Vacation in the boss’s time? Keep the use of “peeking software” under control.
Working from home en masse, enlisting en masse?
In these times of crisis, one of the most important changes is the mass working from home. Early this morning, on Labor Day, , a message appeared (a little hidden in a NOS live blog) that employers are buying and installing “spy software” en masse, in order to be able to follow their employees at home. A good time to write a short blog: is that allowed?
Monitoring employees is, in principle, not prohibited, but strict conditions apply and therefore, possibilities are limited. Covert peeking is usually not allowed. The monitoring of employees often involves the processing of personal data. The General Data Protection Regulation (GDPR) and related privacy legislation apply to this. Furthermore, art. 7: 611 of the Dutch Civil Code is important: employer and employee will behave as good employers resp. employees. This includes respecting the employee’s privacy and private life. Below, we provide a brief overview of the options and conditions for the control of employees who work from home. We leave aside the (employment law) question of what could possibly be done with the outcome.
Legitimate interest of the employer?
The employer must have a legitimate interest (read: a legitimate reason) to monitor employees through a personnel tracking system. This interest must outweigh the privacy interests of its employees. One of the most important questions to be asked is: is it necessary to monitor employees in this way? Are there other, less drastic ways to achieve the purpose in question? This has to be assessed on a case-by-case basis and may lead to a negative outcome in this context. As a rule, it will perhaps suffice to ‘anonymously’ monitor computer use (first). An employer is more likely to have a legitimate interest if there are strong indications that a home-based employee does not perform his or her work for no good reason. A follow-up question may then be whether it would be better to ask the employee for clarification in a conversation, or whether (secret) monitoring is still necessary in this case. Trust is always paramount.
It is also important to note that it is currently accepted that employees should also be able to spend some time on private matters during working hours. Want to “Facebook” for a while? Sure, if in moderation. In addition, some view having more breaks while working from home and taking a shorter working day as important or completely normal.
Obligation to provide information
If the employer has this test , it is important to inform employees about the fact that checks are being carried out or can take place, as well as about the rules that the employee must observe. In the context of the GDPR, it is important to also inform the employee about which personal data are processed, how long they will be stored, what the employee’s rights are, etc.. This could be done, for example, through the personnel handbook or a privacy statement for employees, and is very important in the context of the lawfulness of employee monitoring. In short, covert monitoring is only permitted if there is a reasonable suspicion of, for example, theft or fraud, and may only be incidental. Therefore, we believe that it is generally necessary to provide clear information about the (possibility of) control prior to the use of espionage software.
Monitoring should be limited to what is necessary for the purpose in question. Therefore, as an employer, you should set the boundaries well in advance. Also, you should ensure that only a limited number of authorized persons can view the data obtained from monitoring. An employer should also refrain from viewing messages (e.g. email) that have been marked as private. While not a fully perfect solution, it can help employees and employers if an employee creates a “Private” folder in his / her email box. And, how often is monitoring really necessary for the purpose in question? The following is also important here.
Relevance of type of software
When going through the aforementioned test, the employer must take into account what exactly the software in question does. If only screen time is measured, the test will easily be passed if – as stated in the aforementioned message on nos.nl – screenshots are made of open web pages every so often, as this also means that there is a much greater chance that (more) personal data will be processed or private information will be collected. It is highly questionable whether this is not a disproportionate infringement of the privacy of employees. The news report also mentions taking photos of the employee, which definitely seems to be a bridge too far to us.
Software supplier agreements
Can an employer not just simply ask for consent during this time of crisis? No, in order to be able to process data on the basis of consent, consent must be freely given. We have already written a bit more about it this week, but in short it is assumed that there is no possibility to give “free consent” in an employment relationship.
DPIA and Works Council
Depending on the degree of monitoring, a Data Protection Impact Assessment (DPIA) might have to be carried out before the employer can deploy the software. This is also relevant for accountability under the GDPR; in any context, we recommend that you report on the aforementioned test and keep the report. Furthermore, an entrepreneur will first have to ask the works council for their consent before introducing “peeping software” or a comparable control system (personnel tracking system), but also if a work-from-home protocol is introduced or adjusted.
Need help? Our team of privacy and employment law specialists is happy to assist you. Please contact us via the details listed in the sidelines or via firstname.lastname@example.org.