Monitoring Employees’ Office Attendance in a Post Covid World: A Worldwide Issue – Key Data Privacy Issues

However, many countries (including the United Kingdom (“UK”)) have now been without restrictions for some time which has allowed employers to develop more robust and consistent RTO Policies, and has meant non-compliance has become more of a significant workplace issue. Its, therefore, unsurprising to see this becoming a focal point for many employers. 

The attitude to office attendance will inevitably vary country by country, company by company, manager by manager, and team by team, but it is important to be aware of the fundamental data privacy constraints in processing employee data to monitor such attendance. Whilst some employers may be using sophisticated technology to monitor RTO Policy compliance (e.g. facial recognition technology across the office) most employers simply want to use an ‘old fashioned’ method of monitoring the data collected via the ID passes employees use to access the office. Many employers already collect this data (for example, to monitor who is in the building for health and safety purposes), making it an ‘easy’ way to monitor who is complying with the RTO Policy. However, just because this method of data collection is technically straightforward doesn’t mean it’s legally so…

Key considerations

The list of things to consider goes far beyond the scope of this article. However, some fundamental things to consider include:

• Transparency: To comply with data protection legislation it is key to be transparent about what you are doing with employees’ data and why (in some jurisdictions more than others, and more on this below). It is fundamental to ensure your workplace privacy notice addresses this use of employee data and is available somewhere – such as your internal intranet – for employees to view whenever they need to. Equally it’s important to ensure that:
  1. employees are aware of your RTO Policy and know where to access it;
  2. the policy highlights that you’re monitoring their compliance and explains how you’re doing so; and
  3. the policy details the consequences of non-compliance.

  Similarly, while not a data privacy consideration per se, you may have a Works Council in some of the territories in which you have an office which you are obliged to inform or consult about your plans, or even obtain the approval of in order to process employees’ data in this way.

  Further, the importance of having the trust of your workforce can’t be overstated. Transparency will be crucial to avoid breaching the implied duty of mutual trust and confidence with employees (which we've discussed in this context previously here). There is also potential reputational damage to consider from an employee posting about your ‘covert’ monitoring on social media (if you opted not to be more transparent). Anything can go viral and if you have a strong external brand or culture you won’t want to be this week’s talking point. A negative post seen by thousands or even millions has the potential to have a long lasting, detrimental impact on your business.

• Lawful basis: Time should be taken to establish the lawful basis on which you are planning to process personal data, which will likely differ between jurisdictions. For example, in the UK, you may consider it to be in your legitimate interests (provided processing is within employees’ reasonable expectations) or that it may be necessary for performance of a contract. Whereas if you have an office in Israel your only lawful basis would be consent (albeit this can be implied consent in Israel) or in Portugal where you might be complying with your legal obligation (i.e. the legal duty on employers to track employees’ working times).
• Accuracy: It is important to also consider whether the data you are collecting is accurate. If employees need to use their ID pass to gain access to the building via a turnstile (one at a time) it’s likely the data you are collecting about who is in the office is accurate. However, if you only need to use your pass to, for example, access a floor in a building – where it’s highly likely that one employee may hold the door for other employees entering behind them – the data you collect as to who is in the office or how often someone is there may infringe the accuracy principle in the GDPR/UK GDPR (or other relevant laws).
• Scope: Will you be considering attendance going forward or will you be looking retrospectively to see who hasn’t been complying with your RTO Policy since it was introduced? If the latter, you’ll need to be cautious of re-purposing ID pass data. For example, if you’d previously collected this data for health and safety purposes, re-purposing that data to monitor compliance with your RTO Policy may breach the purpose limitation principle in the GDPR/UK GDPR (or other relevant laws). Irrespective of whether you are looking at employees’ compliance retrospectively or will be monitoring this going forward, consideration should also be given to your data retention policy to consider how long you’ll need to retain the ID pass data to effectively monitor compliance with the policy.
• Access: You should consider who will need access to which team’s data. It may be appropriate for the HR team to have access to the ID pass data for all employees, but heads of departments’ or team leaders’ access should be limited to their direct reports (for example).
• Data Protection Impact Assessment (“DPIA”): Wherever processing is ‘likely’ to result in a high risk to employees’ rights and freedoms you must carry out a DPIA. Nevertheless, the Information Commissioner’s Office in the UK consider it good practice to complete a DPIA for any major project which requires the processing of personal data. A DPIA (or similar under relevant legislation) is, therefore, always advisable. Whether or not processing for the purpose of monitoring compliance with your RTO Policy amounts to a high risk will likely be inherently linked to the consequences for any employee found to be in breach of the policy (as discussed below).
• Consequence of non-compliance: You’ll need to determine how the data you are collecting is going to be used. If employees may face disciplinary action for failure to comply, you must conduct a DPIA (as this is clearly a high risk to their rights and interests) and consider any employment rights the relevant employee may have (seeking external advice, where required). However, it is ‘safer’ to instead use this monitoring to target your efforts to address why people are not coming in by working directly with those who have not followed the policy.
• Consistency: Again, this isn’t necessarily a data privacy issue but the success of any RTO Policy (and the limitation of potential complaints about how you monitor employees’ compliance) hinges on buy in from managers. If you’ve got managers in different teams being more flexible on the policy, for example, it won’t be long before the “well so and so in XYZ team doesn’t have to come in…” complaints will start flooding in!
• International offices: There is no one size fits all approach to monitoring employees’ ID pass data, particularly when you are going to be monitoring employees in various international offices. Certain offices will have particular considerations which are exclusively relevant to their jurisdiction. For example, in Germany where something is deemed a ‘secret observation’ in the employment relationship, this is considered a severe violation of data protection laws. This issue may necessitate very clear and explicit communication to be sent to employees, including a link to the updated workplace privacy notice, which explains the monitoring to ensure it is not deemed to occur in secret.

Don’t rush!

These are only a few of the many issues to consider. The issue of monitoring ID pass data to measure compliance with an RTO Policy is not something which can be viewed in isolation. It’s crucial to consider your data privacy, among other, obligations carefully and seek external guidance where a second opinion on local market practice might be useful in deciding the way forward.

In terms of where to start, an effective way to begin the process of complying with your data privacy obligations would be to use the TRAP approach. This requires you to think about:

• Transparency: Are you being transparent about what you’re doing and how you’re monitoring employees from the outset?
• Reasons: What is the purpose of the monitoring, and do you have a valid legal basis to do it?
• Accountability: Are you able to demonstrate you have complied with your obligations as data controller, or do you need to take further action?
• Proportionality: Is this method of monitoring employees proportionate to the purpose for which you are doing so, or is there a fairer alternative method to achieve the same result?

If you can address each of these issues, its likely you’ve thought about a reasonable amount of your data privacy obligations already, and then need to consider whether there is anything else or anything more complex you need to factor into your plans.

An effective way to consider any remaining obligations would be to complete a DPIA. While not necessarily a legal requirement in every instance, a DPIA will always be a useful tool to assess risk and demonstrate your consideration of, and hopefully compliance with, data protection law. However, this may only be the starting point for you to consider a variety of other factors (the draft Information Commissioner’s Office guidance on monitoring at work provides some useful suggestions as to other things you will need to consider). Similarly, this should not be a project implemented solely by the ‘head’ office. Teams in each territory have crucial local knowledge as to the legal and practical considerations the ‘head’ office may not have appreciated.

If you’re considering monitoring employees’ compliance with your RTO Policy, or monitoring employees in any way, and have any questions or concerns as to your data privacy (or other legal) obligations, please do get in touch with your usual Lewis Silkin contact who would be happy to help.