Technological advances mean that employers are more able to monitor employees, but how far can control measures actually go before they encroach on personal privacy? In this article, Lindahl’s experts provide an overview of employers’ rights and obligations when it comes to controls on work equipment, drug tests, background checks and controls on working hours – as well as what laws, such as GDPR and good practice in the labour market, mean in practice.
Privacy issues in working life have begun to attract greater interest. One reason for this is the fact that new technology provides new ways of monitoring and carrying out controls on employees. Furthermore, strong employment protection means that it is more in employers’ interests to obtain various types of information on job applicants and to subject employees to more stringent controls.
The question that many employers ask themselves is to what extent is an employer allowed to carry out controls on employees in the form of drug tests or surveillance of work tools, for example. That question is not altogether easy to answer because there is no uniform legislation in the area relating to employees’ personal privacy.
When it comes to control measures, it will be important to carry out a new assessment in each individual case based on labour law legislation and other relevant laws such as GDPR and the European Convention.
The starting point under labour law is that an employer can adopt various types of control measures pursuant to the right to direct work, collective agreements or individual agreements. However, the employer may not implement the measure in a way that is contrary to law or good practice in the labour market. In order to determine whether the control measure is contrary to good practice, a balance is established between the employer’s interest in carrying out the control and the employee’s interest in protecting his or her personal privacy.
The fact that the controls must not be against the law makes it necessary to take into account the requirements set out in the General Data Protection Regulation (GDPR), for example, if the control measure to be adopted by the employer involves processing personal data. Since the vast majority of control measures involve such processing, the GDPR takes on crucial significance for the admissibility of the control measure
The essential thing about the GDPR is the weight of the employer’s reasons and interests, the necessity of the measure and the proportionality in relation to the employee’s interests. Information for employees on what controls can be carried out with the aid of the data collected by the employer is also of great importance. The assessment under the GDPR is very like the assessment carried out in questions of good practice in the labour market.
An overview of the most important aspects in four key areas
1. IT controls and work equipment
Pursuant to the right to direct work, the employer has a right to decide on the use of IT equipment in the workplace, including computers, telephones and networks. One important basic rule is that the employer establishes guidelines on how these tools are used and the employees are required to comply with those rules. It also means that the employer is entitled to carry out controls to ensure that the rules are complied with and verify how the work is carried out. In order for the controls to be legal under the GDPR, employees must be informed in advance that controls can take place and in what way. The purpose of the controls must be clear and the controls must not be more intrusive than necessary. In the event of suspected breach of the employment contract, for example in the event of disloyal conduct, the employer normally has a legitimate interest in carrying out IT controls.
2. Alcohol and drug tests
Test results from alcohol and drug tests are considered to be sensitive personal data under the GDPR. There must be support in law in order for a private employer to be entitled to carry out such tests. That support may derive from collective agreements or the right to direct work. Requiring tests as a matter of routine is not permitted without good reason and tests must be proportionate and must respect employees’ privacy. In situations where work involves a risk to safety, for example in the construction or nuclear power industries, the Labour Court has ruled that employers are entitled to require drug tests.
3. Background checks during recruitment
Background checks have become a standard part of recruitment processes, though they are subject to limited regulation in Swedish labour law. The GDPR also establishes the frameworks in this area and the employer must have a clear purpose for processing personal data at the time of a background check. The collection of data must be proportionate and must limited to what is required for the post. More extensive background checks, such as credit reports or criminal records, may be necessary for some roles, but the employer must comply with strict rules on how that data is processed. A particular problem arises in the case of processing of criminal data, which is usually prohibited by law with few exceptions.
4. Controls on working hours
Employers can carry out controls on employees’ working hours using systems such as entry and exit systems, logs from work computers or extracts from GPS systems in company cars. Such measures involve processing personal data and are therefore subject to the GDPR. The starting point is that controls may take place if there are specific suspicions of serious abuse (cheating) in reporting of working time. Nevertheless, it is important for the employer to inform the employees in advance that such controls may be carried out. Intrusive and extensive monitoring of employees for reasons other than safety is not compatible with good practice in the labour market. Nor is the performance of continuous random controls on employees’ working hours permitted.
Conclusion
Control measures in work situations must always be balanced against the individual’s right to privacy and must take place within the framework of the law. In order to minimise legal risks, employers should clearly inform employees of what controls may take place and ensure that those controls are supported in law. Regardless of the control measures in question, a clear and transparent privacy policy is key to ensuring both legality and trust in the workplace.
Would you like to know more or discuss how control measures should be handled in your business? You are welcome to contact one of our experts.
