Employees are provided with resources like internet access and email because they need them for the work they are expected to do. As these tools are made available to them, not to mention being owned and managed by their employers, the latter are entitled to make use of these tools subject to certain conditions. The problem is that the lines between private and professional use of the internet are not always clear. On the other hand, why wouldn’t employers simply assume that people will occasionally take care of personal business during office hours? And be perfectly okay with that? A general ban on the private use of internet, in other words, is not a practical option, apart from generally making no sense. But there is more at play here than mere practical considerations. There are issues of principle and legal matters as well.
The right to privacy, within the framework of organisational loyalty and professional performance, applies in the workplace as well. Employers cannot just go ahead and monitor their staff’s online activities, not even where there is the chance or likelihood of private or inappropriate use of business resources. Still, the need employers feel to look over their employees’ shoulders, especially since Covid-19 and the resulting massive shift to working from home, is not only understandable but often fully justified. What’s more, under certain conditions, monitoring employees during their working hours is entirely within the law.
There are many ways of doing this. Tracking software for can be used for recording online activity, logging key strokes and mapping the way people use e-mail and internet. And there are other, more traditional methods as well, like camera surveillance and recording telephone conversations.
But in keeping an eye on their staff, employers do have to comply with requirements imposed by the GDPR. To name one of these, the employer must have “justified interest” in monitoring his employees and this interest, which the employer must be able to demonstrate and substantiate, has to outweigh the rights and interests of the individuals being observed. An additional condition is that monitoring has to be necessary, in other words, it must be the only way to achieve the purpose for which it is intended, there being no other, less intrusive methods of accomplishing the same goal. The employer must also inform his employees of the possibility of surveillance or actual presence of monitoring equipment and of the ways in which surveillance may be or is being carried out. One way of meeting this obligation to inform, is by drawing up protocols.
On top of this, the employer must make the distinction between work-related and private communication, the latter by definition being confidential. For instance, employers are not allowed to read emails that are obviously exchanged for private purposes. Also, while large-scale monitoring of personal data is principally allowed, as in the case of checks on internet use, gps trackers in the cars of employees who travel as part of their jobs and camera surveillance for the prevention of theft and fraud, it does require prior performance of a DPIA (Data Protection Impact Assessment). And where this assessment shows the likelihood of substantial, unmitigable risk to the rights of employees, the organisation is required to consult the Data Protection Authority. Covert surveillance, which under specific circumstances is also allowed, requires additional precautions on top of what is necessary for “normal” monitoring.
Private use of internet in the workplace has long been considered a serious problem which had to be strictly controlled, if not severely sanctioned. It was not uncommon for employers to be immediately discharged for having visited websites on company computers for job-unrelated purposes. This initial paranoia has obviously passed, but many organisations remain uncomfortable with the idea of private use of business resources and feel the need for some measure of control. Understandably so. But today, businesses have to meet all sorts of very strict requirements in order to implement any sort of monitoring mechanism. And as long as their staff’s private internet use does no professional damage, there is little justification for surveillance, restriction or regulation, let alon disciplinary measures. Monitoring employees first of all requires the demonstrable applicability of justified interest, apart from which the proposed surveillance has to be the only way to achieve the intended purpose. Furthermore, employees have to be informed of the presence and nature of monitoring mechanisms. Finally, in case of the likelihood of high risk to privacy, the organisation is required to perform a DPIA, which, if the presence of significant risk is confirmed, calls for DPA consultation.