Supervision and monitoring of employees - from a data protection perspective

HR News
29 Jun 2011

recent years' technological advances have provided employers with a number of new tools to monitor employee behaviour at work. if employers wish to use these tools, they must first consider a number of data protection issues

Jens Harkov

Recent years' technological advances have provided employers with a number of new tools to monitor employee behaviour at work. If employers wish to use these tools, they must first consider a number of data protection issues

Recent years’ technological advances have provided employers with a number of new tools to monitor employee behaviour at work. If employers wish to use these tools, they must first consider a number of data protection issues.
Traditionally, it is the employer’s prerogative to supervise and monitor employees. But where labour and employment law mainly centres on the right to supervise and monitor, data protection law centres on the employer's treatment of the information collected.
The Danish Data Protection Act
The Danish Data Protection Act implements the Data Protection Directive from 1995 (Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data, and provides a number of special rules of historical origin.
More specifically, the Danish Data Protection Act sets out a number of general and fundamental principles of necessity and proportionality. It further sets out a number of processing rules which distinguish between the different types of personal data and their varying degrees of sensitivity. The main principle of the Act (and the underlying EU Directive) is that the more sensitive the personal data, the more restrictions on their treatment – also in the relationship between employer and employee.
The principle in the Act of good data processing practice is particularly interesting in the context of employee monitoring. Setting the dynamic starting point of the Act, the principle of good data processing practice ensures that the Act can keep pace and evolve concurrently with technological advances. It is also on the basis of this principle that the Danish Data Protection Agency has issued an opinion on employers' scope for monitoring employees by electronic means.
Unproblematic monitoring
Although the Act imposes a number of restrictions on which employee data employers are allowed to collect and process, monitoring is in itself entirely unproblematic in most cases. This is because of the nature of the data and the purpose for which they have been collected.
An example of unproblematic monitoring would be access control systems where employees are given access to the employer’s premises via an individual code or similar means. Another example is time and attendance recording systems to track employee attendance and hours. Other examples are employee absence documentation, skills testing of employees, for example with a view to continuing professional development, monitoring achievement of bonus targets, etc.
Possible invasion of privacy
However, certain types of monitoring may be seen as invading privacy. The Danish Data Protection Agency keeps a watchful eye on these types of monitoring.
Two examples of such monitoring are tracking of employee internet activity and monitoring of employee work-related email. In both cases, employers have a legitimate interest in carrying out such monitoring, for example for security purposes (eg to prevent virus or enable reconstruction of lost data) and to check compliance with company policies and internal guidelines such as an internet policy.
Citing the principle of good processing practice, among other things, the Agency has decided that employers wishing to carry out the above types of monitoring must inform their employees that they are being monitored and why.
The Data Protection Act also restricts video surveillance and monitoring of telephone calls. For one thing, if employees are monitored by CCTV, they must be notified and certain areas in the workplace must be CCTV free, normally areas such as wardrobes, changing rooms, etc. Additionally, the Act imposes a blanket ban on tracking outgoing telephone calls in order to protect employees from having their private conversations monitored. The consequences that it may have for employers to monitor employees illegally can be seen from a case where an employer had monitored a shop assistant in breach of the Act. That cost the employer about EUR 3 350 in damages to the employee (and a penalty of about EUR 6 700 for breach of an agreement between the social partners about monitoring of employees).
Particularly sensitive data
If an employer wishes to record employee data which qualify as ‘sensitive data’, the employer must first obtain an authorisation from the Data Protection Agency. This is because of the stricter requirements which apply to the treatment of sensitive data.
This means that employers will need an authorisation in order to ask employees to take a drug and alcohol test. The same applies if they wish to use personality tests in recruitment.
In the wake of the Enron scandal, the Sarbanes-Oxley Act was introduced in the US. Sarbanes-Oxley requires companies of a certain size to implement whistleblowing schemes to provide an effective framework for employees to report irregularities. Such schemes have spread to other countries, including Denmark. As a result, the Agency has issued a number of special guidelines for such schemes because they involve the recording of sensitive data such as criminal offences. The implementation of whistleblowing schemes, too, requires prior authorisation from the Agency.
Developments are followed closely
As already mentioned, many of the monitoring measures currently available to employers build on technological innovation. But the legal standard of 'good data processing practice' contained in the Act means that it is possible in the enforcement of the Act to dynamically keep pace with technological advances – a fact that can also be seen from the practice evolving from the Agency’s opinions in particular.
But the EU law background is also changing. The European Commission, for example, has begun the process of revising the current Data Protection Directive. What this will mean for employers and their scope for monitoring employees is not yet known, but changes in EU law will obviously affect Danish employers. This is one of the reasons why Norrbom Vinding is a regular participant in the Copenhagen Data Protection Forum. The Forum meets to discuss relevant data protection issues, including what the forthcoming changes in EU law will mean. In addition, the Forum works to raise awareness of data protection regulation and developments.