This is the next in our series based on a report on data processing at work by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy.
It has become commonplace for employers to offer employees the option to work remotely, e.g., from home and/or whilst in transit. This is a central factor behind the blurred distinction between a workplace and home. This may involve the employer issuing IT equipment or software to the employees which, once installed in their home/on their own devices, enables them to have the same level of access to the employer’s network, systems and resources that they would have if they were in the workplace, depending on the implementation. (BYOD – Bring Your Own Device – will be considered in our next article).
Whilst remote working can be a positive development, it also presents an area of additional risk for an employer. For example, employees who have remote access to the employer’s infrastructure are not bound by the physical security measures that may be in place at the employer’s premises. To put it plainly: without the implementation of appropriate technical measures, the risk of unauthorised access increases and may result in the loss or destruction of information, including personal data of employees or customers, which the employer may hold.
In order to mitigate this area of risk, employers may think there is a justification for deploying software packages (either on-site or in the cloud) that have the capabilities of, for example, logging keystrokes and mouse movements, screen capturing (either randomly or at set intervals), logging of applications used (and how long they were used for), and, on compatible devices, enabling webcams and collecting the footage thereof. Such technologies are widely available, including from third parties such as cloud providers.
However, the processing involved in such technologies is disproportionate and the employer is very unlikely to have a legal ground under legitimate interest, e.g. for recording an employee’s keystrokes and mouse movements.
The key is addressing the risk posed by home and remote working in a proportionate, non-excessive manner, in whatever way the option is offered and by whatever technology is proposed, particularly if the boundaries between business and private use are fluid.