Knowledge

All employers, to some degree, need to keep track of what their employees are doing on their systems: email monitoring and internet tracking history are obvious examples in an office environment. But employee monitoring can also extend to other things, including, for example, camera surveillance, access controls, and key stroke monitoring. To ensure that employee monitoring is carried out in a fair, transparent and lawful manner, all Channel Islands based employers should:

1. determine the purpose before implementing any monitoring system;
2. ensure that the purpose falls within the scope of the requirements for a lawful basis and legitimate purpose as required in the Data Protection (Jersey) Law 2018 and/or the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "Law");
3. consider the imbalance of power which is inherent in all employer/employee relationships and whether the purpose requires further explanation and/or explicit consent before employees can determine their position;
4. determine how much personal data (as defined within the Law) needs to be captured for the stated purpose and, in so doing, ensure that only the minimum amount of personal data is captured;
5. consider whether the information captured is reasonable or whether the purpose may be achieved an alternative way without the need to collect any personal data;
6. complete a data protection impact assessment;
7. introduce policies and a privacy notice with clear and accessible language;
8. ensure that all policies and privacy notices are easily accessible by all employees and/or available in other forms which take account of any reasonable adjustments required by the workforce;
9. encourage open dialogue and communication amongst employees and their supervisors about the policies and privacy notices;
10. when onboarding new employees, make sure that all relevant policies and privacy notices are provided to the new employee and/or they are informed where to access such documents;
11. consider the introduction of covert monitoring only where criminality and/or gross misconduct is suspected. It is also recommended that steps 1 to 6 are repeated before implementation of covert monitoring and that periodic reviews are undertaken to ensure that the determined purpose remains relevant at all times of the covert monitoring process;
12. when using third-party service providers, ensure that all contractual documentation includes a data protection clause which ensures compliance with the Law and requires immediate notification of any breach of the Law;
13. limit access to the collected personal data to those who have a specific requirement only;
14. implement and use a retention policy to ensure that personal data is only stored for as long as reasonably necessary and required for the stated purpose; and
15. review applicable policies, notices and procedures regularly and at least upon any change in the Law or business circumstances.

If you are finding navigating the data protection landscape difficult, please get in touch with your usual Bedell Cristin contact or one of the contacts listed.