New Council of Europe recommendation on processing of employee’s personal data in light of new technologies
The new recommendation on processing of data for purposes of employment is designed to meet challenges posed by greater digitisation.
On 1 April 2015 the Council of Europe adopted Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment. The previous recommendation was issued before the growth of the internet and new technologies, and did not reflect contemporary realities. Aware of the increased use of new technologies and electronic communications in dealings between employers and employees, the Council of Europe decided to modify the recommendation to ensure adequate protection of personal data in employment.
The Council of Europe recommendation is not binding, but it should nonetheless be expected to be taken into consideration by national data protection authorities, such as Poland’s Inspector General for Personal Data Protection (GIODO), as well as courts, when assessing legal compliance of processing of employees’ personal data, particularly given that the recommendation refers to data processing rules already codified by legal regulations. Thus it would be reasonable to treat the recommendation as a source of guidelines or best practice for complying with rules for processing of employees’ personal data using tools provided by new technologies.
Apart from general rules for processing of personal data in employment, the recommendation also refers to methods of processing personal data using specific new technologies, including the internet and electronic communications at the workplace, systems and information technologies for monitoring employees (including video surveillance), equipment revealing employees’ location, internal reporting systems, and biometric data.
General guidelines
The guidelines largely seek to ensure respect for the dignity and privacy of employees and job candidates and protection of their personal data, while recognising the need of employers to obtain certain personal data from employees and candidates and to monitor their staff.
To achieve this, the guidelines incorporate fundamental principles of processing of personal data, including the principles that processing must be lawful, conducted for a legitimate purpose, transparent and proportionate. With respect to transparency and proportionality, processing of data should be limited only to data necessary to achieve the defined purpose in specific instances, and data should primarily be obtained directly from the data subject. The employee should also be informed of what personal data are being processed by the employer, including the categories of data, the purpose for the processing, and the recipients of the data.
Detailed guidelines for processing personal data using new technologies
Under the Council guidelines, processing of personal data while using the new technologies referred to in the recommendation requires application of additional protective measures. The employer should inform employees of the system before it is implemented, the purpose for using it and how long the data will be processed, and also inform them of their right to access and rectify their data and how they can exercise these rights. It is recommended to consult with employee representatives, and if there is a risk of violation of the right to privacy and dignity, consent should also be obtained from employee representatives.
Internet and electronic communications
Many comments are devoted to the issue of the use of internet, intranet and electronic communication devices at the workplace. Fundamentally, employers should avoid unjustifiable and unreasonable interferences with employees’ right to private life. Permissible purposes for interference would include improvement of management effectiveness, ensuring the security of the network, and employers’ efforts to protect against harm caused by employees and liability for their actions.
In the event of processing of personal data relating to internet or intranet pages accessed by the employee, preference should be given to the adoption of preventive measures, such as the use of filters which prevent particular operations, and to the grading of possible monitoring on personal data, with a preference for non-individual random checks on data that are anonymous or aggregated.
Private electronic communications at work should not be monitored under any circumstances. Employers may access professional electronic communications of their employees, but only when necessary for security or other legitimate reasons, for example to detect infringement of the employer’s intellectual property rights or to obtain evidence of improper performance of the employee’s duties. Employees should be warned in advance of that possibility.
The Council recommends introduction of procedures for obtaining access to the correspondence of absent employees in the least intrusive way possible, only when there is a professional necessity, and only after informing the employees concerned. Additionally, an employee’s electronic messaging account should be automatically deactivated on the employee’s departure from the organisation. If the employer needs to recover the contents of an employee’s account for the efficient running of the organisation, this should be done before the employee’s departure, and in the employee’s presence if feasible.
Information accessible online
The Council recommends that employers should not require an employee or job applicant to provide access to information that he or she shares with others online, notably through social networking sites.
Monitoring of employees’ activity, behaviour and location
In the Council’s view, the use of information systems and technologies (e.g. video surveillance) for the direct and principal purpose of monitoring employees’ activity and behaviour should not be permitted. Nor should they be used for constant checking of the quality or quantity of work of individual employees. If their use for other legitimate purposes, such as to protect production, health and safety or to ensure the efficient running of the organisation, indirectly enables monitoring of employees’ activity, then they should be specifically designed and located so as not to undermine employees’ fundamental rights. Video surveillance of locations that are part of the most personal area of life of employees (such as toilets or cloakrooms) is not permitted in any situation.
Storage of recordings should be subject to a specific time limit, which should be as brief as possible. Recordings should be accessible only by employees who are authorised in connection with performance of their duties, such as staff responsible for workplace safety and security. However, an employee should be able to obtain a copy of a recording if needed in the event of a dispute or for legal or administrative proceedings.
Similar principles apply in the case of technologies enabling identification of employees’ location, such as RFID or GPS. (Such technologies may be found not only in digital devices, but also for example in work uniforms.) Such technologies should be used only when necessary to achieve a legitimate purpose of the employer. Monitoring should not be the main purpose, but only an indirect consequence of other necessary actions. Continuous monitoring of employees 24/7 must be avoided, for example by disabling location functions outside of working hours.
Biometric and genetic data – sensitive data
According to the Council, genetic data cannot be processed, for instance, to determine the professional suitability of an employee or a job applicant—even with the consent of the data subject—as the use of such data could lead to discrimination. Processing of genetic data may only be permitted in exceptional circumstances, for example to avoid serious injury to the health of the data subject or third parties, and only if it is provided for by national law and subject to appropriate safeguards. Examples given in the explanatory memorandum include a genetic monitoring program that monitors the biological effects of toxic substances in the workplace, where the monitoring is required by law or, under carefully defined conditions, where the program is voluntary.
There are similar limitations with respect to biometric data, including individual characteristics such as fingerprints, the retina and iris of the eyes, voice patterns and facial patterns. Obtaining and processing of such data are permissible only when necessary to protect the legitimate interests of the employer, employees or third parties, and there are no other less intrusive methods for protecting such interests (proportionality). The explanatory memorandum gives the example of the necessity to control access to particularly sensitive areas such as a nuclear plant or a military base. In processing of such data, the data must be adequately secured. Biometric data should not be stored in a centralised database, and if possible the employee should maintain control over the data, e.g. by recording the data on a magnetic card accessible only to the employee.
Summary
The requirements discussed above limit employers’ freedom to use new technologies for employment purposes, but are consistent with a general trend toward increasing the protection of employees’ privacy and personal data. They are also consistent with the positions taken by the Polish data protection authority and the courts, serving as guidelines on processing of personal data in an employment context in the absence of precise regulation of these issues in Polish law.
In their rulings, these authorities take a restrictive view of the permissibility of interfering in employees’ privacy and of processing certain categories of their personal data (particularly sensitive data, such as biometrics). For this reason, employers processing personal data for employment-related purposes should always carefully consider whether the data processing is consistent with the law, meets the tests of proportionality and transparency, furthers a concrete and legitimate purpose, and does not excessively interfere with employees’ right to privacy.
Katarzyna Żukowska, Personal Data Protection Practice, Rafał Kuchta, New Technologies Practice, Wardyński & Partners
The article is a part of the New Technologies Newsletter, June 2015