By Richard Woodman, Royds Withy King
Banking and financial services businesses have for many years monitored the work patterns and behaviours of their staff. Since the coronavirus pandemic and the subsequent seismic shift in working patterns, we are now seeing an increasing number of employers monitoring their staff in their own homes.
There will be many valid reasons for businesses to monitor their staff, but it is a legal minefield, particularly for global financial institutions operating in countries with very different regulatory and cultural frameworks, says Richard Woodman at Royds Withy King.
In the UK, it is commonplace for banking and financial services firms to monitor staff, whether for regulatory and compliance or productivity reasons.
In a survey of 504 financial services firms in 2018, PwC found that 77% routinely tracked productivity of their staff, and that a quarter of banks, asset managers, and insurers with assets exceeding $5bn even went as far as tracking productivity on an hourly basis.
And monitoring does not extend to just productivity. Recent banking scandals have seen the private messages and social media accounts of employees closely monitored.
In the UK, financial services, alongside legal services, is one of the most highly regulated industry sectors. Its staff are well-used to being closely watched. But can employers replicate the same monitoring measures when staff are in their own homes? When does monitoring leave an employer vulnerable to charges of spying on the private lives of their staff?
Interestingly, from a legal perspective, there is currently no data privacy law in the UK which specifically governs monitoring employees. However, there is legislation in place which has a significant impact on how this can be done, chiefly the European Convention on Human Rights (ECHR) and the General Data Protection Regulation (GDPR) – both EU regulations which have been incorporated into UK law. The UK also has a statutory regime in place to govern the interception of electronic communications, which is set out in the Investigatory Powers Act 2016.
In terms of what level of employee monitoring is permissible – this is a very complicated question, which will depend on a number of variables. Probably the best starting point for employers is the ICO’s “Employment Practices Code”, which contains guidance and good practice recommendations for any company seeking to monitor their staff.
Generally speaking, the following questions will all feed into whether or not an employer is in breach of the law in monitoring their staff:
- Is the monitoring being undertaken because of a legitimate reason? Lacking a legitimate reason for implementing particular staff monitoring measures will make it far more likely to fall foul of UK legislation.
- What is the extent of the monitoring? Employers should always seek to implement the minimum level of monitoring required to achieve their goals. If a less intrusive method of monitoring employees is readily available, an employer will likely have little justification for implementing anything further.
- Who has access to the data being collected through monitoring? This should always be restricted to the smallest number possible in order to achieve the legitimate aims of the employer.
- Has the employer considered the potential consequences for its employees, and have the necessary safeguards been put in place?
- Are the employees aware of the fact they are being monitored? The ICO guidance recommends that employers set out (amongst other things) the circumstances in which monitoring may take place, the nature of the monitoring, and how any information obtained through monitoring will be used.
- Is any information collected being processed lawfully, in accordance with GDPR?
Compliance with GDPR is of particular importance for larger companies and financial institutions, who will necessarily process far more data, and therefore require more sophisticated systems in place for safeguarding this adequately.
Failure to do so may put companies in the unenviable position of Barclays, who last year were investigated by the ICO for their use of staff monitoring software. In choosing to enable an additional function to allow monitoring of individual employees rather than anonymous monitoring, Barclays faced significant staff criticism, followed by an ICO investigation, and ultimately the termination of the monitoring programme a month later.
If Barclays are found to have breached UK data protection law, they face a potential fine of up to 4% of annual turnover (over £800 million).
Balancing employment legislation, data privacy, and the health and wellbeing of staff is undoubtedly similar to walking the proverbial tightrope. The need to get it right, now that the working week looks set to permanently include time in both the office and at home, is paramount. Get it wrong and the penalties can be stiff.
Based on the ICO guidance, legislation, and also case law, probably the two most important factors for any company implementing monitoring measures for their employees are: proportionality and transparency.
Proportionality, especially in the context of an individual’s expectation of privacy, will play a pivotal role in what is considered “acceptable” monitoring of employees. The courts will always look to balance the expectations of the individual, and the individual’s right to privacy, against the public interest and the protection of others. In this regard, the employer’s reasoning for monitoring its employees is crucial.
Likewise, transparency is a concept that crops up continuously in the field of employee monitoring, in particular in the ICO’s guidance. This is probably best summed up in the ICO’s statement: “If organisations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organisations also need to make employees aware of the nature, extent and reasons for any monitoring.”
A final point to bear in mind is the additional burden on companies with a global reach, who must be aware of the different laws governing different jurisdictions. Although much of the UK law stems from EU regulations, providing a helpful measure of consistency across other EU countries on the continent, it must be noted that policies which work in some countries may not be appropriate in others.
Richard Woodman is a partner and head of financial services at law firm Royds Withy King. Visit www.roydswithyking.com.