Monitoring staff at work and at home

In the UK, it is commonplace for banking and financial services firms to monitor staff; be this for regulatory and compliance or productivity reasons.

In a survey of 504 financial services firms in 2018, PwC found that 77% routinely tracked
productivity of their staff, and that a quarter of banks, asset managers, and insurers with
assets exceeding $5bn even went as far as tracking productivity on an hourly basis.

And monitoring does not extend to just productivity. Recent banking scandals have seen the private messages and social media accounts of employees closely monitored.

In the UK, financial services, alongside legal services, is one of the most highly regulated
industry sectors. Its staff are well-used to being closely watched. But can employers
replicate the same monitoring measures when staff are in their own homes? When does
monitoring leave an employer vulnerable to charges of spying on the private lives of their
staff?

Interestingly, from a legal perspective, there is currently no data privacy law in the UK
which specifically governs monitoring employees. However, there is legislation in place
which has a significant impact on how this can be done, chiefly the European Convention on Human Rights (ECHR) and the General Data Protection Regulation (GDPR) – both EU regulations which have been incorporated into UK law. The UK also has a statutory regime in place to govern the interception of electronic communications, which is set out in the Investigatory Powers Act 2016.

In terms of what level of employee monitoring is permissible – this is a very complicated
question, which will depend on a number of variables. Probably the best starting point for employers is the ICO’s “Employment Practices Code”, which contains guidance and good practice recommendations for any company seeking to monitor their staff.

Generally speaking, the following questions will all feed in to whether or not an employer is in breach of the law in monitoring their staff:

• Is the monitoring being undertaken because of a legitimate reason? Lacking a
  legitimate reason for implementing particular staff monitoring measures will make it far more likely to fall foul of UK legislation.
• What is the extent of the monitoring? Employers should always seek to implement the minimum level of monitoring required to achieve their goals. If a less intrusive method of monitoring employees is readily available, an employer will likely have little justification for implementing anything further.
• Who has access to the data being collected through monitoring? This should always be restricted to the smallest number possible in order to achieve the legitimate aims of the employer.
• Has the employer considered the potential consequences for its employees, and have the necessary safeguards been put in place?
• Are the employees aware of the fact they are being monitored? The ICO guidance recommends that employers set out (amongst other things) the circumstances in which monitoring may take place, the nature of the monitoring, and how any information obtained through monitoring will be used.
• Is any information collected being processed lawfully, in accordance with GDPR?

Compliance with GDPR is of particular importance for larger companies and financial
institutions, who will necessarily process far more data, and therefore require most
sophisticated systems in place for safeguarding this adequately.

Failure to do so may put companies in the unenviable position of Barclays, who last year
were investigated by the ICO for their use of staff monitoring software. In choosing to
enable an additional function to allow monitoring of individual employees rather than
anonymous monitoring, Barclays faced significant staff criticism, followed by an ICO investigation, and ultimately the termination of the monitoring programme a month later.

If Barclays are found to have breached UK data protection law, they face a potential fine of up to 4% of annual turnover (over £800 million).

Balancing employment legalisation, data privacy, and the health and wellbeing of staff is
undoubtedly similar to walking the proverbial tightrope. The need to get it right now the
working week looks set to permanently include time in both the office and at home is
paramount. Get it wrong and the penalties can be stiff.

Based on the ICO guidance, legislation, and also case law, probably the two most
important factors for any company implementing monitoring measures for their employees are: proportionality and transparency.

Proportionality, especially in the context of an individual’s expectation of privacy, will play a pivotal role in what is considered “acceptable” monitoring of employees. The courts will always look to balance the expectations of the individual, and the individual’s right to privacy, against the public interest and the protection of others. In this regard, the employer’s reasoning for monitoring its employees is crucial.

Likewise, transparency is a concept that crops up continuously in the field of employee
monitoring, in particular in the ICO’s guidance. This is probably best summed up in the
ICO’s statement: “If organisations wish to monitor their employees, they should be clear
about its purpose and that it brings real benefits. Organisations also need to make
employees aware of the nature, extent and reasons for any monitoring.”

A final point to bear in mind is the additional burden of companies with a global reach, who must be aware of the different law governing different jurisdictions. Although much of the UK law stems from EU regulations, providing a helpful measure of consistency across other EU countries on the continent, it must be noted that policies which work in some countries may not be appropriate in others.

This article originally appeared in Global Banking and Finance Review.