The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”).
The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the need for a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees, because of risks posed by advancements in modern technologies since the other documents were published.
The Opinion is primarily concerned with the Data Protection Directive 95/46/EC (“DPD”), so employers should continue to take account of the fundamental principles of the DPD when processing personal data in an employment context. Technological developments and new methods of processing have not changed this position.
The Opinion also looks towards the “new” obligations placed on all controllers, including employers, under the General Data Protection Regulation 2016/679 (“GDPR”) – including data protection by design, the need to carry out Data Protection Impact Assessments for high-risk processing, and any specific national rules that are introduced pursuant to Article 88 relating to processing employees’ personal data.
WP29 has considered various scenarios in the Opinion which describe how certain technologies might be used to process personal data in the workplace, and the points that employers should consider. Some of these include:
Social Media
Employers should not assume that they can check the social media accounts of prospective job candidates just because they are publicly available. They will need a legal basis for processing the individual’s personal data (e.g., legitimate interest); it must be necessary and relevant to performance of the job, and they should consider whether the social media account has been set up for personal or private purposes before accessing any information. The individual must also be informed about any such processing – e.g., in the job description – before they engage with the recruitment process.
Monitoring ICT use
Many modern technologies available in the market have enabled potentially more intrusive ways of monitoring. For example, an employer might deploy a TLS inspection appliance to decrypt and inspect secure traffic, but this appliance can also record and analyse all of an employee’s online activity. Or an employer might use a Data Loss Prevention tool to monitor all outgoing emails automatically to prevent a data breach, regardless of whether an action is unintentional.
In each case, before using any of these products and applications, employers must consider the proportionality of the measures they are implementing and whether any actions can be taken to mitigate or reduce the scale and impact of the processing. WP29 considers it good practice for employers to complete a Data Protection Impact Assessment (DPIA) before introducing any monitoring technology, and to implement and communicate acceptable-use policies alongside privacy policies providing clear details of the processing which takes place.
Monitoring outside the workplace
The shift towards remote working and the popularity of “bring your own device” policies present more risk for employers as data moves away from the corporate network. However, the key is to address these risks in a proportionate manner, particularly if the boundaries between business and private use are fluid. For example, if employers are concerned about securing data that is transferred between the device and their network, they could consider additional protections such as “sandboxing” data (keeping data contained within a specific app), rather than installing monitoring software on the employee’s personal device.
International transfers of employee data
The use of most cloud-based applications will result in the international transfer of employee data. Any transfers of personal data to third countries may only take place where an adequate level of protection is ensured. Employers should also ensure that data shared outside the EU/EEA, and subsequent access by other entities within the group organisation, remains limited to the minimum necessary for the intended purposes.
Comments
Businesses should be reminded that although WP29 Opinions are not legally binding, they are influential as they have been prepared by representatives of the data protection authorities from each EU Member State: thus, they broadly reflect the approach regulators are likely to take. Businesses should therefore review the Opinion in detail as it provides practical guidance in an area that has developed significantly in recent years. It can also be used as a helpful reference point as businesses start to review their internal policies and processes in preparation for the forthcoming GDPR.