{"id":57973,"date":"2017-08-23T09:00:06","date_gmt":"2017-08-23T08:00:06","guid":{"rendered":"https:\/\/blogs.dlapiper.com\/iptitaly\/?p=57973"},"modified":"2019-06-24T11:42:53","modified_gmt":"2019-06-24T09:42:53","slug":"article-29-working-party-issues-opinion-on-usage-of-technology-at-work","status":"publish","type":"post","link":"https:\/\/blogs.dlapiper.com\/iptitaly\/2017\/08\/article-29-working-party-issues-opinion-on-usage-of-technology-at-work\/","title":{"rendered":"Article 29 Working Party issues an opinion on usage of technology at work"},"content":{"rendered":"<p>Privacy risks can arise from the usage of new technologies by employees at work and require a deep assessment, especially in the light of the General Data Protection Regulation.\u00a0<img decoding=\"async\" class=\"alignright size-full wp-image-56492\" src=\"https:\/\/blogs.dlapiper.com\/iptitaly\/files\/2015\/02\/Coraggio-Fusion.jpg\" alt=\"Giulio Coraggio\" width=\"67\" height=\"90\" \/><!--more--><span id=\"more-5830\"><\/span><\/p>\n<p>The Article 29 Working Party, a European advisory body made up of European data protection authorities, issued an\u00a0<a href=\"\/\/\/Users\/GiulioCoraggio\/Downloads\/Opinion22017ondataprocessingatwork-wp249%20(1).pdf\">opinion<\/a>\u00a0on the usage of technologies at work which considers both current privacy laws and the upcoming\u00a0General Data Protection Regulation.<\/p>\n<h2>The privacy principles applicable at work<\/h2>\n<p>According to the Article 29 Working Party:<\/p>\n<ol>\n<li><strong>consent cannot and should not be the legal basis of the data processing at work<\/strong>\u00a0\u2013 this is quite a common mistake: consent from employees would not be freely given because of the employment relationship and therefore would not be valid;<\/li>\n<li><strong>processing may be necessary for the performance of a contract<\/strong>\u00a0where the employer has to process personal data of the employee\u00a0<strong>to meet contractual 
obligations\u00a0<\/strong>\u2013 this means that such a legal basis cannot be used to justify data processing activities that go beyond what is necessary for the performance of the employment contract;<\/li>\n<li><strong>legitimate interest can be the legal basis of the data processing<\/strong>, but the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible and\u00a0<strong>accompanied by mitigating measures to protect employees\u2019 privacy<\/strong>\u00a0\u2013 the balancing test necessary to rely on legitimate interest will be tricky, and legitimate interest is definitely not a strong legal basis of data processing as it is open to different interpretations;<\/li>\n<li><strong>employees should be clearly and fully informed of the processing of their personal data<\/strong>, including the existence of any monitoring \u2013 this is something already provided in Italy by the\u00a0guidelines of the Italian data protection authority\u00a0on the monitoring of the usage of Internet and emails in the workplace. 
The provision of adequate information on the type of data processing activities performed by means of technologies is not just a recommendation, but an obligation;<\/li>\n<li><strong>principles of\u00a0privacy by design, by default and of data minimisation shall be followed<\/strong>\u00a0in building technologies that can monitor employees \u2013 this means that such technologies shall by default adopt the most privacy-friendly settings; and<\/li>\n<li><strong>a\u00a0privacy impact assessment\u00a0has to be run<\/strong>\u00a0when technologies can lead to high risk for individuals, such as in the case of potential profiling or decisions taken by means of automated systems.<\/li>\n<\/ol>\n<h2>The potential scenarios occurring in the workplace<\/h2>\n<p>The European privacy authorities adopted a very practical approach, listing frequent scenarios occurring in the workplace and giving instructions on how they should be handled:<\/p>\n<h3>1. Processing during the recruitment process<\/h3>\n<p>Information about a candidate on social media can be reviewed only if necessary and relevant to the performance of the job being applied for; the review can be performed only on social media related to business (e.g. LinkedIn, but not Facebook); and the data should be deleted once it appears clear that an offer of employment will not be made or is not accepted by the individual concerned.<\/p>\n<h3>2. Screening of employees\u2019 social media profiles<\/h3>\n<p>The review of social media profiles of employees, of their contacts\/friends, opinions, beliefs, interests, habits, whereabouts, attitudes and behaviours should not take place and should not be required of employees and applicants.<\/p>\n<h3>3. 
Monitoring of electronic devices in the workplace<\/h3>\n<p>These technologies include not only the monitoring of emails and of Internet usage, but also, among others,<\/p>\n<ul>\n<li>data loss prevention (DLP) tools,<\/li>\n<li>security applications and measures that involve logging employee access to the employer\u2019s systems; and<\/li>\n<li>technologies enabling the monitoring of personal devices (e.g., PCs, mobile phones, tablets) that employees supply for their work in accordance with a Bring-Your-Own-Device (BYOD) policy, as well as Mobile Device Management (MDM) technology, which enables the distribution of applications, data and configuration settings, and patches for mobile devices.<\/li>\n<\/ul>\n<p>In relation to the technologies above, the Article 29 Working Party recommends to<\/p>\n<ul>\n<li>run a\u00a0privacy impact assessment\u00a0in order to also understand whether the technology complies with\u00a0<strong>the principle of proportionality and whether changes are needed to reduce the scale of the data processing<\/strong>; and<\/li>\n<li>provide employees with acceptable use policies that describe in detail\u00a0<strong>the processing that takes place and the rules of functioning of the system<\/strong>.<\/li>\n<\/ul>\n<p>The second point above is at least arguable and, in some circumstances, risks defeating the purpose of monitoring systems. Indeed, if, in the case of data loss prevention technologies, it is described in detail when the tool is triggered, and a prior notification is sent to the employee for any action triggering the monitoring so that the employee can cancel it, the risk is that\u00a0<strong>the technology will \u201ceducate\u201d the employee on how to avoid triggering the alert<\/strong>. 
This would result in a potentially higher risk of the very data breaches that such technologies are meant to avoid.<\/p>\n<p>Likewise, if employees are given the possibility, in the workplace, of sending private communications or in any case of keeping such activities private,\u00a0<strong>the risk is to create a channel for potentially illegal activities<\/strong>.<\/p>\n<p>The above is difficult to explain in a regime that, under the General Data Protection Regulation, will oblige employers to implement \u201c<em>appropriate technical and organisational measures to ensure a level of security appropriate to the risk<\/em>\u201d, also introducing burdensome obligations\u00a0in case of data breach.<\/p>\n<p>The privacy authorities state that \u201c<em>prevention should be given much more weight than detection<\/em>\u201d, with which I fully agree. But in relation to the scenario above, for instance, it is difficult to argue that employees should be allowed to mark some appointments as \u201c<em>private<\/em>\u201d and be offered \u201c<em>alternative unmonitored access<\/em>\u201d when in the 21st century basically everyone has a smartphone with a data plan and a private email.<\/p>\n<p>In relation to the labor law approvals required for the usage of such technologies, a higher level of flexibility was given in Italy by means of the\u00a0provisions of the so-called Jobs Act.<\/p>\n<h3>4. Monitoring of electronic devices outside the workplace<\/h3>\n<p>This is a practice that is becoming exponentially common with the growth of home working, remote working and \u201cbring your own device\u201d policies. The position of the Article 29 Working Party is the following:<\/p>\n<h4>Monitoring of home and remote working<\/h4>\n<p>There is a higher risk of insecure usage of personal data outside of working premises, but monitoring tools may be considered disproportionate and unjustified. 
The risk should be addressed in a proportionate and non-excessive manner, but the Article 29 Working Party does not give indications on how such a goal can be achieved.<\/p>\n<h4>Bring your own device (BYOD)<\/h4>\n<p>It is prohibited to use technologies that perform a complete scan of private devices, and areas that are meant to be used for private purposes should be skipped.<\/p>\n<p>Likewise, monitoring the location and traffic of private devices may be justified by legitimate interest, but technologies able to distinguish private from business usage shall be in place.<\/p>\n<p>A secure transfer of data between the private device and the business network can be ensured by means, for instance, of a VPN, but again such a measure should not lead to privacy issues during private usage of the device.<\/p>\n<p>An interesting point is that according to the Article 29 Working Party<\/p>\n<p>\u201c<em>the employer must also\u00a0<strong>consider the prohibition of the use of specific work devices for private use<\/strong>\u00a0if there is no way to prevent private use being monitored\u2014for example if the device offers remote access to personal data for which the employer is the data controller.<\/em>\u201d<\/p>\n<p>The above is expected to be the easiest conclusion in order to avoid misbehaviours by employees and potential privacy breaches. If a device can be used only for business purposes, employers would definitely be in a stronger position.<\/p>\n<h4>Mobile device management<\/h4>\n<p>Mobile device management enables employers to locate devices remotely, deploy specific configurations and\/or applications, and delete data on demand. A privacy impact assessment shall be run in order to ensure that such technologies cannot be used to monitor employees. 
Likewise, employees should be informed about the tracking and its features.<\/p>\n<h4>Wearable devices<\/h4>\n<p>Wearable technologies tracking employees\u2019 health data should be prohibited, and employees\u2019 consent is unlikely to be considered a valid legal basis for the processing.<\/p>\n<p>However, data protection authorities do not go into much detail on the matter and in my view the issue should be reviewed taking into account the peculiarities of each case.<\/p>\n<h3>5. Processing operations relating to time and attendance<\/h3>\n<p>The crucial element in the usage of such technologies relates to the purposes for which the collected data is used. If it is used for safety purposes, it is likely to be covered by legitimate interest, while if it is used to assess the performance of employees it is likely to trigger privacy risks.<\/p>\n<h3>6.\u00a0Processing operations using video monitoring systems<\/h3>\n<p>The amount of information that can be collected by means of such technologies needs to be in line with the principle of proportionality and, for instance, employers should refrain from the use of facial recognition technologies.<\/p>\n<h3>7. Processing operations involving vehicles used by employees<\/h3>\n<p>The monitoring of vehicles used by employees is becoming very common, but the data processing performed by means of such technologies shall be proportionate.<\/p>\n<p>For instance, an option to opt out of the tracking should be given when the vehicle is used for private purposes or outside working hours, unless its continuous operation is justified (e.g. in order to avoid the theft of the vehicle). But even in such a case the monitoring shall be limited to what is strictly necessary for the required purpose. 
And the same principle of proportionality shall be complied with in case of usage of technologies able to monitor the behaviour of employees in the vehicle.<\/p>\n<p>A number of interesting points of discussion are raised by the opinion above, and the General Data Protection Regulation is expected to lead to major challenges when it comes to the need to keep data secure while preventing such security measures from being in breach of employees\u2019 privacy rights.<\/p>\n<p>As usual, if you found this article interesting please share it on your favourite social media.<\/p>\n<p><strong><a href=\"https:\/\/twitter.com\/GiulioCoraggio\">@GiulioCoraggio<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privacy risks can arise from the usage of new technologies by employees at work and require a deep assessment, especially in the light of the General Data Protection Regulation.\u00a0<\/p>\n","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"yes","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[17],"tags":[34,14463,769,6],"class_list":["post-57973","post","type-post","status-publish","format-standard","hentry","category-dataprotection","tag-data-protection","tag-employees","tag-gdpr","tag-privacy"],"_links":{"self":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/57973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/comments?post=57973"}],"version-history":[{"count":0,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/57973\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/media?parent=57973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/categories?post=57973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/tags?post=57973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}