Last updated: 
22 hours 18 min ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Article 29 WP on Workplace Monitoring

Wednesday, July 5, 2017 - 09:59

The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on "employee monitoring", it is likely to be relevant to other situations where an organisation has significant power over those who use its premises and equipment. The guidance considers the requirements under both the Data Protection Directive and, from next year, the GDPR.

The Working Party confirm that the same basic principles continue to apply, indeed they are now even more important because modern workplace systems are both more capable of intruding into privacy and much less obvious when they do so (compare a 2017 wifi monitoring system with a 2002 CCTV camera). Also, for many people, the boundary between workplace and home has blurred, so employers must take additional care not to intrude into private contexts. So, especially:

  • Proportionality: the benefits of monitoring must clearly justify the privacy intrusion;
  • Transparency: monitoring must be clearly explained and justified to those being monitored.

Legally, the guidance suggests that most activities will need to be done on the basis that they are necessary for a contract, necessary for a legal duty (e.g. to pay tax and national insurance), or necessary in the employer's legitimate interests. Consent is considered "highly unlikely to be a legal basis for processing at work, unless employees can refuse without adverse consequence". Page 6 has a helpful summary of the circumstances when each of these may apply, and the associated obligations on the employer.

The guidance stresses that technologies do not know why they are being used, so may well collect more data than is actually required. It is the employer's responsibility to ensure that they have a clear, transparent and legitimate purpose for any collection of data, that collection and processing are the minimum necessary to achieve that purpose, and that appropriate measures are taken to prevent the reuse of data for other purposes. Whatever legal basis is being used, an analysis should confirm that processing is necessary and proportionate and that any interference with rights is minimised: this might well be formalised under the GDPR as a Data Protection Impact Analysis (DPIA).

A basic checklist: Is it necessary? Is it fair? Is it proportionate? Is it transparent?

Finally, chapter 5 provides helpful discussions of a number of specific scenarios that frequently arise: social media profiles of recruitment candidates; social media profiles of employees; ICT monitoring (both via security tools and general usage); monitoring of home/remote/BYOD working; physical access control; video monitoring; vehicle monitoring; third-party disclosure; international transfers.