.

The DPA contains various exemptions from the duty to disclose, such as in relation to legal privilege, but at present the GDPR itself contains no such exemption which an employer can rely on to avoid providing the employee's personal data. It may be that, in the UK at least, the doctrine of privilege will 'trump' data protection rights, but that remains to be tested.

Employers need to update procedures and plan how to handle requests within the new timescales. The GDPR (in its recitals) introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system giving the individual direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where it may work well. In any event the ICO will expect employers to keep employee personal data in a manner that allows requests for access to be responded to promptly.

What this means in practice is that employers will need sophisticated policies and IT systems to manage DSARs within the required timeframes. In order to prepare for compliance, employers should take steps now to:

  • Update procedures and plan how to handle DSARs and provide any additional information within the new timescales;
  • Develop template response letters to ensure that all elements of a response to a DSAR under the GDPR are covered;
  • Assess the organisation's ability to isolate data pertaining to a specific individual quickly, and to provide that data in compliance with the GDPR's format obligations;
  • Ensure that employees are trained to recognise and respond quickly and appropriately to DSARs; and
  • Consider putting a 'data subject access portal' in place allowing an individual to access their information easily online.

Automated processing and profiling

Employees have a right under the GDPR not to be subject to a decision based solely on automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing of personal data used to evaluate certain personal aspects of an individual, in particular to analyse or predict matters such as their performance at work, health, personal preferences, reliability and behaviour).

The ICO recently published a discussion paper on profiling in which it set out its initial thoughts on where automated processing may significantly affect an employee. In its view this includes processing that:

  • Limits rights or denies an opportunity;
  • Affects individuals’ financial or economic status or circumstances;
  • Leaves individuals open to discrimination or unfair treatment;
  • Involves the analysis of the special categories of personal data or other intrusive data;
  • Causes individuals to change their behaviour in a significant way; or
  • Has unlikely, unanticipated or unwanted consequences for individuals.

It is not difficult to see how these might be the outcome of automated processing of HR data. Areas where employers might currently use automated decision-making, which they should therefore review, include:

  • Recruitment, including automated rejection or shortlisting;
  • Performance management/triggers for sickness absence;
  • Eligibility for attendance bonuses;
  • Holiday or shift rostering;
  • Employee monitoring; and
  • Profiling, particularly where this may impact on selection for talent programmes or career progression rather than purely for development purposes.

From a practical perspective, employers need to ensure that where they use automated decision-making they can explain how it works, and that there is another way to make an equivalent assessment of the individual (including human intervention) if he or she objects.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-practical-impacts-of-gdpr-on-the-employment-relationship/

Employers must still exercise significant caution when monitoring employee emails, despite European judgment.

A recent case before the European Court of Human Rights, Barbulescu v Romania, has set the cat amongst the pigeons on the perennial hot topic of employees' entitlement to privacy in the workplace.

Widespread media reports, in the UK in particular, would lead employers to believe that unfettered monitoring of employee emails and internet use is now acceptable, and that engaging in personal email or messaging during working hours is legitimate grounds for dismissal. This is simply not the case, and employers must beware. An employer who engages in this type of monitoring and imposes disciplinary sanctions as a consequence can, in fact, expect to find itself in hot water in many jurisdictions. Employers must, as a minimum, have comprehensive and bespoke IT and internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted, and how data is processed and used. The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

The claimant, Mr Barbulescu, was an engineer in charge of sales. At his employer's request he had set up a Yahoo Messenger account for the purpose of responding to clients' enquiries. The employer gave notice to its employees at the beginning of July 2007 that internet use would be monitored (although Mr Barbulescu disputed having received this notice). In the period 5-13 July 2007, the employer monitored Mr Barbulescu's Yahoo Messenger communications. This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company's rules, which prohibited personal internet use. The rules stated: "It is strictly forbidden to disturb order and discipline within the company's premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes".

Mr Barbulescu initially denied any personal use, but the employer produced a transcript of his communications. Mr Barbulescu argued that his employer had violated the Criminal Code and the Romanian Constitution by interfering with his correspondence, and brought a claim in the Bucharest County Court.

The court dismissed his claim, finding that the employer had complied with the relevant disciplinary procedure and that Mr Barbulescu had been informed of the employer's rules on personal internet use. Mr Barbulescu appealed, arguing that emails are protected by Article 8 of the Convention (respect for private life and correspondence). The Court of Appeal dismissed the appeal, ruling that the employer's conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu took his case to the European Court of Human Rights (ECHR). The ECHR noted that, on the face of it, telephone calls from business premises are covered by the notions of 'private life' and 'correspondence' for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also relied on established case law that, in the absence of notice about monitoring, employees have a reasonable expectation of privacy in their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu's right to respect for his private life and correspondence and his employer's interests. It found that such a balance had been struck, and that Mr Barbulescu's claim should therefore fail (although one judge dissented in strong terms). It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu's account on the basis that the information in question was assumed to relate to his professional activities, given the clear rule against personal use and Mr Barbulescu's statement that he had not made personal use of the account; it had not accessed any other documents or data on his computer, and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the specific messages; they had only considered activity on the account to the extent that it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes.

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. However, the outcome was heavily dependent on the facts; in particular, the ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to balance the employer's interests against the claimant's right to private life and protection of correspondence. This was so even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, while in a few jurisdictions it is considered good practice to prohibit all personal use (e.g. Germany and Spain), in the majority of workplaces enforcing a blanket ban on personal use of communications systems is unworkable. In some jurisdictions a total ban on personal use may be open to challenge as unlawful, particularly given the importance of the internet to freedom of expression and the right of assembly. In practice most employers will allow employees to use the company's internet and email/messaging systems for reasonable personal use; others will allow employees to use their own equipment for work-related matters; and some will permit both. In that context, as the dissenting judge identified in his opinion, strict limits apply to an employer's surveillance of employees' communications.

The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may be displaced in most jurisdictions by a bespoke policy with specific rules on email, instant messaging, social networks, internet surfing etc., and a comprehensive policy on employee monitoring that explains what is monitored and how. In some jurisdictions, however, any policy allowing employees reasonable personal internet use will make it impossible for the employer to access or monitor emails without obtaining the employee's specific consent on each occasion;
  • Employees must be aware of the employer's policies, both in terms of the rules which apply during and outside working hours and in terms of any restrictions on the use of company equipment. Employees should preferably give their explicit consent to these policies. In some jurisdictions it may be necessary to obtain the local works council's consent before implementing such policies;
  • The enforcement of an employer's internet policies should be guided by the principles of necessity and proportionality. For example, monitoring for systems protection purposes should use automated filters only, rather than inspection of message content. Before carrying out any substantive monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employee's right to privacy. Continuous monitoring of internet use or emails will not be permissible;
  • Local employment laws and collective agreements will also affect the lawfulness of policies on email and internet use and monitoring. Any processing of personal data for the purposes of the employment relationship, including staff management and termination of employment, by way of an electronic device must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing, such as internet and email use, are likely to warrant detailed rules and procedures.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/employers-must-still-exercise-significant-caution-when-monitoring-employee-emails-despite-european-judgment/