Employees are monitored for a variety of valid reasons including performance, meeting KPIs and quality control, and behaviour, time keeping, dress and adherence to company codes of conduct. Proportionality is an important factor in determining the appropriate level of interference in the activity of employees in work. Proportionality is increasingly important and increasingly difficult to prove when monitoring steps outside of the work environment and into the private life of the employee, for example when we are working from home.
In a recent case, the French data protection authority decided that Ikea’s decision to collect data on its employees went far beyond monitoring. It involved Ikea sourcing records of employee bank accounts, paying for access to police files and planting fake employees to report on colleagues. Nor was the objective of the monitoring without criticism. In particular, prosecutors believed that the personal data gathered was used to target union representatives and employees involved in customer disputes in order to strengthen the company’s position in negotiations.
Ikea was fined €1 million by the French data protection supervisory authority and there were also criminal charges for some of its senior management. Its chief executive in France was found guilty of obtaining personal data unlawfully and given a two year suspended prison sentence and a €50,000 fine. The head of risk management whose department masterminded the spying operations was given an 18 month suspended sentence and fined €10,000. Other employees were found guilty of unlawfully obtaining personal data. Some of these were fined and others given suspended prison sentences.
Individual cases bring out the truly horrible nature of this activity. In one case the employer was investigating how an employee who had been in receipt of benefits could afford to drive a Porsche. In another case Ikea investigated whether an employee had a criminal record because he drove a BMW but had a low income.
We recommend that monitoring practices be kept under review. At departmental level the same issues could be considered as apply when accessing any personal data at work:
- Do I need to use and therefore obtain this data?
- Do I have the authority to obtain and use this data?
- Do I understand that the collection and use of this data is my responsibility?
The Ikea case shows that some level of peer group review is also required in case senior management has lost its sense of proportion. The internal discussion might well be difficult but in the long run it is preferable to having the conversation with the regulator, in court and in public. So the question businesses need to consider is “Who monitors the monitors?”
Mandy P Webster, Data Protection Consulting