Employees monitoring of information and communication technologies private usage Guidelines updated in Portugal

Transcription

1 COELHO RIBEIRO E ASSOCIADOS SOCIEDADE CIVIL DE ADVOGADOS Employees monitoring of information and communication technologies private usage Guidelines updated in Portugal CRA Coelho Ribeiro e Associados, SCARL Mónica Oliveira Costa Portugal December 2013 On 14 November last the Portuguese Data Protection Authority (CNPD) published the updated guidelines on employees monitoring of information and communication technologies private usage issued on 16 July. Despite being in line with the previous ones (issued on 29 October 2002) these guidelines establish some new rules as far as phone calls, and internet monitoring and addresses the remote computer access which was not foreseen previously. CNPD made clear that these guidelines do not include the use of geolocalisation systems by the employer, which will be address autonomously and in a different guideline. 1. General Requirements As the previous guidelines, the CNPD emphasizes that the legitimacy of the employee monitoring lays down on the fair balance between the employer s right to establish rules on how the work and the work tools should be performed and used (employees productivity and companies assets management) and the employees right to privacy. A V. E N G º D U A R T E P A C H E C O, E M P R E E N D I M E N T O D A S A M O R E I R A S T O R R E I I, 1 3 º A L I S B O A P O R T U G A L T E L. ( ) F A X ( ) E - M A I L : c r W W W. C R A L A W. C O M

2 Again, the CNPD highlights that it is unrealistic and unreasonable that the employer forbids the private use of information and communication technologies by the employees. Instead, the employer should establish clear and precise rules on the private use of such assets made available to the employees and the level of tolerance admitted as well as on the means of monitoring used. Such rules should be based on the principles of necessity, proportionality, and good faith, being the employer able to demonstrate that the means of monitoring used are the ones with less impact on the employees privacy. Thus, employer shall privilege generic means of monitoring (time and duration of the connection) rather than individual ones (traffic data that reveals the private life of the employee, such as, called number, receiver s address or the website visited) as those will be sufficient to ascertain whether there have been any abusive use. CNPD expressly bans any kind of monitoring of personal , social networks or similar even if accessed through the computer at the workplace. In addition, communications extract lists even if intended to be sent to the employees for their alleged control is also not seen by CNPD as legitimate because it disrespects the necessity and adequacy principles. In what concerns to data retention, CNPD clarifies, in these updated guidelines, that data should not be retained for more than 6 months, unless in case a disciplinary or judicial procedure is ongoing. As in the previous guidelines, the retention period for phone calls should be less than the statutory period of payment applicable to the invoices of such phone calls. Interconnection of this processing with other databases of the controller or third parties is not allowed as well as disclosure to any third parties, unless to comply with a legal obligation within a judicial or a disciplinary procedure. 2

3 CNPD underlines the need to ensure the employees access, rectification and deletion rights and explicitly refers that employees should be informed of the conditions to exercise such rights and provided, upon their request, without constraint, at regular intervals and without excessive delay or expense the information legally foreseen in the law as far as the right of access is concerned (article 11.1 a), b) and c) of the Data Protection Act): (a) Confirmation as to whether or not data relating to him are being processed and information as to the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed; (b) Communication in an intelligible form of the data undergoing processing and of any available information as to their source; (c) Knowledge of the logic involved in any automatic processing of data concerning him. Particular attention is given by the CNPD to security measures. Considering that sensitive data are processed special security measures foreseen in the Data Protection Act will be required and the CNPD provides some guidance on what specifically should be implemented by the controllers: (i) Create a specific access profile for the purposes of this processing; (ii) The access to the systems which record this information shall only be made through user accounts that allow to uniquely identify the user; (iii) Restrict access to the servers (physical and logical); (iv) Access record to the sensitive information for purposes of operations control as well as internal and external audits; (v) Trusted audit system; (vi) Tracking of access monitoring (configuration of systems that allows logs to record who accessed, day and hour timestamp what was done assigning a sequential number id for each occurrence and a hash with these elements: id, user, date, hour and operation). In order to be valid, logs, should be digitally signed; (vii) Alarm system and response in case of misuse; (viii) Log analysis Policy with period analysis reports that should be kept for 1 year for CNPD s supervising purposes. 3

4 Pursuant the data subjects information right, the employer should have a written policy governing the information and communication technologies usage that shall define with accuracy the rules and conditions, under which the company assets may be used for private purposes or the level of tolerance admitted. Furthermore, the employer shall inform previously the employees about the existence of the processing, its purpose, the control methods adopted, the data processed and the retention period, as well as the consequences for the misuse of the company s assets made available to the employee. Prior consultation of the workers council or similar employees representative structures/entities, if any, must be made and afterwards the employer must post the policy at the working places, in order to allow the employees to have full awareness of its content. Moreover, because sensitive data are processed, prior authorisation of the CNPD must be obtained. Finally, prior to the writing policy the controller should conduct a Privacy Impact Assessment in order to evaluate the effects that the control mechanisms will have on the employees privacy and find those that are less intrusive and simultaneously answers the company s legitimate purposes. 2. Specific Requirements a) Telephone usage data and traffic data Access to communications content, the use of any tapping device, storage, interception and surveillance of the communications are forbidden. Recording telephone conversations is allowed under the terms legally foreseen, for the purposes and within the conditions authorised by the CNPD in accordance with its guidelines of 10 September

5 No monitoring is permitted within the activities subject to professional secrecy (ex.: lawyers, physicians and journalists). Calls monitoring shall be limited to the user identification, his/her rank/function in the company, number called/received (being the last 4 numbers removed), type of call (local, regional or international), duration of the call and price. b) and traffic data CNPD reaffirms its understanding that in no event the employer is entitled to open, automatically, the s addressed to the employees. The fact that such s are stored in the company s servers does not legitimise the access to such s, even within a disciplinary investigation. Neither the need of virus detection nor other malicious software justifies for itself the access to the s received by the employee. However, employees should be required to create folders, duly identified on which the employees should save their personal s received in their company s mail box. Again, the employer shall not undertake a permanent and systematic monitoring of the employees . The control shall be punctual and towards the areas or activities that present a greater risk. As in the case of phone calls, no monitoring is permitted within the activities subject to professional secrecy (ex.: lawyers, physicians and journalists). monitoring should be made on a randomly basis. The employer may also adopt the necessary procedures always with the knowledge of the employees to filter certain files that may indicate not being professional s (exe. Files, mp3 or image files). 5

6 Eventual monitoring for prevention or detection of commercial secrets disclosure shall be directed exclusively for the employees with access to those secrets and only when there are grounded suspicions. It shall be clearly distinctive the level of exigency and accuracy in relation to the monitoring of received and sent s. Instructions to the employee to delete messages received in breach of the Policy should be given. When facing an abusive use of the the employer should issue a warn notice to the employee. The access to the employee s shall be the last recourse to be used by the employer, and it should be done in the presence of the employee and a representative of the work council or other similar employees representative structure/entity or someone the employee chooses. The access shall be limited to watch the addresses of the recipients, the subject, date and hour. The employee is entitled to identify the s that are personal and object their reading by the employer; in which case, the employer shall refrain from consult the content of those s, in case the employee still had not the chance to save them in the personal folder. In case of scheduled absence (ex.: holidays or parental leave) the out of office reply together with an alternate address should be adopted. The reasons for acceding to the mailbox of the employee in case of absence shall be clearly expressed and of the employee s previous knowledge. Likewise, it should be done in the presence of a representative of the work council or other similar employees representative structure/entity or someone the employee chooses. If not possible and for companies who have a Data Protection Officer, the latest should be responsible to ensure compliance with the law and the rights of the employee preventing any unlawful access from the employer. 6

7 Finally, procedures on mail box of former employees ( heritage) should also be implemented. The employee should be given with a period to remove all the personal e- mails, at the end of which the account should be deleted and shall not be reused/assigned to another employee. c) Internet The employer shall adopt a preventive approach, giving preference to the creation of filters that block the access to the websites unauthorised by the employer. Time limits for private use of internet at the workplace are admissible. However the employer shall not undertake a permanent and systematic control of the Internet s access. It shall be done in a global way, not individualised, in relation to all accesses made in the company, with reference to the time of web connection. It is admissible that the employer processes data about the most acceded websites, but without identifying the place of origin of the access. Whenever there are reasons of costs and productivity involved, the monitoring shall be done through the counting of the time of connection, independently of the sites visited. In case it is found excessive and disproportionate, the employee shall be warned in respect to his level of use. The control of the time daily spent in the access to Internet and the web sites consulted by the employee shall only occur in exceptional circumstances, in particular when the employee, after the warning, doubts of the employer s accesses data and wishes to confirm them. 7

8 Finally, the CNPD clarifies that in no event the employer should have access to the employee s personal profile area as it is deemed to be private, such as, conversations in chats rooms. d) Remote computer access Remote computer access (ex: VNC Virtual Network Computing), in real time or delayed, is not admissible, unless for technical assistance upon the employee s request or knowledge each time it is performed. Systems that allow search, localisation and obtaining data or electronic stored information at the companies computers is not permitted either. The employer must ensure that backups of individual computers granted to the employees and the general archive centralization of the dispersed business documentation do not include private information. In order to accomplish this goal clear and comprehensive procedures to separate personal from business folders must be created. Employees should be duly informed of such procedures and guidance on how to archive personal files should be made available to them as well. Regrettably the CNPD did not take the opportunity to address in these guidelines the use of employees own personal computing devices for work purposes (BYOD) which of course raises different issues and challenges that companies need to face ever more. 8