Do you have a private life at your workplace?

Transcription

1 Do you have a private life at your workplace? Privacy in the workplace in EC institutions and bodies Giovanni Buttarelli

2 In the course of his supervisory activities, the EDPS has published positions on a number of matters that illustrate the difficult balance to be struck in the field of Privacy in the Workplace. I would like to briefly touch upon some of the most significant examples, notably in the areas of internet and telephony monitoring, staff productivity and work quality, flexible working and video surveillance. The main data protection legislation that applies to Community institutions and bodies is Regulation (EC) 45/2001 which governs the processing of personal data and the free movement of such data. In addition there are specific provisions on data protection in the electronic communications sector outlined in the e-privacy Directive (2002/58/EC). Regulation (EC) 45/2001 specifies that the independent supervisory authority required under Article 286 EC Treaty is the European Data Protection Supervisor (EDPS). The supervisory tasks of the EDPS are performed through a range of activities such as the prior checking of processing operations presenting specific risks, complaints received from staff members and other data subjects, and consultations received from the DPOs of the EC institutions and bodies. They cover all Community institutions and bodies (as opposed to "Union" institutions and bodies), excluding the Court of Justice acting in its judicial capacity. e-monitoring Perhaps the most illustrative and complicated area in this field is that of the monitoring of communications (otherwise referred to as "e-monitoring") whether these be communications, use of the internet or the use of mobile or fixed telephony. The recitals to Regulation (EC) 45/2001 provide that it may be necessary to monitor the computer networks operated under the control of the Community institutions and bodies for the purposes of prevention of unauthorised use, and that the EDPS should determine whether and under what conditions this should occur. There is therefore recognition that some sort of monitoring is permitted, but that this monitoring must be done in accordance with the rules provided for in the Regulation, notably that of necessity and proportionality. The EDPS has indicated his preference for a preventive approach to the misuse of communication networks rather than a repressive one, and for selective monitoring only in specific well defined cases, rather than for monitoring across the board. In the event of a breach of the usage policy, the EDPS recommends a gradual approach to any investigations, where the identity of persons breaching the rules is only revealed to management when absolutely necessary. Regarding the monitoring of the use of internet, the EDPS considered in a prior checking opinion that, in the absence of adequate suspicion, the monitoring of all the URL's visited by all users is unnecessary and excessive. The EDPS advised institutions to make use of indicators (for example, volume of data downloaded) rather than monitoring all URLs. Only in certain specific circumstances, could it be 2

3 considered necessary for the institution to monitor all the URLs accessed by specific individuals. This is the case, for example, when there is an adequate suspicion that a given user is engaged in criminal behaviour (e.g. downloading paedophilic material). Proportionality also guided the EDPS approach to the monitoring of professional telephone communications where the EDPS considered that targeted monitoring of traffic data could only take place if the costs of the communications were well above the average costs of communications per month. As for the recording of communications at the workplace, Article 36 of Regulation (EC) 45/2001 provides that the Community institutions and agencies must ensure the confidentiality of communications in accordance with the general principles of Community law. These general principles refer to the notion of fundamental rights as laid down by the European Convention on Human Rights. The EDPS therefore advocates that a breach of the confidentiality of communications may only take place in exceptional circumstances where there are no other less invasive or intrusive means available and a number of very strict conditions have been satisfied. Criminal investigations of course remain the competence of the Member States. On the other hand, the EDPS has authorised the recording of certain professional communications by the European Central Bank in the context of standard business transactions for the purposes of proof of the transaction and with the consent of the parties to the communication. The EDPS also considered that the recording of calls to the Helpdesk of an institution could be used for the purposes of solving the IT problem with the consent of the parties involved, but found that further use of the recordings for quality control and training purposes overstepped the acceptable limits of necessity. The EDPS therefore invited the institution concerned to make the data anonymous or to obtain the consent of the parties involved. The recording of communications to an emergency unit was also considered as lawful by the EDPS based on the obligations of the institution according to internal rules or National security provisions (in the case of an agency or institution on a nuclear site, for example). Monitoring staff availability, productivity and work quality There is an increasing trend among Community institutions and bodies to use IT databases to monitor the availability and use of their human resources, and in particular, to monitor the productivity and quality of work, both individually and organisationally. Some agencies have gone as far as setting up IT systems feeding large amounts of data into them precisely for these purposes. For example, one agency set up a system whereby certain managers (senior case workers and some head of units) randomly reviewed selected outputs (decisions, letters, etc) of employees. The results of these reviews (containing, for example, the types of mistakes made by an individual) were then fed into an electronic database. Another agency required staff members to keep detailed timesheets broken down by over 50 specific categories 3

4 and subcategories in much the same way as an international law firm would do for billing purposes. Again, this was fed into a database. We have also seen some efforts to create databases of multi-layered competencies within an organisation, to enable management to have an accurate view of the skill sets of its staff and therefore optimise the use of its human resources. The common aim of all these initiatives is to measure how organizations use their human resources, and to help improve the productivity and overall quality of work. However, there is often an additional, sometimes insufficiently explicit, goal of monitoring individual's productivity or work quality, for purposes of performance evaluation. Such monitoring is then used to inform decisions that may affect these employees, such as the distribution of tasks, temporary staff contract renewals, or promotions. In practice, monitoring for these purposes has a place in a modern administrative culture. However, it is important to carry out this monitoring in a privacy-friendly and data protection compliant manner. Organisations must be very clear on what they wish to accomplish and why. Institutions must bear in mind that there is an obvious relationship between the number of targets, criteria, and checks that are in place to monitor the use of time, productivity, and quality of work, and the amount of stress experienced by staff. As well as undermining trust between an organisation and its employees, such steps could be counter-productive leading to increases in absence rates and staff turnover. Therefore, the EDPS has emphasised the need to always consider whether there is indeed a need for the specific monitoring proposed, whether the monitoring is excessive, and whether there are alternative methods of achieving the same goals. We have also emphasised the need to make monitoring policies explicit, detailing them in formal decisions or manuals written in user-friendly language, and discussing them with staff representatives before adoption of any system. Further, the EDPS has stressed that such procedures must ensure a high level of data accuracy, reliability, and consistency. Even with such safeguards EDPS advises that management must clearly and explicitly recognise the limitations of the data to inform decisions, especially those affecting individual staff. In one case, the EDPS considered that it was legitimate for management in a translation unit to monitor the individual productivity of their staff. However this should not be the sole tool for evaluation and sufficient guarantees must be provided to staff members to rectify inaccurate data or to provide justifications for certain figures. Flexitime Another relevant area in the field of privacy at the workplace is that of monitoring the working hours of staff. Many institutions and agencies have put policies into place to allow staff to adopt flexible working hours (flexitime). The EDPS has reminded institutions that the data recorded by any flexitime system should not be used to monitor attendance at work on a general basis. This approach was highlighted by the objection of the EDPS to the sending of electronic mails to heads of units when a staff member registered his/her working hours on a flexi-system. The EDPS also marked his objection to the use of access control data to check the correct use of the flexitime system on a systematic basis. He ordered that the access control data could only be used as part of a pre-determined administrative procedure enquiring into a specific and well-founded suspicion of fraud of the flexitime system. 4

5 Security investigations Another area of concern regarding privacy in the workplace is that of security enquiries which are performed in some institutions and agencies. The security departments of some of the institutions and bodies are permitted to take certain measures against criminal or unlawful acts against buildings occupied by the institution/body or persons working within these buildings (or having access to them), as well as against any other acts which may prejudice the institution. Here again, the EDPS underlined the importance of the proportionality of such investigations notably the "necessity" of the processing which must be assessed on a case by case basis. From this perspective, the EDPS has underlined that the processing of personal data to be conducted in the context of the investigations has to be proportional not only to the general purpose of the processing operation (investigating criminal offences, protecting people and property, etc) but also to the particular purpose of the processing operation in the context of the case (considering, for instance, the seriousness of the incident under investigation, the sort of data needed to clarify the facts, etc.). In the context of such investigations, the EDPS also reminded institutions that whenever access to personal data appears to be necessary for the purposes of the investigation, such access should respect appropriate guarantees, taking into account any potential risk of inadmissibility of the evidence in a possible future criminal case, which could arise if the fundamental rights to privacy and personal data protection were not respected when the evidence was collected. Particular attention must be paid to respecting these principles when access to files which are manifestly of a private nature seems necessary for the purposes of the investigation. These same principles also apply to processing operations involving the forensic examination of computers. The EDPS considers that specific precautions should be taken regarding access to the contents of a computer belonging to a Community institution, since it may also contain files used by the employee for private purposes (for instance in the folder "My documents", or s marked as "private"), or files which are not relevant to or are excessive for the purposes of the investigation. Forensic examination of computers must be subject to particular authorisation mechanisms. In this respect, the EDPS recommends the adoption of formal procedures for the conduct of forensic examinations of computers, which will also help to ensure that the principle of data quality is respected. Video-surveillance Video-surveillance is another area with a significant impact on privacy in the workplace. We all know that video-surveillance has become a popular tool to tackle security issues. It also has an increasing presence within the European Community institutions and bodies who use this technology to help ensure the security of their buildings, the safety of staff and visitors, as well as to protect property and information located on their premises. 5

6 Despite its popularity and potential benefits, there are fundamental rights at stake, such as the right to privacy in the workplace, the right to be free from discrimination, freedom of speech and freedom of assembly - rights we cherish and all too often take for granted in Europe. Therefore, decisions on whether to install cameras and how to use them should not be made solely on security needs. Rather, security needs must be balanced against respecting the fundamental rights of an individual. In this context and in a climate of increasing concern regarding surveillance, the EDPS is currently working on a set of Video-surveillance Guidelines for Community institutions and bodies. The guidelines are designed to provide practical advice for deciding whether or not to install or use video-surveillance equipment, and when using, how best to address data protection issues. A consultation version of the draft was published in July - I invite you to take a look at it on our website at: We plan to formally publish the guidelines before the end of this year. They focus mainly on video-surveillance for security purposes but they also address the issue of employee monitoring. The compliance framework proposed in the guidelines focuses on the need to move away from a culture of seeing data protection as an administrative burden, to one based on privacy by design, transparency in local decision-making involving all stakeholders, active roles for data protection officers, and institutional accountability. As regards employee monitoring, our strongly held belief is that overly intrusive measures can cause employees unnecessary stress and can also erode trust within an organisation. The use of video-surveillance to monitor how staff members carry out their work should therefore be avoided, apart from in exceptional cases. To determine whether non-security video-surveillance, such as monitoring employees, is permissible, and whether such use requires additional safeguards not provided for in these guidelines, a case-by-case approach is necessary. Therefore, any such proposed video-surveillance should be subject to a privacy and data protection impact assessment by the institution. In this respect, we emphasise accountability and local decision-making. Nevertheless, due to the intrusiveness of employee monitoring, the EDPS also wants to keep a close eye on any such monitoring. Therefore, the institution must also submit its plans to the EDPS for prior checking. Where the institution proposes to use video-surveillance technology to monitor the work of staff, the EDPS will pay special attention to the views and concerns expressed by the institution s staff representatives and whether such views were taken into account. Goals such as managing workplace productivity, ensuring quality control, enforcing the institutions policies, or providing evidence for dispute resolution, alone, do not generally justify the video-surveillance of employees in the context of the work of the institutions. To give you a few simple examples; institutions should not use their existing video-surveillance systems to monitor the efficiency of outsourced cleaning staff carrying out their work in the early morning even if adequate notice were given to them in this regard, and there had been repeated 6

7 complaints regarding their quality of work. Neither should they use video-surveillance footage to check whether employees arrive at work on time or whether their flexitime records correspond to the arrival and departure times recorded on the cameras. As for monitoring triggered by security or health and safety concerns or similar compelling interests in exceptional circumstances, the EDPS will evaluate any such usage on a case-by-case basis. Complex issues also arise as to whether, and if so under what circumstances and subject to what safeguards, video-surveillance footage should be used for internal investigations, such as the investigation of benefit fraud, professional incompetence, employee harassment or procurement fraud. Our general recommendation is that the institutions should clearly state that video-surveillance is not used to control the performance of the employee s work and will also not be used as an investigative tool or evidence in internal investigations or in disciplinary procedures, unless a security incident or criminal behaviour is involved. That said, the guidelines are flexible, and exceptions might be granted, provided that the institutions adequately justify the need and proportionality of the proposed measure in a privacy and data protection impact assessment and a prior checking procedure before the EDPS. Further, practices where an employee is under constant surveillance (continuously in the field of vision of video-surveillance cameras) must be avoided. For example, the institutions should not use video-surveillance cameras to continuously monitor the cashier and the cash register in the canteen during opening hours, even if adequate notice were to be given to the cashier in this regard. One last issue that I would like to mention with regard to video-surveillance in the workplace is that of "covert surveillance". The use of covert surveillance is highly intrusive due to its secretive nature. Further, it has little or no preventive effect and is often merely proposed as a form of entrapment to secure evidence. Therefore, its use should be avoided. Proposed exceptions again must be accompanied by a compelling justification, a privacy and data protection impact assessment and must undergo prior checking by the EDPS who may impose, as necessary, specific data protection safeguards. In principle, the EDPS is unlikely to issue a positive prior checking opinion in this situation unless a number of very strict conditions are satisfied. 7