Legal compliance of surveillance: What employers need to know
With the advancement of technology and the prevalence of remote/hybrid working arrangements, it is increasingly common for employers to adopt employee surveillance measures. The drive for workplace surveillance is motivated by various employer needs, including monitoring workforce productivity, ensuring employees’ compliance with company policies and applicable laws, and protecting the employer’s reputation and any key sensitive or proprietary information from malicious or accidental leakage.
As employee surveillance will invariably involve personal data (of the employee subject to the surveillance but also potentially of others), employers should take care to comply with applicable data privacy laws and regulations – not just in the jurisdictions where relevant individuals are located, but also where any personal data will be processed, stored or used.
For example, under the Personal Data Protection Act 2012 (“PDPA”) in Singapore, unless exceptions apply, an organisation can only collect, use or disclose the personal data of an individual with the individual’s consent and the organisation must also notify the individual of the purpose(s) for which it intends to collect, use or disclose the personal data. In addition, there are requirements to keep such personal data accurate, securely stored, and not retained for longer than necessary. In the employment context, the PDPA provides that:
1) Neither notification nor consent will be required from employees if personal data is collected, used or disclosed for “evaluative purposes” (that is, for the purposes of determining suitability for employment, continued employment, promotion, and/or dismissal).
2) Notification only (but not consent) will be required to be made by employers to employees where personal data is collected, used or disclosed for the purposes of entering into an employment relationship or managing or terminating an employment relationship (IT monitoring, for example). On request by the employee, the employer is also required to provide the business contact information of a person who can answer the employee’s questions about that collection, use or disclosure of personal data about the employee.
Whilst legal requirements may vary from country to country in South-East Asia, employers should take note of the following general principles:
1. Employers should have a legitimate business reason for monitoring. For example, the PDPA test in Singapore is whether the collection, use or disclosure of the personal data is undertaken only for purposes that a reasonable person would consider appropriate in the circumstances and that the individual has been informed of such purpose (subject to any PDPA exception to the notification requirement).
2. Employers should have a clear, written policy on workplace monitoring. This “Monitoring Policy” should ideally set out (i) the scope and nature of monitoring; (ii) the purposes for collecting, using or disclosing personal data that the employers obtain through monitoring; (iii) the prohibitions on employees regarding the use of employer-owned systems and devices; and (iv) the disciplinary sanctions for breaching such policy.
3. Employers should inform employees about the monitoring that will be conducted. Employees should be made aware of the nature, extent and reasons for any monitoring (via login notices, security policies and relevant Monitoring Policy, employment contracts, or staff handbook). By communicating this information in writing, employers will have an effective audit trail if they are investigated by the relevant authorities.
4. Employers should ensure that the monitoring is conducted in a proportionate and reasonable manner. In practice, the surveillance should not be excessive or invade individuals’ private lives. For example, the initial analysis of employee communications can be conducted in an automated manner via the detection of key words and document types. Any subsequent review of individual communications should only occur where warranted on the basis of reasonable suspicions. Communications that are clearly of a personal nature should not be reviewed unless there are strong grounds for suspecting that they infringe relevant laws or regulations or company policies.
5. Employers should obtain employee consent to monitoring where possible. Even if there is no strict legal requirement to obtain employee consent, it would be best practice for employers to procure the employees’ assent to address any residual risk and mitigate the risk of employee challenge or complaint.
For completeness, there may also be (i) other legal frameworks that govern the interception of electronic information/computer service (the Electronic Information and Transactions Law in Indonesia and the Computer Misuse Act 1993 in Singapore, for example) and (ii) sector-specific laws and regulatory requirements that apply to monitoring activities carried out by certain regulated or licensed entities.
On a broader note, even if the monitoring activities are legally compliant, employers should also consider if the surveillance measures would have any detrimental impact on the workplace culture, work morale and trust amongst employees.
What can employees who are subjected to surveillance or monitoring do?
From a data privacy perspective, employees as data subjects generally have the right to:
- Access their own personal data collected by the employer through surveillance
- Correct any error or omission of their own personal data
- Withdraw their consent to the collection, use or disclosure of their personal data.
Employees can also lodge a complaint with the relevant data privacy authorities if there is any breach of the data privacy laws and regulations by their employers.
In practice, employees generally appreciate that there is a fine balance between the employer’s interest in managing the workplace and the employees’ privacy interest. In this regard, it is not common in South-East Asia for employees to actively challenge the employer’s monitoring activities unless the surveillance is conducted in an excessive, intrusive or unreasonable manner.
Adopting clear and comprehensive monitoring policies, making sure that they are brought to the attention of employees, and regularly reviewing and updating them are all very helpful steps for employers, both to prevent damaging leakage or misuse of data and, in remedial cases, to seek appropriate damages or other redress by being able to assert and point to a clear and express breach by errant employees.
About the author: Laure de Panafieu is Partner and Asia Head of Employment & Incentives at Linklaters