Big Brother: Can your employer monitor your whereabouts?

As businesses grapple with the current economic challenges, the support measures previously offered to employees during the pandemic are being tightened.

However, as companies adopt more stringent monitoring practices, the question arises: where is the line drawn between necessary oversight and the invasion of employee privacy?

Headlines have been lighting up over the last year as different sectors start to call time on flexible working, with some staff ordered back to the office full-time.

Since the pandemic made working from home common, some think remote workers are lazy. Earlier this year, a viral video showed JP Morgan’s boss, Jamie Dimon, calling Gen Z workers lazy and claiming they ‘slack off’ at home.

As a result, many employers have resorted to calling workers back into the office, with some companies employing increasingly strict processes to facilitate their return.

Earlier this month, news broke that Big Four firm PwC UK was increasing its monitoring of employees’ office attendance by tracking key card usage and WiFi connections to ensure staff comply with in-office requirements.

Monitoring office key cards is not a new practice, nor is it unique to PwC UK; it is a typical practice across most businesses. However, due to the nature of this business, especially its consultancy arm, associates and partners, when requested, often work from their clients’ offices.

As part of the attendance dashboard system, PwC is tracking work laptop WiFi connections, which indicate whether staff members are at their client’s office.

For a firm that, like most of the Big Four, is struggling with profitability issues and the problems arising from the surge in AI, it is not surprising that it is getting stricter with its staff.

Big Brother

From watching how often someone’s mouse moves to Barclays installing tech to watch its workers’ activity on their computers, having a monitoring system in place is not a new concept.

As Mayer Brown’s partner Miriam Bruce stated, businesses want to ensure that employees are productive and are complying with the employer’s policies.

But what are an employer’s obligations when monitoring its staff, and does that monitoring cross the line into privacy laws?

“Location data that is tracked via logins or wifi connections would generally be personal data, so employers need to be aware of legislative requirements under both the UK GDPR and Data Protection Act,” Matthew Berridge, Baker McKenzie partner, explained.

UK GDPR, effective since January 1, 2021, mandates data protection for UK-based organisations and those offering services or monitoring behaviour in the UK.

Some of the key aspects include protecting personal information, enhancing individual rights over their data, and outlining obligations for organisations to process data lawfully.

The fines for breaching the GDPR, set out by the Information Commissioner’s Office (ICO), can reach up to £17.5m or four per cent of the company’s annual global turnover, whichever is higher.

Privacy laws

The Data Protection Act 2018, sitting alongside GDPR, governs how organisations use personal data to protect people’s privacy.

Bruce highlighted that “employers must identify a lawful basis for any processing of personal data under UK GDPR”. She added that “any monitoring technologies which require the processing of special category personal data, including biometric data, will be subject to additional obligations, and employers will need to identify an appropriate condition under GDPR for such processing activity.”

Berridge explained that employers will need to make sure employees are aware of the collection and use of their personal data.

However, “depending on the specific monitoring, there is a good chance that employers will also have to carry out data protection impact assessments (DPIAs), all of which will need to be done before the tracking is put in place.”

A DPIA is required before undertaking any high-risk processing, for instance, in Bruce’s example, where an employer intends to process biometric data of employees or undertake keystroke monitoring.

This comes as the biometric systems used to monitor staff data are under review by the ICO following its clampdown on businesses that use them.

Speaking last year, John Edwards, UK Information Commissioner, described biometric data as “wholly unique to a person, so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”

In February 2024, the ICO ordered public service provider Serco Leisure and its trusts to cease using facial recognition technology and fingerprint scanning for employee attendance monitoring. This came after the regulator investigated the company and found it was “unlawfully” processing the biometric data of more than 2,000 employees at 38 leisure facilities.

Beyond the ins and outs of the law around acting as Big Brother over employees, Merrill April, partner at CM Murray, said businesses need to think carefully about the impact, as the bigger issue is cultural.

“If tracking makes people feel they must show up just to ‘clock in’, rather than to do their best work, it fosters presenteeism and quickly becomes counterproductive. Heavy-handed monitoring can fuel anxiety, mistrust, and ultimately drive good people away and put off potential good candidates,” she explained.

“Open communication and genuine engagement will always achieve more than dashboards and surveillance,” April added.
