How India’s New Data Protection Law Works at the Workplace

Written by

Supratim Chakraborty, Siddharth Sonkar

Published on

26 January 2024

Reconciling workplace security and safety with employee privacy, dignity, and autonomy is a balancing act. Globally, the power asymmetry in employment renders ‘consent’ an unfavourable ground. Under the General Data Protection Regulation (GDPR), ‘legitimate interests’ as a ground to process employee data has been criticised for being overly flexible. The Digital Personal Data Protection Act 2023 (Act) instead adopts an independent basis to process personal data of employees for ‘Employment Purposes’, including:
(i)    safeguarding the employer against loss or liability;
(ii)   maintaining confidentiality and protecting intellectual property; and
(iii)  providing a service or benefit that is sought by a data principal who is an employee.

Relying on Employment Purposes will, however, impact employees’ rights and, conversely, employer obligations under the Act. For instance, where employee data is processed pursuant to Employment Purposes instead of consent, employees would not have the rights to access, correction and erasure under the Act.

In this article, we explore the parameters of Employment Purposes as a lawful basis to process the personal data of employees and where employers may draw the line.

Who is an 'Employee'?
The Employment Purposes ground is available to a ‘data principal who is an employee’. This raises certain questions:
(i)    whether this includes only present employees or even past and future employees, for example, job applicants. If the intent is to cover only present employees, fresh consent may be required, for instance, for continued retention of employee data after their term of employment, unless retention is pursuant to a law;

(ii)    whether the reference to ‘employee’ should be interpreted strictly in the data protection context, to exclude inter alia job applicants, independent contractors, consultants and temporary workers. 

Would Covert Surveillance of Employees Be Kosher?
When personal data is processed for Employment Purposes, notice to and consent from the employee are not required. Though the Act is silent on such transparency requirements for Employment Purposes, if excesses are discovered in the business ecosystem, legislative guidance or courts may in the future impose transparency or disclosure requirements to ensure fairness in employee monitoring practices.

Safeguarding the Employer from Loss or Liability 
Employers installing CCTV cameras to monitor their employees for the safety and security of the premises may, in some cases, also record the personal data of visitors who are not employees. Employers should only rely on Employment Purposes to process the personal data of employees and not indiscriminately capture the personal data of non-employee visitors. 

Some workplace surveillance products offer ‘mood scores’ to assess employee behaviour and attribute risk of attrition, or vulnerability scores to avert threats, such as employee unionisation. Such measures should only be implemented to the extent necessary, considering proportionality as a guiding principle.

Protecting Intellectual Property and Confidential Information 
To protect employer intellectual property and confidential information, employers sometimes implement keystroke logging, which involves the monitoring of every keystroke made on a computer. To the extent required, such practices may have to be appropriately reconciled with the Act.

Personal Devices Out of Bounds?
Globally, personal devices of employees are generally considered out of bounds for employee surveillance, unless they contain work communications. Where required, consent may have to be obtained from employees for such processing. In certain jurisdictions, emails marked as ‘personal’ are left alone unless compelling reasons exist to monitor such data.

Biometric Data and Wearables 
Employers that collect biometric data through wearables to monitor the health and stress levels of employees in the course of employment should consider whether such practices are necessary for Employment Purposes, depending on the nature of work, for example, field or delivery services.

Providing a Service or Benefit
Services and benefits are required to be ‘sought’ by a data principal, implying that the employee must request them through an affirmative act, as opposed to a benefit or service that is insisted upon by the employer.

Where to Draw the Line?
To become market-leading employers, organisations should balance employee surveillance carefully with employee rights, even where not required by law. As employees become empowered and privacy becomes a driving characteristic, they will seek a privacy-friendly workplace that instills an environment of trust and sustains longstanding employment relationships.
 
