This is the next in our series of articles based on a report on data processing at work by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy.
Traditionally, the monitoring of electronic communications in the workplace, (e.g., phone, internet browsing, email, instant messaging, VOIP, etc.), was considered the main threat to employees’ privacy. However, new technological developments have enabled newer, potentially more intrusive and pervasive ways of monitoring which might put employers in contravention of DP legislation.
Such developments include, amongst others:
- Data Loss Prevention (DLP) tools, which monitor outgoing communications for the purpose of detecting potential data breaches;
- Next-Generation Firewalls (NGFWs) and Unified Threat Management (UTM) systems, which can provide a variety of monitoring technologies including deep packet inspection, TLS interception, website filtering, content filtering, on-appliance reporting, user identity information and data loss prevention.
- security applications and measures that involve logging employee access to the employer’s systems;
- eDiscovery technology, which refers to any process in which electronic data is searched with the aim of its use as evidence;
- tracking of application and device usage via unseen software, either on the desktop or in the cloud;
- the use in the workplace of office applications provided as a cloud service, which in theory allow for very detailed logging of the activities of employees;
- monitoring of personal devices (e.g. mobile phones, tablets), that employees work with in accordance with a specific use policy, such as Bring-Your-Own-Device (BYOD), as well as Mobile Device Management (MDM) technology which enables the distribution of applications, data and configuration settings, and patches for mobile devices; and
- the use of wearable devices (e.g., health and fitness devices).
Employers must consider the proportionality of the measures they are implementing, and take action to mitigate or reduce the scale and impact of the data processing. A good way of going about this would be to implement and communicate acceptable use policies alongside privacy policies, outlining the permissible use of the organisation’s network and equipment, and strictly detailing the processing taking place.
In some cases, the monitoring of employees is possible not so much because of the deployment of specific technologies, but simply because employees are expected to use online applications made available by the employer which process personal data. The use of cloud-based office applications (e.g. document editors, calendars, social networking) are examples of this.
It should be ensured that employees can designate certain private spaces to which the employer may not gain access unless under exceptional circumstances. This, for example, is relevant for calendars, which are often also used for private appointments. If the employee sets an appointment to “Private” or notes this in the appointment itself, employers (and other employees) should not be allowed to review the contents of the appointment.
If it is possible to block websites, instead of continuously monitoring all communications, blocking should be chosen in order to comply with this requirement of subsidiarity. More generally, prevention should be given much more weight than detection—the interests of the employer are better served by preventing internet misuse through technical means than by expending resources in detecting misuse.