Personnel Today

Privacy: what data can employers collect from company-issued tech?

by Diane Gilhooley and Paula Barrett 26 Jul 2019

Whether they’re aware of it or not, employers could be collecting personal data from company laptops or smartphones. Diane Gilhooley and Paula Barrett look at what data is and is not reasonable for HR teams to collect, what they need to tell employees, and how to minimise the risk of litigation.

Organisations are increasingly issuing staff with laptops, phones and wearable tech that, whether they’re aware of it or not, might allow them to track employees’ locations, what they’ve been doing and when they’ve been doing it.

But what does the law say about this and how can HR professionals minimise the risk these devices pose to employees’ privacy?

It is not unusual for laptops, phones, security/ID passes, vehicles and other mobile tech to generate significant personal data on employees, including location, hours worked, communications, activity levels and even sleep quality. This data collection is often less obvious to employees.

In addition, as agile working blurs the boundaries between work and home, mobile tech may also record data on employees’ domestic lives. Given the obvious privacy issues involved, employers need to consider laws on data protection, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

GDPR applies to any processing of personal data and collecting employee personal data from their mobile tech will typically be covered – even if the data is inadvertently collected or is a by-product of its workplace use.

Employers must have a valid lawful basis in order to process personal data from mobile tech. Only the minimum amount of data necessary to achieve the relevant purpose can be collected. Employers cannot generally rely on employee consent, so they have to apply another permitted legal basis and the processing must be necessary (as opposed to “nice to have”) for that reason. Lawful reasons include:

  • the performance of a contract with the individual
  • compliance with a legal obligation
  • the legitimate interests of the employer (or third party).

For example, monitoring the duration company vehicles are used for may be necessary to comply with working time and health and safety obligations for some driving roles. However, that may not apply if the tech also monitors routes taken or goes on to track use during private time. Covert monitoring is only permitted in exceptional cases, for example, where criminal activity is suspected.

Employers should conduct a data protection impact assessment (in some cases this is mandatory) which assesses privacy risks, mitigation measures, necessity and processing grounds. A legitimate interest assessment will be required if that is the legal ground being relied on.

Sensitive data

Particular care is needed if sensitive (termed “special category”) personal data will be collected, including religious or philosophical belief, trade union membership and health information, as this is harder to process lawfully. This could happen, for example, if mobile tech (perhaps incidentally) collects information about employee attendance at trade union meetings or their place of worship. Additional and narrower lawful conditions for processing will need to be complied with.

Staff must be informed about the processing of their personal data and their data rights, for example through a privacy notice which clearly details what data from mobile tech is collected and how it is used, stored, kept secure and more.

Monitoring employees’ use is both necessary (such as for cyber security reasons) and desirable (including facilitating performance management and flexible working).

However, unlawful monitoring and the unjustified processing of their data risk litigation, investigation and fines up to a maximum of €20 million and a consequential loss of reputation. The mishandling of employee data can also negatively affect employee relations and may constitute a breach of human rights, the implied duty of trust and confidence and other laws, depending on the circumstances.

Minimising risk

HR can minimise risk by being transparent and accountable in its data processing. Some practical examples include:

  • retaining only justifiable employee information and not all data which is a by-product of the daily use of mobile tech
  • adopting “privacy by default” as a core principle – processing employee data in the least intrusive manner, particularly where the private use of mobile tech is permitted
  • telling employees what data is processed, their data rights and when, why and how monitoring is undertaken – in terms that are clear, detailed and easy to understand
  • having specific practical guidance for mobile tech which sets out appropriate and inappropriate use, do’s and don’ts and the consequences of inappropriate use
  • training employees in key data protection rights and duties.

In broad terms, employers are allowed to process some personal data drawn from this technology, but they must perform a careful balancing act between employees’ rights to privacy and employers’ interests. They have to be able to provide evidence that they have complied with their data protection obligations including applying concepts such as transparency, fairness, necessity and proportionality.

Is the law clear-cut?

Data protection laws are not clear cut. This is because they are based on guiding principles which do not “give hard and fast rules, but rather embody the spirit of the general data protection regime”, according to the Information Commissioner’s Office. Other laws may also apply, such as those relating to intercepting emails and human rights.

Employers must remember that they must have a lawful basis for processing any personal data that is collected by the technology they provide, or they could risk legal action and large fines.

Diane Gilhooley and Paula Barrett

Diane Gilhooley is global practice group head of human resources and pensions, and Paula Barrett is global co-lead of privacy & cyber security law, at Eversheds Sutherland.

© 2011 - 2023 DVV Media International Ltd
