Privacy: what data can employers collect from company-issued tech?

Whether they’re aware of it or not, employers could be collecting personal data from company laptops or smartphones. Diane Gilhooley and Paula Barrett look at what data is and is not reasonable for HR teams to collect, what they need to tell employees, and how to minimise the risk of litigation.

Organisations are increasingly issuing staff with laptops, phones and wearable tech that, whether they’re aware of it or not, might allow them to track employees’ locations, what they’ve been doing and when they’ve been doing it.

Data privacy

In-depth: When does keeping tabs on working time overstep the line?

Employees will share data if it makes them more productive

More protections against excessive employee surveillance needed

But what does the law say about this and how can HR professionals minimise the risk these devices pose to employees’ privacy?

It is not unusual for laptops, phones, security/ID passes, vehicles and other mobile tech to generate significant personal data on employees, including location, hours worked, communications, activity levels and even sleep quality. This data collection is often less obvious to employees.

In addition, as agile working blurs the boundaries between work and home, mobile tech may also record data on employees’ domestic lives. Given the obvious privacy issues involved, employers need to consider laws on data protection, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

GDPR applies to any processing of personal data and collecting employee personal data from their mobile tech will typically be covered – even if the data is inadvertently collected or is a by-product of its workplace use.

Employers must have a valid lawful basis in order to process personal data from mobile tech. Only the minimum amount of data necessary to achieve the relevant purpose can be collected. Employers cannot generally rely on employee consent, so they have to apply another permitted legal basis and the processing must be necessary (as opposed to “nice to have”) for that reason. Lawful reasons include:

• the performance of a contract with the individual
• compliance with a legal obligation
• the legitimate interests of the employer (or third party).

For example, monitoring the duration company vehicles are used for may be necessary to comply with working time and health and safety obligations for some driving roles. However, that may not apply if the tech also monitors routes taken or goes on to track use during private time. Covert monitoring is only permitted in exceptional cases, for example, where criminal activity is suspected.

Employers should conduct a data protection impact assessment (in some cases this is mandatory) which assesses privacy risks, mitigation measures, necessity and processing grounds. A legitimate interest assessment will be required if that is the legal ground being relied on.

Sensitive data

Particular care is needed if sensitive (termed “special category”) personal data will be collected, including religious or philosophical belief, trade union membership and health information, as this is harder to process lawfully. For example, if mobile tech (perhaps incidentally) collects information about employee attendance at trade union meetings or their place of worship. Additional and narrower lawful conditions for processing will need to be complied with.

Staff must be informed about the processing of their personal data and their data rights. For example, using a privacy notice which clearly details what data from mobile tech are collected, used, stored, kept secure and more.

  People analytics opportunities on Personnel Today

Browse more people analytics jobs

Monitoring employees’ use is both necessary (such as for cyber security reasons) and desirable (including facilitating performance management and flexible working).

However, unlawful monitoring and the unjustified processing of their data risk litigation, investigation and fines up to a maximum of €20 million and a consequential loss of reputation. The mishandling of employee data can also negatively affect employee relations and may constitute a breach of human rights, the implied duty of trust and confidence and other laws, depending on the circumstances.

Minimising risk

HR can minimise risk by being transparent and accountable in its data processing. Some practical examples include:

• retaining only justifiable employee information and not all data which is a by-product of the daily use of mobile tech
• adopting “privacy by default” as a core principle – processing employee data in the least intrusive manner, particularly where the private use of mobile tech is permitted
• telling employees what data is processed, their data rights and when, why and how monitoring is undertaken – in terms that are clear, detailed and easy to understand
• having specific practical guidance for mobile tech which sets out appropriate and inappropriate use, do’s and don’ts and the consequences of inappropriate use
• training employees in key data protection rights and duties.

In broad terms, employers are allowed to process some personal data drawn from this technology, but they must perform a careful balancing act between employees’ rights to privacy and employers’ interests. They have to be able to provide evidence that they have complied with their data protection obligations including applying concepts such as transparency, fairness, necessity and proportionality.

Is the law clear-cut?

Data protection laws are not clear cut. This is because they are based on guiding principles which do not “give hard and fast rules, but rather embody the spirit of the general data protection regime”, according to the Information Commissioner’s Office. Other laws may also apply, such as those relating to intercepting emails and human rights.

Employers must remember that they must have a lawful basis for processing any personal data that is collected by the technology they provide, or they could risk legal action and large fines.