Monitoring employee conduct has always been part of the corporate environment. In many cases, it’s an essential component of prevention strategies for data leaks, fraud, theft of intellectual property and other potentially harmful behaviour. Monitoring also enables organisations to supervise and manage productivity, enforce organisational policies and procedures, manage quality control and protect employees and information assets. Prior to data privacy regulation, the commonly held belief was that the further individuals moved away from their personal space, the less privacy they could reasonably expect. Hence, businesses would safely “big brother” their employees with little risk of consequence.
Since the enaction of laws like Europe’s General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA), however, this theory no longer holds true. Monitoring employee personal data would constitute processing in terms of these two laws and thus doing so unlawfully would violate employee data privacy rights, which now comes with a very real risk of significant penalties.
Employees’ Right to Privacy
Whereas GDPR requires member states to legislate regarding the processing of personal information in the employment context, POPIA includes no specific employment provisions. That means employees are treated as data subjects like any other and enjoy the same privacy rights.
These include (subject to exceptions):
- The right to be informed of processing.
- The right to access their personal information.
- The right to rectify any incorrect, incomplete or inaccurate data.
- The right to have their personal data erased.
- The right to restrict processing.
- The right to object to processing.
- The right not to be subject to decisions based entirely on automated decision making intended to create a profile of them.
Employee Data vs Private Data
There are two categories of personal data relating to employees that businesses may need/want to process.
- Personal data given to the employer by the employee to process on their behalf, e.g. names, contact information, ID numbers, tax information etc.
- Personal data the employee manages using business devices, or uploads to business platforms without the employer’s knowledge.
The legal processing of each category is likely to differ, with the latter being more difficult to justify in the context of employee monitoring.
Grounds for Processing Employees’ Personal Data
To be able to legally process their employees’ personal data without infringing their data privacy rights, an organisation now needs (among other requirements) to base processing on one of the bases provided for in POPIA.
The first category of employee data is usually required to conclude and execute the terms of the employment contract. For the second category of personal information and, in the context of monitoring specifically, three of the identified bases become relevant, namely;
- Where the processing is conducted by consent;
- Where the processing complies with a legal obligation on the part of the employer; and
- Where the responsible party processes data in its own legitimate interests.
The unstable footing of consent
In order for consent to be relied upon as a legal basis for processing, it must be voluntary, specific and informed. However, reliance on consent as a basis for processing can present a number of problems for employers.
Firstly, the requirement for specificity means a generic consent clause in an Acceptable Usage Policy is no longer anywhere near enough to cover your bases. Employees need to know exactly when, where, how and why they are being monitored in order to be able to give specific and informed consent.
Even more challenging for employers, however, is the requirement for consent to be voluntary. The voluntary nature of consent is easier to establish where both parties are contracting on a level playing field, like in a service provider/customer relationship. However, within the employment context, where the employee is heavily reliant on the employer for their employment and salary, it is highly questionable whether consent given by an employee can ever be considered entirely voluntary. Where the employer includes consent to the monitoring of communications as a condition of the employee’s employment contract, consent certainly cannot be regarded as voluntary, an “expression of will” or “specific”.
In addition, both GDPR and POPIA provide that a data subject’s consent can be withdrawn at any time. Where the business relies on consent as the basis for employee monitoring, an employee who wishes to conduct fraudulent activities, can simply withdraw consent and continue with their criminal conduct whilst preventing an employer from being able to detect their malicious behaviour. Where consent must be relied on, company policies could be used to describe explicitly how the monitoring will take place, what activity will be monitored, which devices will be monitored and why. The purpose of processing must always be provided to the employee. In addition, appropriately worded consent forms should be used to obtain the required consent for specific and defined monitoring purposes.
Obligation Imposed by Law
As mentioned above, an employer may also process information if and when an obligation is imposed onto them by law. Numerous South African laws impose onto organisations a duty to report activity such as bribery and corruption. The Prevention and Combatting of Corrupt Activities Act, 2004 (PRECCA) imposes a duty on organisations to report corrupt, suspicious and/or unusual transactions and activities. Organisations may be able to rely on this duty to report as a legal basis for monitoring employee data.
Where no applicable legal obligation can be invoked as a basis for monitoring employee data, employers will more likely rely on legitimate interest. Employers can process employee personal information where it is necessary to pursue the employer’s legitimate interests. Organisations should always bear in mind that, despite processing on this legal ground, employees may object to such processing at any time in the prescribed manner, on reasonable grounds relating to their particular situation.
The protection of information assets and the prevention of fraud and/or financial or reputational damage to an organisation would constitute a legitimate interest for the organisation to pursue. Monitoring employee conduct to pursue this legitimate interest would therefore be permissible provided that the monitoring can be shown to be necessary.
The Limits of Legitimate Interest
Having such a legitimate interest does not give an employer free reign to keep tabs on everything their employees do.
In the South African context, POPIA includes all “correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would review the contents of the original correspondence” under its definition of personal information. For example, monitoring an employee’s access to business resources from their personal device may be necessary, but accessing private emails, chat apps etc. would be harder to justify as necessary.
Using a business device does not give an employer the automatic right to monitor an employee’s every action, either. Private activities on business infrastructure should ideally remain private unless there are reasonable grounds to believe they impact the business in some way.
To limit their risk, employers relying on their legitimate interest as a legal basis are better off minimising the collection and processing of personal data as far as possible and avoiding generalised and indefinite monitoring altogether. Random checks and/or targeted monitoring triggered by suspicious activities are far more likely to be seen as necessary to detect fraudulent activity.
Furthermore, employers would do well to ensure that the individuals monitoring employee information are fully apprised of the applicable legislation and sufficiently senior to be able to distinguish relevant and necessary information from other personal information that is not necessary to achieve the organisation’s legitimate interests.
Machine learning has become an invaluable tool for the analysis and extraction of business intelligence, including the identification of suspicious and/or undesirable employee activity. However, it is critical to use this technology responsibly, transparently, and with legitimate motivation to avoid breaching privacy laws.
Organisations must remember that an employee cannot be subject to a decision that affects them significantly or has legal consequences for them where that decision is based solely on automated processing which is intended to create a profile of them. Such a decision must ultimately be made by a human being considering all the circumstances.
For this reason, we strongly advise using an experienced partner with data privacy compliance expertise (like Cloud Essentials) when implementing this kind of functionality.
Transparency Trumps All
Data privacy laws are still relatively new and largely untested. How employee monitoring will ultimately fare in the face of legal challenges remains to be seen.
As such, we highly recommend that organisations document their processing activities including employee monitoring and adopt complete transparency, where possible, regarding their employees who should be advised of:
- The nature of the information being collected
- The purpose of its processing
- Whether its supply is voluntary or mandatory and the consequences of refusal if voluntary
- Any consequences of failing to comply
- The legal basis of processing e.g. the legitimate interests that the employer is seeking to pursue
Remember: awareness of being monitored is often an effective deterrent of undesirable behaviour in and of itself.
Well implemented, automated supervision can be a valuable addition to a Discovery Risk Mitigation strategy, feeding seamlessly into a platform like Salient’s when further investigation is required. Click here to find out more about Discovery Risk Mitigation, or get in touch with a Salient expert, today.