Employee surveillance is a contentious topic given the inherent tension between the employer’s interest in protecting its operations and productivity and the employee’s privacy interests. This has been brought into sharper focus since the arrival of COVID-19 and the significant shift (at least temporarily) of numerous employees working remotely (see our previous blog post).
The need to balance employer business interests against employee privacy rights applies equally in the UAE’s major free zones: the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), which are separate legal jurisdictions from 'onshore' UAE.
Below we highlight some of the key features of the employee surveillance legal regime in the DIFC and ADGM, including a key aspect of the DIFC's new data protection law, which came into effect on 1 July 2020.
Relevant laws in the DIFC and ADGM
There is no specific law governing employee surveillance in the DIFC and ADGM. Rather, the data protection laws in the DIFC and ADGM (which are substantially similar) set out the basis and use of personal data and thereby effectively govern employee surveillance in those jurisdictions. This is because employee surveillance involves the collection and processing of data, which inevitably includes personal data – defined as information referring to an identified, or identifiable, directly or indirectly, natural person.
These laws permit employers to monitor the use of their property by employees provided that:
- the employees are on notice;
- where data is personal or particularly sensitive, the monitoring is typically carried out with their consent; and
- the surveillance is carried out in accordance with the principles of purposiveness, fairness, transparency and proportionality.
Notice and consent requirements
Starting with notice, to comply with DIFC and ADGM data protection laws, employers are required to provide full information to employees about any monitoring. It is not enough, for example, simply to notify employees that their email is being monitored. Rather, employees must have a clear understanding of:
- when information about an employee will be obtained (eg email content, phone use, internet browsing history, or physical presence through CCTV);
- why it is being obtained;
- how this information may be used; and
- to whom it may be disclosed.
A DIFC or ADGM-based employer might take the following reasonable approach to meet the notice and consent requirements:
- Include the requisite notice of monitoring in its electronic communications policy (or other similar policy).
- Make that policy readily available to employees (for example, on its intranet).
- Require employees to review that policy.
- Include a provision in each employment contract that the employee is subject to the employer’s policies and has a duty to abide by them.
Bear in mind though that where data is highly sensitive (because it pertains to an individual’s personal or family life), employers must meet higher requirements of freely given (voluntary), clear, specific consent, unless the data processing is necessary for business purposes (such as visa processing) or compliance with laws.
Of course, other than ordinary business processing requirements, employers do not typically collect or monitor sensitive personal data. Where they do, however, more onerous requirements apply. General consent given under an employment contract likely would not suffice.
Emergency measures during COVID-19
The DIFC COVID-19 Directive, which was issued on 21 April 2020 and which, at present, will expire on 31 July 2020, is an exception to the general law. It allows employers to take emergency measures to protect against COVID-19 health and economic concerns without consent. However, employees must still either be given at least five days' written notice of the employer’s intention to monitor, or the employer must be able to show that the purpose and benefit of such monitoring outweigh the employee’s privacy rights.
The ADGM has not introduced a similar directive; however, the ADGM Office of Data Protection has said it will take a pragmatic approach during these times.
New requirement for an impact assessment for high-risk monitoring or processing
In the DIFC, where high-risk employee monitoring occurs, effective from 1 July 2020, employers are likely required to undertake an impact assessment. The purpose of the impact assessment is to assess the necessity and proportionality of the monitoring and processing of personal data.
High-risk monitoring arises where new technological methods of data processing are used which increase the risk to the privacy rights of the employee; where considerable amounts of personal data are processed; where the processing of data acquired through data monitoring involves extensive evaluation of personal aspects relating to the employee; or where special categories of personal data are processed.
The impact assessment should:
- identify the purpose behind the monitoring or processing and the benefits likely to be delivered;
- identify any likely adverse impacts;
- consider alternatives to monitoring or processing or different ways in which it might be carried out;
- consider safeguards and security measures;
- consider the obligations arising from monitoring or processing; and
- judge whether the monitoring or processing is legally justified.
Impact assessments are not a once-off activity and should be repeated when there is a change in the risk profile relating to data processing. From a practical perspective, impact assessments prompt employers to consider less intrusive ways of employee monitoring. For example:
- To monitor the content of emails, random, as opposed to continuous, monitoring is less intrusive. So is automated monitoring that is calibrated to block emails of a large size or with obscene language, and systems that monitor email traffic as opposed to content.
- Monitoring websites visited by an employee is less intrusive if undertaken by someone who is more distant from the employee, such as a member of the human resources team or a senior line manager.
- It is less intrusive to monitor a smaller number of employees or to monitor on an aggregate (ie less individualised) basis.
Data transfer out of the DIFC and ADGM
The DIFC and ADGM laws permit the transfer of data out of the jurisdiction but make it subject to strict conditions. For more details on this, see our previous blog post on the topic.
Employee surveillance is effectively permitted in the DIFC and ADGM but only where notice and consent requirements are met and where this is carried out in accordance with principles of purposiveness, fairness, transparency and proportionality. Practical solutions can always be found to meet these requirements in striking the right balance between an employer’s legitimate business interests and an employee’s privacy rights.