Employers tracking employees

Employers are increasingly turning to different forms of technology to improve their businesses. Whether this be through AI to enhance strategies, or new software which allows employees to streamline their performance, technology is an integral part of everyday, professional life. In the Health and Social Care sphere specifically, technology has ‘enormous potential’ as suggested recently by Lord Darzi; epitomising the need to utilise any and all applicable advances.

One form of technology which remains constant, albeit mostly passive, is GPS location tracking. Employers are beginning to turn towards GPS software as a means to track employees when they are away from their primary work location. Doing so allows employers to monitor their employees’ productivity, but can also, in certain circumstances, provide an additional safety precaution for those who may be required to undertake lone working.

The practical implications of location tracking are especially pertinent within the Health and Social Care sector. At their core, many providers are not limited to the traditional ‘9 to 5’ working hours; nor are they limited by location. From General Practitioners conducting routine home visits, to paramedics urgently responding to a 999 call, the sector is one which is governed by the patients they treat; and as such the safety of employees whilst lone working in remote locations is paramount.

Although there may be clear benefits to using such software, questions may also be raised over employees’ right to privacy, and how this may be compromised. To counteract this, employers using employee tracking software must ensure they comply with the relevant data protection legislation.

The legal position

An employee’s location data is considered to be ‘personal data’ under data protection law.

Data protection law does not prohibit an employer from monitoring their workers, however, it does require monitoring to be conducted in accordance with a number of key requirements.

To collect and process data lawfully from monitoring workers, an employer must identify a lawful basis. There are 6 lawful bases in total, however, for the monitoring of employees’ location data the following are likely to be the most appropriate:

• Public Task – Employers can rely on this basis if they can demonstrate that monitoring their workers is necessary to perform their public tasks as set out through legislation or common law. This is particularly relevant to employers who are public authorities, and whose workers carry out tasks in the public interest. For example, by NHS trusts and/or local authorities providing care in the community. Note, this basis can only be relied upon if the same purpose could not be achieved through a less intrusive manner.

• Legitimate Interests – The monitoring of workers is necessary for the employer’s, or a third party’s, legitimate interests. This basis is flexible and can apply in a manner of different circumstances. It will be the most appropriate lawful basis for most private bodies.

Another lawful basis to be considered is consent. Here, monitoring personal data is considered to be lawful if the worker gives consent to process their personal data for a specific reason. A worker must freely give their consent, the consent must be unambiguous, and must include an affirmative action. Unless employers intend to give workers a genuine choice as to whether to participate in location monitoring, consent is unlikely to be the appropriate lawful basis, given the imbalance in power meaning workers are likely to feel they have no choice but to give consent. In such cases, consent would not be valid.

The remaining legal bases of Contract, Vital Interests, and Legal Obligation are either limited in scope, or unlikely to be applicable when considering data protection compliance for employee tracking software.

Where the personal data collected from monitoring will include ‘special categories of personal data’ (e.g. health or biometric data) or criminal offence data, an additional, stricter condition must also be identified.

In addition to having an appropriate the lawful basis, data protection law also establishes rights for individuals and imposes data protection principles and a variety of security, accountability and governance requirements on those responsible for processing an individual’s personal data. It is essential that employers are able to demonstrate that they have considered, and are able demonstrate compliance with, all of these requirements.

These principles state that personal data must be:

• Used fairly, lawfully, and transparently.

• Used for specified, explicit purposes.

• Used in a way that is adequate, relevant and limited to only what is necessary.

• Accurate and, where necessary, kept up to date.

• Kept for no longer than is necessary.

• Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

Individuals’ rights include:

• Right to be informed

• Right of access

• Right to rectification

• Right to erasure

• Right to restrict processing

• Right to data portability

• Right to object

• Rights related to automated decision-making including profiling

Other key security, accountability and governance requirements include:

• To keep documentation of processing activities

• To undertake data protection impact assessments (DPIAs) when appropriate

• To appoint and consult a data protection officer (DPO) when appropriate

• To ensure third party processors of personal data are appointed under a data processing agreement

• To ensure any transfers of personal data outside of the UK have appropriate safeguards in place

In conclusion, an employer can monitor an employee’s location as long as the monitoring can be justified using the most appropriate legal basis, follows the data protection principles, respects and facilities individuals’ rights, and the appropriate security, accountability and governance measures are in place.

Putting this into practice

Ultimately, when deciding whether to monitor workers, employers must identify their public tasks and/or business interests that justify monitoring, balance these with workers’ rights and freedoms under data protection and human rights law, and be able to justify monitoring as a necessary and proportionate measure.

Employees are likely to have concerns over how an employer will use their location, regardless of the legal justification. For example, if GPS tracking remains active on a device outside of an employee’s working hours, it may consequently infringe on an employee’s Article 8 Human Rights – the right to privacy and family life.

To mitigate these concerns, employers should consider what form their GPS tracking of employees may take. Employers may look to avoid continuous background location tracking and instead use the most minimal GPS tracking which focuses solely on the employer’s legitimate purpose without infringing on an employee’s privacy.

In order to ensure complete transparency, employers must explain how they intend to monitor their workers in a way which is accessible and easy to understand. This may potentially be done through a Data Protection Impact Assessment (DPIA). A DPIA helps an employer to identify and minimise the risks of any planned monitoring activity, and also involves a step where employers can discuss their monitoring plans with workers. In addition, inviting employee feedback at an early stage of the planning process can help avoid more serious complaints at a later stage.

It is vital for employers to explain to workers how their personal information will be collected during any form of monitoring – including through location tracking. Employers should look to review their monitoring practice regularly, and must keep privacy information up to date and inform workers of any changes.

Workers can object to being subject to location tracking data, specifically when the lawful basis relied on by an employer is either the performance of a public task, or necessary for a legitimate interest. The worker must give specific reasons as to why they object, and this reasoning should be tailored to their specific situation. An employer can refuse to accept a worker’s objection if they can demonstrate a compelling legitimate interest for the monitoring that overrides the worker’s interests, rights and freedoms, or the processing of the worker’s data is for the establishment or defence of a legal claim.

When deciding whether location tracking data is correct for your organisation, you must consider the balance of the employee’s rights and freedoms, with your legitimate interests. An employee’s opinion should be at the forefront of your decision-making from both a legal, and a commercial perspective.

If handled correctly, location tracking can lead to enhanced productivity for employers and increased safety for employees. If not, employers risk a breakdown in their relationship with their workforce giving rise to complaints, issues and in a worst case-scenario claims or enforcement action by the Information Commissioner.