It’s been widely reported that several employers in the UK and Ireland are using office access data to monitor employees’ office attendance and adherence to hybrid working policies.
Given the growing desire amongst employers to encourage employees back into offices, it’s likely that more employers will follow suit, however, caution should be exercised by employers before implementing and subsequently relying on such monitoring practices for disciplinary purposes.
Case study
The Irish data protection authority, the Data Protection Commission (‘DPC’) has published a case study on the use of an employee’s swipe-card data for disciplinary purposes.
In this example, an employee was subject to disciplinary proceedings concerning their poor time-keeping by their employer, who wanted to rely on swipe card data showing the times that the employee arrived and left the workplace. As part of the internal appeal process, the employer agreed not to use this information for this purpose and removed it from the employee’s disciplinary record.
The employee subsequently made a complaint to the DPC to investigate this matter further.
One of the key principles that featured in the DPC’s investigation was that data should be obtained and processed fairly and that employees should be given appropriate information including the purpose for which data is intending to be processed.
In this situation, the employer hadn’t provided information to the employee (or any other employees) about the potential use of swipe card information in disciplinary proceedings, although this was the only situation in which the swipe-card data was being used for this purpose. The DPC therefore concluded that, since they had not been transparent about the purpose for which the swipe-card data had been collected, the employer had not obtained and processed that data fairly.
Recommendations
This case study serves as a reminder to employers to ensure that their privacy notices are regularly reviewed and updated, and that any potential uses of data are properly notified to employees.
When conducting a disciplinary process, employers should be mindful of this issue and ensure that any use of data has been properly been made aware to employees. Employers should also make note of the storage limitation principle in the GDPR, which requires personal data to be retained for the least amount of time required to achieve the objective.
