EU and International Background
In Europe, the use of new information and communication technologies (ICT) at the workplace has spread rapidly in recent years. This raises numerous issues for employers, employees and their representatives and has been the subject of laborious discussions especially in terms of the link between workers’ privacy and employers’ need to control and monitor the use of ICT.
It is also pertinent to point out that there is no specific and uniform European Legislation on this topic. In fact, there are currently only two EU Directives. One of these Directives (Directive 95/46/EC) concerns the protection of individuals with regards to the processing of personal data and the free movement of such a data, while the other (Directive 2002/58/EC which amends Directive 97/66/EC), involves the processing of personal data and the protection of privacy in the electronic communications sector. However, as mentioned-above, these EU Directives do not contain any specific provision aimed at regulating the monitoring of workers’ behaviour and correspondence.
Therefore, EU Member States which decide to regulate this area at this stage only have to comply with the general principles provided by the European Legislation, as well as with the ones provided by International Legislation, such as the International Labour Organisation (ILO) Code of Practice according to which:
- employees must be informed of use of technologies at workplace;
- employers, who decide to use technologies in order to control and monitor employees’ performance, must take into account any potential consequence on employees’ privacy;
- use of “secret” monitoring must be limited to cases where it is necessary for employees’ health and safety and/or for the protection of property.
As a consequence, EU Member States regulate surveillance and monitoring of workers by employers through a number of principles and rules contained in various legal acts, including the Maltese Constitution, legislation on employment, Employment data protection Laws, telecommunication Laws and Regulations, Criminal Code, amongst other. As a further consequence, the interaction of the mentioned national provisions in so far as their application is concerned is often not clear and sometimes controversial.
In view of this, the EU Commission has undertaken the task to consult with the social partners in order to ascertain as to whether it is advisable to adopt a specific and full-detailed legislation on monitoring and surveillance at workplace. The debate is currently opened at European level.
What about the use of monitoring and surveillance in Malta?
In Malta, there is no specific regulation on monitoring and surveillance at workplace, such as CCTV surveillance, monitoring of e-mails and telephone calls, biometric-based time attendance systems through a palm reader, and monitoring and restriction of internet browsing.
Therefore, employers in Malta only have to apply data protection principles as they are set out under the Data Protection Act (Cap 440) and its Subsidiary Legislation, as well as guidelines provided by the Office of the Information and Data Protection Commissioner when it comes to methods of surveillance.
Over the last few years, many employers in Malta have started to use time and attendance (T&A) systems to record when their employees start and finish work. Such systems, in fact, enable employers to have full information on employees’ working time and labour costs. Biometric T&A technologies – such as the hand-reader, fingerprint reader or face recognition device – provide additional benefits over traditional employees’ tracking systems as they increase reliability and reduce costly errors.
However, prior to implementing a biometric system, employers should carry out a proper privacy impact assessment in order to ensure that the use of biometrics is essentially necessary.
When processing personal data which involves risks of improper interference with the rights and freedoms of data subjects, a prior checking request has to be submitted to the Commissioner to endorse such processing operation. Thus, prior to submitting a notification form, the data controller has to request a prior checking to implement a biometric system.
In addition, employers have to provide their employees with all the relevant information on biometric systems used at the workplace and if such employees are unionised, the employer should, as a matter of good practice, also consult the Trade Unions in order to provide them with the same information.
Where the introduction of biometric systems is deemed necessary, employers should opt for systems which provide a high level of comfort in terms of privacy requirements as it is possible in view of technological progress achieved in this field. These systems include those which do not physically record and process the actual image of the biometric feature, such as the fingerprint.
Where the employer engages the service of another organisation for the management of the biometric system, such a relationship has to be regulated by a written agreement. This agreement should bind the managing organisation to solely act upon the instructions of the employer and implement all the required security measures to protect the personal data against any unlawful forms of processing.
What about the use of GPS/Vehicle Tracking Systems by employers in Malta?
Generally, employers may use Global Positioning Systems (GPS) devices to track employees in employer-owned vehicles.
However, the use of GPS/Vehicle Tracking Systems is not specifically regulated in Malta. Therefore, employers are just due to act in line with the principles set out under the above-mentioned Data Protection Act and its Subsidiary Legislation. Employers have to assure that staff monitoring, including GPS systems, comply with the transparency requirements of Data Protection Legislation such as, amongst other, the duty of clearly informing employees of the existence of the surveillance and of all the purposes for which the personal data will be used.
Employers should also advise and make available to drivers, a policy on the use of tracking devices, including the use of company’s vehicles for private use.
Finally, new employees should be informed of the operation of such devices.
In case of breach of such rules, general principles on Data Protection Regulations apply. In particular, the Data Protection Commissioner may impose an administrative fine which does not exceed € 23,000, without resorting to a court hearing.
However, any person aggrieved by a decision of the Data Protection Commissioner has the right to appeal to the Information and Data Protection Appeals Tribunal within thirty days from the date of notification to him/her of the said decision.
Such a decision may on question of law be appealed to the Court of Appeal in Malta within thirty days from the date on which that decision has been notified.
Balancing Employers’ Right to know with Employees’ Right to Privacy
Employers may wish to use surveillance at workplace for a variety of beneficial reasons, including employees’ safety, prevention of theft and supervision of employees’ performance.
Such benefits include also reduced payroll error through elimination of employee fraud, increased productivity and improved management reporting, resulting in an overall reduction in labours hours, running costs and an increase of efficiency.
Moreover, employers have the interest to run their business efficiently and above all, to protect themselves from any liability which employees’ actions may create. For instance:
- employers may be victim of employees’ criminal offence;
- employees’ use of social networking sites may cause damage to the employer’s business reputation or releases confidential information;
- employees’ bullying may be carried out on the internet and mobile phones, through social networking sites, email and texts.
Therefore, there are positive arguments to have the appropriate measures to limit workers’ right to privacy.
On the other hand, there are negative aspects linked with the use of surveillance as employees’ personal data may be unfairly used and/or spread. Employers’ “need to know” needs to be balanced with employees’ “right to privacy”.
Balancing different rights and interests requires taking into consideration several principles, including the principle of proportionality. It should be clear that monitoring activity or surveillance at workplace cannot justify any intrusion into employee’s privacy.
Although there is no legal duty in this respect, employers should provide employees with a ready, accessible, clear and accurate statement of policy with regard to email and internet use, including the use of social media at workplace. This should also clearly describe the extent to which the employees can use communication facilities, either owned by the company or personal remote devices such as smartphones for personal or private communications.
This document should:
- clearly set out the conditions under which private use of the internet is permitted as well as specifying material that cannot be viewed or copied;
- provide information about systems implemented both to prevent access to certain websites and to detect misuse;
- specify what use – if any – will be made of any data collected in relation to who visited websites;
- inform employees about the involvement of their Trade Unions representatives, if any, both in implementation of the policy and in the investigation of alleged breaches;
- clearly explain enforcement procedures in case of breaches of internal electronic communication use;
- make clear to employees, reasons and purposes for which surveillance and/or monitoring must be used.
Employees should also be advised as to what personal information will be collected, used, and disclosed, and for what purposes, such as discipline or safety.
In order to ensure that employees are aware of such a policy, specific confirmation that they have read the same policy should be requested. Such policy may be also made available by means of a newsletter.
The Impact of electronic surveillance at workplace
A recent study carried out by the University of Malta and published on the website of Eurofound has explored employees’ reactions to the surveillance of employees using equipment such as CCTV, monitoring of e-mails, and restrictions on internet browsing.
Employees said monitoring had a negative impact on their wellbeing and a detrimental effect on the management-employee relationship. Monitoring systems introduced a number of negative feelings among the employees and this affected their well-being. Some expressed this in terms of a sense of discomfort, while others spoke about their frustration and how surveillance exposed their vulnerability. This left employees feeling like that they were being treated like children instead of responsible adults.
The findings also suggested that such systems could have a negative impact on the relationship between management and employees, especially if such measures were perceived to be excessive or there was a lack of communication about the systems.
According to such a research, before any monitoring system is introduced, management should be clear and honest with the employees about it if they want to avoid a loss the trust of their employees. Management should also be clear about the aims and scope of such surveillance systems to avoid a detrimental effect on employees and the employee-management relationship.
On the other hand, the use of electronic surveillance at the workplace is often necessary, especially within those companies and institutions which used to handle sensitive information (i.e.: such as EGaming Companies). Such companies and institution are required to protect this information in the interest of all the clients, customers, individuals involved. In this respect, surveillance and/or monitoring are aimed at preventing any unauthorised use of such an information by third parties.