Developments in technology mean that HR professionals are increasingly having to consider the ways in which data protection and privacy may impact upon employment issues. By far one of the most common challenges that arises is the use of CCTV, and also surveillance of workers in the broader sense. So what do employers need to know? David Jones, employment solicitor at Myerson Solicitors takes a look.
It is increasingly common for CCTV footage to be referred to as evidence in disciplinary hearings. There are occasions where a security camera captures an incident taking place that an employer then wishes to utilise. Whilst the footage is being used for the purpose of a disciplinary investigation, the camera may have originally been installed for a different purpose, such as security of premises.
Steps to take before installing CCTV
The guidance from the ICO (Information Commissioner’s Office) on the use of CCTV is that, where possible, the employer should inform staff of the presence of cameras, and also the purpose for which the CCTV is installed. It is also recommended that an employer conducts a Privacy Impact Assessment before installing a CCTV system so that, if the ICO ever raises a query, the employer is able to demonstrate they conducted a balancing exercise between the employer’s legitimate purpose and the rights of individuals.
Be clear about your purpose in advance, to document it in a Privacy Impact Assessment, and to notify your workers and employees (where feasible).
There may be occasions where informing employees about the presence of cameras would defeat the intended purpose. There is no blanket rule that covert surveillance is automatically unlawful, but it will be more difficult to justify on the whole, and the ICO is likely to expect additional safeguards to be in place.
The use of covert surveillance cameras
The recent European Court of Human Rights decision of Lopez Ribalda v Spain illustrates the risks involved where covert surveillance is used. A group of five supermarket cashiers were dismissed following a disciplinary investigation in which images from a CCTV system were relied on as evidence. The images were taken by hidden cameras.
Staff were informed the CCTV cameras were being installed. As regards the specific purpose, the staff were informed it was to combat an increase in thefts within the store. That was correct, but only in part. The employer was also concerned that some of the cashiers were involved in the thefts and so they installed a separate set of hidden cameras to secretly film the cashiers at work.
The employees admitted they had either stolen goods, or assisted customers and co-workers to steal goods. However, on discovering secret cameras had been installed, they claimed the use of covert filming had breached their right to private and family life.
The ECHR agreed with the workers. There was a breach of the Spanish data protection legislation and also their right to private life had been infringed without sufficient justification. Whilst the company argued there was a legitimate reason involved (to tackle suspected thefts) it was not enough to justify their decision to carry out covert filming in this instance.
It is important to note that there was no challenge on the decision to dismiss. The workers had admitted the allegations, and did not pursue the equivalent of an unfair dismissal claim under Spanish law. The case raises the possibility that an employee could be dismissed fairly using covert CCTV footage, but then have a separate claim for breach of data protection legislation and/or interference with private life.
Worker tracking devices
Surveillance of workers has developed so that it extends well beyond CCTV footage. Worker tracking solutions have been used routinely for many years. A brief search on the internet will reveal that there is already a mature market in software designed to secretly monitor employees’ computer use. The sophistication of these offerings makes for interesting reading!
Amazon was the latest company to attract media attention in February 2018. A patent application has revealed the company is developing a wristband that will be able to track movements of workers in their distribution centres. The technology not only tracks the location of workers but has the ability to track arm movements when workers reach for the shelves. The wristband will also include “haptic” technology, which means the wristband will vibrate in order to guide the worker to the correct item on the shelf. It is not known whether the motion sensors in the wristband are capable of tracking productivity based on how often they raise their arms.
What are the consequences of using monitoring systems in the workplace?
The first considerations are practical as well as legal. The more personal data you process, the more data you become responsible for. As an organisation, you would need to invest in the infrastructure required to collect, store, and secure such large amounts of data. The first questions to ask are commercial: do you want to invest the time and cost of implementing the new system? Do you want to take on the extra responsibilities and liabilities in the first place?
In addition to having an adequate infrastructure, there is the additional time and cost of the measures that have to be put in place to lawfully process large amounts of personal data. After the GDPR (General Data Protection Regulation) comes into effect on 25 May 2018, an employer must be able to demonstrate they have taken appropriate organisational and technical measures. Therefore, as the scale of your data processing increases, your measures and procedures will need to increase proportionately.
An illustrative example
To illustrate the kinds of legal issues that can arise when using surveillance tools, we can look at the example of employers wanting to monitor the frequency of toilet breaks taken by their workers. There are a number of liabilities that might arise in this situation.
One of your employees might have a medical condition that means they need to visit the lavatory. By tracking this data, are you now collecting “sensitive data” relating to health (as defined currently under the Data Protection Act 1998), or “special categories of personal data” (as defined under the new GDPR). You have now incurred the additional liability of processing sensitive health data, which carries more onerous responsibilities and processing requirements under the legislation.
Is the employee’s higher than average number of visits to the lavatory related to a condition defined as a disability? By monitoring the employee you might be breaching the Equality Act by subjecting them to unfavourable treatment because of something arising in consequence of their disability (the “something” being their need to make an above average number of visits to the bathroom).
An employer then needs to consider what it will do with that data. Will some form of wristband or GPS-based device be connected to a software tool that analyses worker movements to provide automated data on how often each worker visits the toilet? This could mean you are engaged in “automated individual decision making” under GDPR Article 22. Not only could this be automated profiling based on personal data, this particular data is sensitive health data. One of the possible outcomes to processing sensitive health data by automated methods is that you may need explicit consent from the workers in order to continue. That would obviously present a practical difficulty.
The scenario above demonstrates that there are many questions to be considered before an employer takes a decision to implement any form of worker surveillance, particularly if the monitoring will be covert. It is important that employers and HR professionals get appropriate advice before proceeding.
The cost of getting it wrong
The ICO has the power to issue financial penalties. The upper limit on these penalties is about to increase from 25th May 2018 as part of the new GDPR regime. The new upper limit for the most serious cases will be £17 million pounds, or 4% of global turnover (whichever is the higher).
Whilst it is understandable that the potential fines attract the most headlines, there are other sanctions available to the ICO that could be just as damaging to an employer’s operations. The ICO has the power to order suspension of the unlawful data processing activity until they are satisfied it has been remedied. Whilst not a fine as such, the potential cost to a business caused by that suspension could be just as damaging.