Employers sometimes use cameras on their premises. Consider, for example, a store owner who has installed a camera or a camera that is placed at the entrance to a business complex. Camera surveillance around the workplace can help in preventing theft or material damage to property, but at the same time may compromise the privacy of employees and visitors. This is why the use of cameras in business environments is only allowed under specific conditions. In this blog, we will look at the nature of these conditions, while also discussing considerations related to the use of smart cameras and new technologies like face recognition.
Privacy matters – in the workplace as well
Everyone has the right to privacy or, as it is also referred to, “the right to be let alone”. This is true for personal circumstances, but it equally applies to the work environment, meaning that employers in general have to respect the privacy of their staff. In principle, they have nothing to do with personal relations of, and among, their employees, nor can they flat-out refuse a certain extent of private telephone or email use. The right to privacy in the workplace means that employers, to a certain extent, have to respect personal routines of the people that work for them and, if in reasonable proportion, have to accept that their employees will sometimes take care of personal affairs during working hours. This includes, for example, a brief phone call to a family doctor or a WhatsApp message to a partner.
The right to privacy, however, is not absolute. Employers do have the right, under certain circumstances, to impose conditions on private use of phone and email in the workplace. They are also entitled to monitor their business and their staff in various ways – by using time registration systems for instance, through the use of GPS and by keeping track of internet and telephone traffic. And they can also use cameras. Often, cameras will primarily be installed to protect business property and support operational safety, much less for employee observation. However, monitoring employees with cameras to observe their behaviour is not prohibited. Doing so, on the other hand, may compromise the privacy of employees and visitors inasmuch as their movements are being recorded. This is why camera surveillance in the workplace is only allowed under specific conditions, with businesses being required to minimise the extent of privacy violation. Cameras cannot, for example, be installed in restrooms or dressing rooms, for obvious reasons of decency. Furthermore, recorded footage cannot be retained beyond the period of practical necessity, which by general guideline is restricted to four weeks.
Absence of privacy risk
Camera surveillance (in the workplace) does not necessarily always lead to an invasion of privacy. The images captured on camera may not always be recorded for example, and there are ways of making people unrecognisable. This goes a long way in protecting privacy and therefore privacy will not be at stake so readily. After all, no recording of activity is taking place or the images recorded do not allow for identification of individual (natural) persons.
General Data Protection Regulation (GDPR)
With camera surveillance, in some cases camera images are being captured and recorded in which natural persons are identifiably visible. When these images are made, there is usually some form of (automated) processing of these images which by their nature qualify as – special categories of – personal data. Employers (within the EU) processing personal data in this manner have to comply with the requirements of European privacy law, the GDPR (Articles 2 and 3(1) GDPR).
Legal bases for the processing of personal data
An employer who processes personal data by implementing cameras in the workplace must always have a legal basis for doing so. The GDPR specifies six legal bases that can serve to legitimise the use of camera monitoring (for instance consent from the data subjects, necessity for compliance with a legal obligation or existence of a “legitimate interest”). Although there are additional bases for personal data processing in the GDPR, in the context of camera surveillance legitimate interest is the most commonly used legal basis.
If the interest an employer has in camera surveillance is significant and substantial and this interest can only be served by the practice of camera surveillance, the existence of “legitimate interest” may apply. For it to actually do so however, the answer to all of the following questions has to be “yes”:
- Is there a “legitimate” interest in camera surveillance? In order to claim legitimate interest as the legal basis for processing personal data, the interest has to actually, demonstrably exist. As noted by the Dutch Data Protection Authority (AP), the sole purposes of serving commercial interest, profit maximisation and employee behaviour monitoring without specific and relevant motivating reasons do not qualify as “legitimate interest”.
- Is camera surveillance necessary? For this to be the case, there has to be a clearly defined prior purpose. The employer, in other words, needs to consider what his exact objective is in implementing camera surveillance and whether camera surveillance does indeed contribute to meeting this intended objective.
- Does the employer’s interest outweigh the interests of the data subjects? Answering this question calls for a balancing of interests, in which the benefit of camera surveillance needs to be more significant than the drawback of potentially diminished privacy on the part of the data subjects. This is also referred to as the proportionality test.
- Have other, less intrusive measures been taken which are also sufficiently effective, like for instance additional lighting in parking lots or regular patrols by security guards? If the same result can also be accomplished by alternative, less drastic means, then installation of cameras in the workplace is not a legitimate option. This is also referred to as the subsidiarity principle.
The circumstances that are relevant in determining whether, in a given situation, an employer has a legitimate interest in camera surveillance can be derived from the AP Policy Guidelines on Camera Surveillance (2016). Factors taken into account there include the number of cameras installed, the duration of image recording (continuously or limited to specific time slots) and the number of people that can be captured on camera. Also, employers should periodically reassess the necessity of continued camera surveillance.
Works Council approval and DPIA
For camera surveillance in the workplace to be permitted, it is not sufficient to just have a legal basis. Employers considering camera installation in their business environment also have to discuss their plans prior to implementation with the Works Council, where approval of policies on handling and protection of personal data may be granted or withheld. The Works Council, in other words, has to approve plans for camera installation prior to their implementation. If an organisation does not have a Works Council, employers must at least discuss such plans in a general staff meeting. There are also cases in which carrying out a “Data Protection Impact Assessment” (DPIA) is legally required prior to implementation of camera surveillance. The AP has compiled a list of processing activities for which DPIAs are always mandatory, as in the case of long-term, large-scale and/or systematic camera-facilitated monitoring of the workplace. Carrying out a DPIA is also mandatory where the use of hidden cameras is part of an intended security solution, even if these invisible cameras will only be used occasionally. In principle, covert surveillance is not allowed in the workplace, but there are exceptions to the general rule. If there is well-founded suspicion of theft or fraud, employers can, under certain conditions and as a last resort, opt for the use of hidden cameras.
Smart cameras and face recognition
These days, cameras are capable of more than simple image recording. Face recognition is common on modern mobile phones and there are smart cameras that can detect “suspicious” behaviour. Legitimately deploying such technologies in the workplace however, apart from requiring prior DPIAs, may also have the side-effect of special categories of personal data being processed, as the identification logic used in smart cameras is partially based on race-related and biometric data. In this sense, face recognition, because of its unique identification capabilities, brings with it serious risk to the fundamental rights and freedoms of data subjects. After all, the same physical characteristics used to establish identity may also provide information on health status and physical condition, for example. Therefore, strict rules apply to the processing of special categories of personal data, the basic rule being that it is simply not allowed, unless under very specific conditions.
Rights of the data subjects
Employers also have to make sure that employees and visitors are aware of the camera surveillance itself and the purpose it serves. Moreover, data subjects have to be aware of their rights and know how to exercise them. Think of the right of access to the data being collected, in this case the camera images, the right “to be forgotten”, the right to restriction of processing and the right to object to the use of personal data.
Big Brother in the workplace is not unconditionally okay. Installation of cameras in the business environment, in cases where these cameras are being used for the processing of personal data, always requires a legal basis. Employers contemplating the implementation of camera surveillance should therefore as a first step assess the existence of a legitimate basis for deploying cameras on their premises or in their offices. Is there for example a “legitimate interest” in the installation of security cameras? Another important task to be carried out prior to implementation is the identification of potential privacy risks. In many cases, employers will be legally required to perform a preliminary investigation in the form of a DPIA and to ask the Works Council for approval of the camera surveillance proposals. Particularly in case of the intended adoption of new technologies like face recognition, it is very important to first carefully consider how “smart” the surveillance should be in order to best meet the organisation’s demands while staying within the boundaries of what is legally permitted in terms of the processing of special categories of personal data, which is at least a common side-effect of state-of-the-art systems. Finally, it is important to make sure that the data subjects are properly informed on the presence and purpose of surveillance cameras and on the rights they have in relation to the processing of their data.