Assess data protection impact before conducting internal investigations

Out-Law Analysis | 18 May 2018 | 3:54 pm | 3 min. read

ANALYSIS: Businesses that plan to carry out internal investigations into the conduct of their employees or agents are likely to need to carry out data protection impact assessments (DPIAs) first, as DPIAs are now mandatory in certain circumstances under the GDPR.

When companies suspect employees of criminal behaviour, such as bribery, corruption or fraud, this usually triggers the need to carry out a full investigation, which commonly includes monitoring of the content, senders and recipients of emails. In carrying out such an investigation, businesses want to avoid inadvertently committing an offence of 'tipping off', and so monitoring is usually carried out covertly.

Data protection impact assessments under the GDPR

The GDPR, which applies from 25 May, mandates organisations to conduct DPIAs in specified circumstances.

It says that organisations will be obliged to carry out DPIAs if their planned processing involves: "a systematic and extensive evaluation" of personal aspects based on automated processing, including profiling, resulting in decisions that significantly affect individuals; large scale processing of sensitive data or data on criminal convictions/offences; or systematic large scale monitoring of a publicly accessible area, such as through the use of CCTV.

The GDPR also requires DPIAs to be undertaken if planned data processing activities are otherwise "likely to result in a high risk to the rights and freedoms of natural persons". Covert monitoring, by its nature, is likely to result in such a high risk and, as such, a DPIA will be required by law.

The introduction of DPIAs as a requirement marks a change from the position that applied prior to the GDPR, where their use was recommended as 'best practice' but not mandated under law. Indeed, the UK's Information Commissioner's Office (ICO) has produced a code of practice on privacy impact assessments.

DPIAs and internal investigations

In practical terms, the DPIA process will require businesses to consider and document the nature and scope of the investigations they propose, the reasons why they are pursuing them, and their assessment of the necessity and proportionality of the measures and of the impact on individuals' privacy. In addition, it requires businesses to outline the steps they plan to take to address the privacy risks.

In this context, it will often be appropriate for businesses to limit the timeframe over which they will engage in covert surveillance of employee communications, and to apply the surveillance measures only to a single person or a small number of staff rather than broadly across the workforce. Technology such as 'keyword' filters can also be deployed to restrict which communications are read.
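The three proportionality measures just described (a named set of subjects rather than the whole workforce, a fixed monitoring window, and a keyword filter before any content is read) can be enforced in code, and the counts of what was excluded give the documented record a DPIA expects. The following is an added example and not code from the original article or from Pinsent Masons; the message sample, the `example.test` addresses and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: tuple
    sent_at: datetime
    body: str


@dataclass(frozen=True)
class InvestigationScope:
    subjects: frozenset      # mailboxes named in the DPIA, not the whole workforce
    window_start: datetime   # monitoring period recorded in the DPIA
    window_end: datetime
    keywords: tuple          # terms that justify reading message content at all


@dataclass
class ScopeReport:
    reviewed: list = field(default_factory=list)   # (msg_id, matched keywords)
    excluded_out_of_scope: int = 0                 # neither sender nor recipient is a subject
    excluded_outside_window: int = 0               # sent outside the agreed period
    excluded_no_keyword: int = 0                   # in scope, but content never surfaced


def _involves_subject(msg, subjects):
    return msg.sender in subjects or any(r in subjects for r in msg.recipients)


def apply_scope(messages, scope):
    """Return only the messages the DPIA permits an investigator to read,
    plus counts of everything that was screened out and why."""
    report = ScopeReport()
    pattern = (re.compile("|".join(re.escape(k) for k in scope.keywords), re.IGNORECASE)
               if scope.keywords else None)
    for msg in messages:
        # Checks run on metadata first; message content is only inspected
        # once the subject and time-window limits are satisfied.
        if not _involves_subject(msg, scope.subjects):
            report.excluded_out_of_scope += 1
            continue
        if not (scope.window_start <= msg.sent_at <= scope.window_end):
            report.excluded_outside_window += 1
            continue
        hits = sorted({m.lower() for m in pattern.findall(msg.body)}) if pattern else []
        if not hits:
            report.excluded_no_keyword += 1
            continue
        report.reviewed.append((msg.msg_id, tuple(hits)))
    return report


# Constructed sample data (hypothetical addresses and messages).
UTC = timezone.utc
SAMPLE_MESSAGES = (
    Message("m1", "alice@example.test", ("vendor@example.test",),
            datetime(2018, 5, 3, 9, 0, tzinfo=UTC),
            "Invoice approved. Please route the payment through the usual account."),
    Message("m2", "alice@example.test", ("bob@example.test",),
            datetime(2018, 5, 4, 12, 30, tzinfo=UTC),
            "Lunch at one?"),
    Message("m3", "carol@example.test", ("dave@example.test",),
            datetime(2018, 5, 4, 13, 0, tzinfo=UTC),
            "Invoice and payment details attached."),
    Message("m4", "alice@example.test", ("vendor@example.test",),
            datetime(2018, 3, 1, 10, 0, tzinfo=UTC),
            "Payment sent as agreed."),
)

SAMPLE_SCOPE = InvestigationScope(
    subjects=frozenset({"alice@example.test"}),
    window_start=datetime(2018, 5, 1, tzinfo=UTC),
    window_end=datetime(2018, 5, 31, 23, 59, 59, tzinfo=UTC),
    keywords=("invoice", "payment"),
)


def demo():
    return apply_scope(SAMPLE_MESSAGES, SAMPLE_SCOPE)


if __name__ == "__main__":
    result = demo()
    print("messages surfaced for review:", result.reviewed)
    print("excluded (not a subject):", result.excluded_out_of_scope)
    print("excluded (outside window):", result.excluded_outside_window)
    print("excluded (no keyword match):", result.excluded_no_keyword)
```

Of the four sample messages only `m1` reaches the investigator: `m3` is between two people outside the named subjects, `m4` predates the agreed window, and `m2` is in scope but contains no keyword, so its content is never surfaced. The exclusion counts are what the DPIA file would retain as evidence that the limits described in the text were actually applied.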

Central to the DPIA process is good governance. The process should be fully documented. If the organisation is legally required to have a data protection officer (DPO), it should seek the advice of that officer on its DPIAs. However, businesses should also consider potential conflicts of interest and the need for DPOs to operate independently when determining the role of DPOs in shaping DPIAs relating to covert employee monitoring.

External legal advisers can help businesses ensure their governance around DPIAs is sound.

Lessons from case law in getting things wrong

Under the GDPR, businesses that fail to carry out DPIAs when they are legally obliged to do so face fines of up to €10 million, or 2% of their annual global turnover for the preceding financial year, whichever is higher. They will also suffer reputational damage from the publicity surrounding a finding of infringement.

However, a failure to carry out a DPIA around planned covert employee monitoring, and to advise employees of the potential scope of monitoring activities, can have further implications too, as demonstrated by previous cases.

In 2017, the European Court of Human Rights ruled that a business that monitored an employee's personal communications during work time breached his rights to privacy under article 8 of the European Convention on Human Rights.

Romanian engineer Bogdan Bărbulescu was dismissed from his job in 2007 for breaching the terms of his employment contract after his employer showed that he had been using a messaging service for personal communications during work time, against company policy.

The Grand Chamber concluded that Bărbulescu's rights to privacy had been violated after assessing whether his employer had informed him in advance of the true extent and nature of its communications monitoring and whether the monitoring activity was carried out in the pursuit of legitimate interests that justified the intrusion of privacy.

The court said that it did not appear the employer had given Bărbulescu sufficient advance notice of "the extent and nature of [their] monitoring activities, or of the possibility that [it] might have access to the actual content of his messages".

It also determined that while businesses are entitled to set out internal policies that restrict the rights of staff to use the internet for personal purposes, "an employer’s instructions cannot reduce private social life in the workplace to zero". The employee's right to privacy in their communications "continues to exist, even if these may be restricted in so far as necessary", it said.

Engaging in covert monitoring that infringes employees' privacy rights could ultimately undermine any disciplinary action that businesses take on the basis of the evidence gathered.

In addition, an unjustified privacy intrusion can potentially expose businesses to claims for compensation either under the Convention or the GDPR. The GDPR entitles individuals to compensation from either a data controller or processor where they experience "material or non-material damage" as a result of an infringement of the Regulation.

Laura Gillespie is a regulatory law expert at Pinsent Masons, the law firm behind