Europäische Union
Homepage

Wir über Uns
Berlin
National
Europäische Union
International
Recht
T.O Maßnahmen
Aktuelles
Kontrolle
Materialien
Service
Themen

Recommendations by the European Union Data Protection Commissioners on

TELECOMMUNICATIONS AND PRIVACY IN LABOUR RELATIONSHIPS

(based on the Report and Recommendations given by the International Working Group on Data Protection in Telecommunications)

Preliminary note

The object of this paper, which has been adopted by the Data Protection Commissioners of the European Union, is to provide for a number of recommendations regarding information technologies and telecommunications when being used at the workplace to generate information concerning the workers.

Their use has drastically changed und multiplied the methods to collect and process information at the workplace. Continuous supervision and collection of data concerning different aspects of the worker's activities, possibly without their knowledge, is feasible. The availability of these new methods becomes more general and they gradually gain acceptance at the workplace. They are implemented for security reasons, for controlling and allocating costs of different performances and communications, to measure and improve productivity. They however hold an enormous potential of collecting and processing data on the worker's personal behaviour, activities and characteristics. The risks of intrusions on the worker's privacy are enormous and therefore need to be taken into consideration from a data protection approach.

The notion of "workplace" when used in this context must be understood in a wide sense as any place where the worker is located when performing work by order of his employer. This can be the employers' sites, as well as the workers' vehicule or his private residence. In this regard, the recent developments towards teleworking deserve special attention.

The first part of the paper gives a survey of the data collection methods based on information technologies and telecommunications that are used at the workplace, and of their potential to generate information on the employees.

In a second part, a number of recommendations are given as to the respect of privacy at the workplace. In the first place some procedural conditions are formulated to be respected when implementing data recording devices at the workplace. Secondly, substance is given to the right of privacy of the worker.

In a third and final part three specific applications of these recommendations to information technologies and telecommunications are described.

Seitenanfang In this context, it must be mentioned that a Recommendation No. R (89)2 of the Committee of Ministers to Member States of the Council of Europe on the protection of personal data used for employment purposes was adopted by the Committee of Ministers on 18 January 1989 at the 423rd meeting of the Ministers' Deputies. The principles set out in this Recommendation apply specifically to the collection and use of personal data for employment purposes in public and private sectors.

Furthermore, the International Labour Organisation is currently discussing a draft Code of practice on workers' privacy.

Finally, the question of the protection of personal data at the workplace is currently being taken into consideration by the DG V of the European Commission.

The recommendations set out hereafter specifically focus on the implementation and the use of telecommunications and information technologies to collect and process information on workers. Their fast growing acceptance at the workplace, their enormous potential to collect and process personal data for different purposes make it necessary to take them into consideration from a privacy point of view. Given the current lack of regulation in this area, a set of recommendations could be a useful tool for employers willing to respect the rules concerning the protection of personal data at the workplace.

I. Methods of data collection and processing based on information technologies and telecommunications

  1. A wide range of data recording devices based on the use of computers, telecommunications or audio-visual technologies gain acceptance at the workplace:

    • Active badges (badge systems) (also called "tabs" or more neutrally "network location devices") about a few inches big developed for example by Olivetti and Bellcore containing a microprocessor and infrared transmitters broadcast the identity of its wearer and trigger all kinds of responses from other ICT devices like automatic telephone forwarding, authorizing the access to buildings and meeting rooms and all kinds of other convenience. These systems could cause a lot of trouble for the wearer in the wrong hands, especially when connected to a central computer system to collect data on the arrivals and departures of the workers. Within the buildings, they record the moves of the workers (to libraries, restrooms, different workstations, etc.) and the time they spent in each area of the buildings; badge systems based on the recognition of biometric identifiers (such as fingerprints) pose in themselves privacy risks given the collection and the retention of these identifiers.

    • computer-based systems used by the employers provide information on the work-rhythm by recording the time needed to fulfill a transaction, or the numer of tasks performed over a period (e.g. counting keystrokes, number of errors, lenghts of breaks, etc.). Aside from use-monitoring, computer systems can be used for remote access to a worker's files and e-mail correspondence, as well as the remote mirroring of the workers' actions. Project management or work flow automation software developed as a productivity enhancer may impede the right to privacy of users because of its potential to eavesdropping on the employee.

    • video-cameras placed for safety reasons at entrances or in places requiring a high level of security record personal data on the workers, such as work habits, behaviour, contacts with colleagues, as well as on persons other than the workers.

    • telephone-call accounting systems record time and duration of incoming and outgoing, internal and external calls; in addition telephone monitoring record the numbers of calling or called third persons as well as the content of professional and private conversations; with regard to other telecommunications, such as electronic mail, means can also be used for generating data on the workers' internal or external communication.

    • the introduction of computers and the extension of network-based or satellite communications devices at the homes, in the vehicles, (e. o.) allow for remote control of workers far beyond the sites of the employer.

    • telework is a catalyst for the computerization of the private homes of the workers and for the extension of network-based or satellite communications devices towards these private residences. They are implemented to create a professional environment outside the employers' sites and to facilitate communications between workers. Satellite technologies for mobile telephone allow to keep track of the location of the worker outside the firm.

  2. Privacy intrusion is a function of capability of technology and attitude of people. The following enumeration shows some features of the control possibilities offered by the information technologies and telecommunications and of their invasive character of the privacy of the workers.

    • The new technologies allow for the creation of increasing and more sophisticated information sources on workers. They hold unprecedented potential to gather, to measure and to evaluate a wide range of information not only on performances of the worker, but also on his personal characteristics, his behaviour, his relations with colleagues and even with third parties from outside the workplace;

    • the new information technologies allow for continuous monitoring and surveillance at the workplace. In certain cases, information on the workers' performance or personal behaviour can be gathered and used secretly or for purposes the workers are not aware of;

    • the evolution towards telework probably holds the most important risk of intrusions into the privacy of the worker. The physical distance between the employer and the workers, as well as between the workers themselves, will be a catalyst for the implementation of data recording devices, thus allowing for remote control by the employer. This poses in itself a risk to the privacy. Furthermore, as the boundaries between professional and private life fade, any inappropriate use of the recording devices in a telework context may allow for the processing of very different types of personal data that have no direct connection or no connection at all with the professional relationship.

    • A new kind of technology which has the potential of pivacy intrusion is the development of media spaces. A media space is a computer-controlled network of audiovideo equipment used to support communication and collaboration between people within a group separated by architecture in a building and by geographical distance through nodes.

    Every room has several audio and video cables running to and from a central switch as well as an access to digital networks. The resulting system provides all rooms with some form of an audio-video "node" consisting of a camera, monitor, microphone and speakers. The connections between the nodes are completely computercontrolied, so that people can display the views from various cameras on their desktop monitors, set up two-way audio-video connections etc. The advantage of this system is that it promotes focussed collaboration between the participants about who is around, what sort of things they are doing, whether they are busy and so on. This technology will be the forerunner of many commercial products aimed at wide markets. Without any privacy protection features this technology poses seriuous threats of intrusion into the user's privacy.

    This technology may lead to an unnoticed combined audio, video and computer surveillance, monitoring the worker's performance on the job. These features may foster unethical use of technology but, more significantly, they are also much more conducive to inadvertent intrusions on privacy. But a new class of privacy problerns emerges which is related to very different concerns about a fast growing, less well understood set of issues arising from user-interface design features which interfere with social behaviour. Disembodiment (for example only a face is seen on the monitor, or only your name may be presented on the screen with your voice only) may occur from the context into and from which one projects information and dissociation from one's actions may happen. The lack of feedback on one's own behaviour, like the unconsciously noted body-language cues from the one with whom you are communicating or from the used technology may lead to unawareness what and when you are conveying information about yourself.

    Similar disembodiment effects occur in the context of telephone and e-mail conversations, but did not draw very much attention so far. Dissociation occurs when only the results of actions are shared not knowing who did what to reach the results. This all may have negative effects on social behaviour.

    Privacy of the individual interacts with the technical and interface design aspects of the technology they use. Visitors to places where media spaces were used with a moment-to-moment continuous control felt uneasy about their ability to monitor and control their self-presentation and consequently their privacy. During extended durations of audio/video connection peopie tend to forget about their existence and associated implications.

II. Recommendations

  • Workers' representatives involvement

    The workers' representatives must be fully informed and consulted prior to any decision to introduce and use information technologies and telecommunications to generate information at the workplace. They must be able at any time to check whether regulations and guidelines to protect the workers' privacy are complied with. This checking ability is restricted insofar as doing so would in itself invade an employee's privacy. The information and consultation must bear on the reasons and the need for the introduction of the new data record system, the appropriateness of the proposed technology, the features of the technology, the nature of the data recorded and the extent to which they are recorded, the persons to which they are disclosed, and the workers' rights. Fundamental changes in the structure of information technology in use at the workplace should only be made with the consent of the workers' representatives.

  • Information of the workers

    Where information technologies or telecommunications are implemented and used at the workplace to generate data, the workers must prior be informed on the reasons for which these data are needed and the purposes for which they are used, the features of the technology used to generate the data, the nature of the generated data, the persons to which these data might be disclosed, their rights to have access to the data processed about him and to correct errors. The rights to have access and to correct must be ensured within a reasonable period of time.

    The employer has to inform his employees about the policy on the use of information technology (e.g. electronic mail or voice mail) at the workplace. He should also inform them about the principal and secondary uses to which the personal data generated by such systems are being put.

  • Respect of the workers' reasonable expectations of privacy

    The collection of data must be based on the principle of respect for the "workers' legitimate expectations of privacy".

    The legitimate character of a workers' expectation must be analysed according to the specific facts of the situation.

    The workers' expectations of privacy will be higher in case of closed workplaces than in workplaces open to others. On the other hand they will have to be harmonized with security needs in places where extreme security measures are regularly taken.

  • Finality principle

    Information technologies and telecommunications can only be used at the workplace to collect, use and disclose data for predefined lawful and legitimate purposes.

    The finality of the processing of the workers' privacy shall not be unfair and affect human dignity. lt must be necessary, proportionate and adequate to the good faith that should reign professional relations.

    Data should be necessary, relevant, adequate and not excessive given the finality for which they are collected.

    Where for security reasons machines are to be surveilled by cameras, it may be excessive to extend the surveillance to the persons working at the machines.

    Where badge systems are implemented in order to control the access to the workplaces, it may be aberrant to interconnect these badge readers to a central registration system. Data generated can only be stored in so far and for so long as they can be considered to be relevant and necessary for the realisation of the described purposes.

  • Restraint of collection of personal data concerning the worker

    When implementing or using information technologies or telecommunications at the workplace to generate data, the employer should refrain from collecting personal data that are not directly relevant within the professional reiationship such as the personal behaviour, personal characteristics as well as the personal internal and external contacts of the worker.

  • Use of personal data against an individual worker

    No information generated by the use of an information technology or telecommunications may be used against a worker if the latter has not previously received the information mentioned in point 2. The information generated may only be used against the worker after he has had the opportunity to have access to this information and to challenge it.

  • Covert surveillance of an individual worker

    Only exceptional circumstances may justify the employer's collection of or access to personal data concerning the employee without prior notice, or for other purposes than the purposes described. This requires that there is a serious suspicion that a grievous criminal activity has been or will be committed.
    The information can only be collected or accessed to when a written statement, signed by the authorised person can be produced. This written statement must explain:

    • the reasons why there is a serious suspicion that a grievous criminal activity is, has been or will be committed,
    • the reasons why collection or access to personal data concerning an employee is necessary,
    • the nature of the information gathered.

    In any case the gathered information may only be used in accordance with Recommendation 6 (above).

    Organisations of workers shall be informed.

  • Need for a surveillance-free zone

    The employer must assure that there is an appropriate zone where the privacy of the worker is guaranteed, where free communication with other persons is possible, where they have telecommunications means for sending or receiving personal messages at their disposal.

    III. Specific applications

    The importance of the recommendations given above may be illustrated by three examples of new technological developments which are already in use or will be used in the private as well as the public sector very soon.

    1. Media Space

      The European Data Protection Commissioners recommend the following measures concerning media space:

      1.1 Control and feedback

      What is needed is control and feedback of information captured in the ubiquitous computing environments, as there are no cues available which normally are noticeable in face-to-face meetings and have to be applied to each phase of the communication process. Without control and feedback the fear of the media space users of privacy intrusion can't be taken away from them.

      1.1.1 Control

      Control is "empowering people to stipulate what information they project and who can get hold of it." Control also implies that the user of the media space determines who may connect to him and what connections each person is allowed to make. No action from the user is interpreted by the system as an automatic rejection of connections with others.

      We should take into consideration four privacy aspects, namely

      • control over who can see and hear the user at a given time;
      • knowledge of when somebody is in fact seeing or hearing the user;
      • knowledge of the intention behind the connection and
      • to avoid connections being intrusions on the work of the user.

      No connections may be made without the permission of the user.

      1.1.2 Feedback and reciprocity

      Feedback is informing people when and what information about them is being captured and to whom the information is being made available. Feedback depends on the type of the connection made. The more interaction is needed, the more reciprocity (if I can see you, you can see me) should be required. At the moment a connection is made a warning signal should be displayed on the screen and an audio signal should be given.

      1.2 Design requirements

      The recommendation that control, feedback and reciprocity mechanisms have to be built-in in an ubiquitous computing environment is the only way to safeguard privacy and prevents that potential records of our activity may be kept and possibly manipulated and used at a later date and out of their original context.

      1.2.1 Need to know

      Further it is necessary to know what happens to the information gathered (is it encrypted, processed, stored, in what form), to whom is this information accessible (public, particular groups, certain persons, only oneself) and to what uses is the present information put and how it might be used in the future. lt is essential that the individual has an unalienable right to information self-determination, as has been pointed out in 1983 by the German Constitutional Court.

      1.2.2 Design criteria

      Based on the findings that control, feedback and reciprocity of the information capture by the individual and data security is crucial to prevent privacy intrusions, there are at least four design criteria:

      a) control,
      b) feedback,
      c) data security and
      d) means to prevent the collection of the data altogether,

      which should be taken into consideration whenever designing a product or service, all in the light of the fundamental right of the individuals to decide when and under what circumstances their personal data may be revealed.

      The fourth criterion (d) questions whether the required functionality can be achieved by a system where the data subject itself can verify that the privacy-related data that form the input of the system have not been available to someone else. The Dutch Data Protection Authority has issued a report on privacy-enhancing technologies which proves that such technology can be applied in any workplace environment.

    2. Telework

      When the worker is performing work at his private home, the employer is not entitled to install any recording devices unless he can guarantee that only data closely related to the employee's professional activities are processed. In case the employee uses a computer for telework as well as for private purposes with the employer's permission, the employee's private data must be effectively protected against inspection by the employer. On the other hand the employee has to provide for effective protection against members of his household inspecting or accidentally looking into personal data processed for telework purposes.

      The problems related to telework especially in a transborder situation need a study in greater depth. The Commissioners will monitor developments in this field closely.

    3. Communication of employee data by means of electronic directories

      The European Data Protection Commissioners refer to the Report given by the Working Group on Data Protection in Telecommunications to the 13th International Conference of Data Protection Commissioners in 1991 which highlighted the privacy issues arising from the use of electronic directories (e. g. X. 500). Having reconsidered the principles set out in this Report the Commissioners take the view that a distinction has to be made between data the communication of which is required by the particular professional requirements (e. g. in the scientific community) and other data.

      The employee's basic communication parameters (e. g. postal address, e-mail address etc.) may be transmitted via an electronic directory without the employee's consent insofar as the contract of employment requires the entry in the directory. Other (additional) data may only be published in the directory with the consent of the employee concerned provided that these data are related to the employee's profession (special areas of interest; publications etc.).

      In general the employer has to inform the employees thoroughly and comprehensibly about the range of data which are entered in the directory, if they can refuse to agree with an entry according to the distinction just made and what consequences a refusal may have. The employees must have the right to inspect their data, to correct them if necessary and to revoke their consent, as the case may be.

Zuletzt geändert:
am 13.02.97

mail to webmaster