Limits of employers on staff data privacy rights

The Covid-19 pandemic has greatly changed workplace dynamics with remote working becoming the new norm. Some employers use workplace surveillance tools to monitor their employees’ productivity and maintain the security of its systems. This surveillance coupled with remote working raises the concern that as an employer is carrying out its employee surveillance activities, personal and official communications of an employee may be commingled. While an employer has a legitimate interest to monitor its network to protect its business operations from rogue employees, it also has the obligation to balance its legitimate interests with an employee’s right to privacy with respect to personal and confidential information.

Employee surveillance refers to collecting, observing or recording personal data of staff. It can be in the form of video or audio surveillance using CCTVs, phone tracking, computer screen recording or software installation on work equipment. Employers monitor their employees to maximise on efficiency, proper resource use, including controlling internet access by limiting it to specific sites, tracking attendance and hours worked and for organisational security.

In certain instances, surveillance and monitoring is done to investigate suspected theft, misuse of company resources or other acts of gross misconduct.

PRODUCTIVITY OR SPYING?

An employer may come across certain personal information classified as sensitive information about the employee’s private affairs. There is a thin line between surveillance to increase work productivity, which is justifiable, and monitoring to spy on employees, which is unlawful.

It is important to point out that the Kenyan Employment Act, 2007 is silent on the protection of employee personal data obtained from workplace monitoring and surveillance.

However, both the Constitution of Kenya, 2010 and Data Protection Act, 2019 (DPA) guarantee the right to privacy including the right to not have information relating to a person’s family or private affairs unnecessarily required or revealed or the privacy of their communications infringed. Further, the Kenya Information and Communications (Consumer Protection) Regulations of 2010 prohibits a licensee under the Kenya Information and Communications Act from allowing any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data.

Best practices may be drawn from the EU in its application of the General Data Protection Regulation (GDPR). The GDPR contains provisions on the processing of personal data in the context of employment and gives leeway for national laws to be drafted to make provision for specific regulations and procedures in this regard.

According to the GDPR, employee data that is obtained from surveillance and monitoring activities is deemed to be sensitive data because it contains biometric data. Where monitoring is likely to result in a high risk to the rights and freedoms of the employees, an employer must carry out a data protection impact assessment (DPIA) or seek the guidance of a supervisory authority because not all surveillance activities will be considered legitimate.

In the same vein, where investigations are carried out through covert surveillance, an employer must seek the consent of the Data Protection Authorities (DPAs).

An employer would also be required to seek written consent from an employee in accordance with the GDPR and local data protection laws in the EU since sensitive biometric data is processed. Reliance on consent as lawful basis for processing employee’s data is however discouraged in the context of an employment relationship because it is assumed that the employee will have no choice but to consent due to the unequal bargaining power between the parties. In this regard, DPAs have stipulated that the use of consent as a basis for lawful processing of employee data be limited to situations where the employee has genuine free will and is able to withdraw their consent without any detriment.

Another ground for lawfully processing an employee’s information obtained from surveillance activities is for the employer’s legitimate interests or in exercise, establishment and defence of a legal claim against the employer. However, this should not gravely interfere with or affect the employee’s right to privacy. An employer therefore needs to draw the line between its legitimate business interests and rights of employees to privacy of their personal and confidential communications in order to remain in compliance with data protection laws. Failure to do so can be very costly. In 2019, the French DPA (CNIL) fined Uniontrad Company a reported 20,000 euros (approximately Sh 2.5million) for the video surveillance systems it set up to monitor its employees.

PLAIN LANGUAGE

Some employment contracts usually stipulate that the employer reserves the right to monitor an employee’s telephone conversations, text messages and emails within the company’s network or on work equipment provided by the company for purposes of security and quality control. Further, that the employee waives his/her right to privacy once the employment contract is signed. Such monitoring clauses usually state that an employer can disclose information obtained to third parties without further permission from the employee. This is an outright infringement of an employee’s privacy rights. On the other hand, an employee should as a safeguard avoid using company equipment for private communications.

To achieve compliance with privacy laws, employers should consider mechanisms such as obtaining employees’ explicit consent and buy in to use surveillance and monitoring tools.

An employer should also develop policies on surveillance, written in plain language and containing provisions such as the types of monitoring and frequency of monitoring and mechanisms for seeking redress where the employee’s right to privacy has been infringed in the course of the monitoring exercise.