Recommendations by the European Union Data Protection Commissioners
on
TELECOMMUNICATIONS AND PRIVACY IN LABOUR RELATIONSHIPS
(based on the Report and Recommendations
given by the International Working Group on Data Protection in
Telecommunications)
Preliminary note
The object of this paper, which has been adopted by the Data Protection
Commissioners of the European Union, is to provide for a number
of recommendations regarding information technologies and telecommunications
when being used at the workplace to generate information concerning
the workers.
Their use has drastically changed and multiplied the methods to
collect and process information at the workplace. Continuous supervision
and collection of data concerning different aspects of the worker's
activities, possibly without their knowledge, is feasible.
The availability of these new methods becomes more general
and they gradually gain acceptance at the workplace. They are
implemented for security reasons, for controlling and allocating
costs of different performances and communications, to measure
and improve productivity. They however hold an enormous potential
of collecting and processing data on the worker's personal behaviour,
activities and characteristics. The risks of intrusions on the
worker's privacy are enormous and therefore need to be taken into
consideration from a data protection approach.
The notion of "workplace" when used in this context
must be understood in a wide sense as any place where the worker
is located when performing work by order of his employer. This
can be the employers' sites, as well as the workers' vehicle
or his private residence. In this regard, the recent developments
towards teleworking deserve special attention.
The first part of the paper gives a survey of the data collection
methods based on information technologies and telecommunications
that are used at the workplace, and of their potential to generate
information on the employees.
In a second part, a number of recommendations are given as to
the respect of privacy at the workplace. In the first place some
procedural conditions are formulated to be respected when implementing
data recording devices at the workplace. Secondly, substance is
given to the right of privacy of the worker.
In a third and final part three specific applications of these
recommendations to information technologies and telecommunications
are described.
In this context, it must be mentioned that a Recommendation No.
R (89)2 of the Committee of Ministers to Member States of the
Council of Europe on the protection of personal data used for
employment purposes was adopted by the Committee of Ministers
on 18 January 1989 at the 423rd meeting of the Ministers' Deputies.
The principles set out in this Recommendation apply specifically
to the collection and use of personal data for employment purposes
in public and private sectors.
Furthermore, the International Labour Organisation is currently
discussing a draft Code of practice on workers' privacy.
Finally, the question of the protection of personal data at the
workplace is currently being taken into consideration by the DG
V of the European Commission.
The recommendations set out hereafter specifically focus on the
implementation and the use of telecommunications and information
technologies to collect and process information on workers. Their
fast growing acceptance at the workplace, their enormous potential
to collect and process personal data for different purposes make
it necessary to take them into consideration from a privacy point
of view. Given the current lack of regulation in this area,
a set of recommendations could be a useful tool for employers
willing to respect the rules concerning the protection of personal
data at the workplace.
I. Methods of data collection and processing based on information
technologies and telecommunications
- A wide range of data recording devices based on the
use of computers, telecommunications or audio-visual technologies is gaining acceptance
at the workplace:
- Active badges (badge systems), also called "tabs" or
more neutrally "network location devices", are devices a few
inches in size, developed for example by Olivetti and Bellcore, that contain
a microprocessor and infrared transmitters. They broadcast the identity
of their wearer and trigger all kinds of responses from other ICT
devices, such as automatic telephone forwarding, authorizing access
to buildings and meeting rooms, and all kinds of other conveniences.
These systems could cause a lot of trouble for the wearer in the
wrong hands, especially when connected to a central computer
system to collect data on the arrivals and departures of the workers.
Within the buildings, they record the moves of the workers (to
libraries, restrooms, different workstations, etc.) and the time
they spent in each area of the buildings; badge systems based
on the recognition of biometric identifiers (such as fingerprints)
pose in themselves privacy risks given the collection and the
retention of these identifiers.
- computer-based systems used by the employers provide information
on the work-rhythm by recording the time needed to fulfill a transaction,
or the number of tasks performed over a period (e.g. counting keystrokes,
number of errors, lengths of breaks, etc.). Aside from use-monitoring,
computer systems can be used for remote access to a worker's files
and e-mail correspondence, as well as the remote mirroring of the
workers' actions. Project management or work flow automation software
developed as a productivity enhancer may impede the right to privacy
of users because of its potential for eavesdropping on the employee.
- video-cameras placed for safety reasons at entrances
or in places requiring a high level of security record personal
data on the workers, such as work habits, behaviour, contacts
with colleagues, as well as on persons other than the workers.
- telephone-call accounting systems record time and duration of
incoming and outgoing, internal and external calls; in addition
telephone monitoring records the numbers of calling or called third
persons as well as the content of professional and private conversations;
with regard to other telecommunications, such as electronic
mail, means can also be used for generating data on the workers'
internal or external communication.
- the introduction of computers and the extension of network-based
or satellite communications devices at the homes, in the vehicles,
(e. o.) allow for remote control of workers far beyond the sites
of the employer.
- telework is a catalyst for the computerization of the private
homes of the workers and for the extension of network-based or
satellite communications devices towards these private residences.
They are implemented to create a professional environment outside
the employers' sites and to facilitate communications between
workers. Satellite technologies for mobile telephony make it possible to
keep track of the location of the worker outside the firm.
- Privacy intrusion is a function of capability of technology
and attitude of people. The following enumeration
shows some features of the control possibilities offered by the
information technologies and telecommunications and of their invasive
character of the privacy of the workers.
- The new technologies allow for the creation of increasing and
more sophisticated information sources on workers. They hold unprecedented
potential to gather, to measure and to evaluate a wide range of
information not only on performances of the worker, but also on
his personal characteristics, his behaviour, his relations with
colleagues and even with third parties from outside the workplace;
- the new information technologies allow for continuous monitoring
and surveillance at the workplace. In certain cases, information
on the workers' performance or personal behaviour can be gathered
and used secretly or for purposes the workers are not aware of;
- the evolution towards telework probably holds the most important
risk of intrusions into the privacy of the worker. The physical
distance between the employer and the workers, as well as between
the workers themselves, will be a catalyst for the implementation
of data recording devices, thus allowing for remote control by
the employer. This poses in itself a risk to the privacy. Furthermore,
as the boundaries between professional and private life fade,
any inappropriate use of the recording devices in a telework context
may allow for the processing of very different types of personal
data that have no direct connection or no connection at all with
the professional relationship.
- A new kind of technology which has the potential of privacy intrusion
is the development of media spaces. A media space is a computer-controlled
network of audiovideo equipment used to support communication
and collaboration between people within a group separated by architecture
in a building and by geographical distance through nodes.
Every room has several audio and video cables running to and from
a central switch as well as an access to digital networks. The
resulting system provides all rooms with some form of an audio-video
"node" consisting of a camera, monitor, microphone and
speakers. The connections between the nodes are completely computer-controlled,
so that people can display the views from various cameras on their
desktop monitors, set up two-way audio-video connections etc.
The advantage of this system is that it promotes focussed collaboration
between the participants about who is around, what sort of things
they are doing, whether they are busy and so on. This technology
will be the forerunner of many commercial products aimed at wide
markets. Without any privacy protection features this technology
poses serious threats of intrusion into the user's privacy.
This technology may lead to an unnoticed combined audio, video
and computer surveillance, monitoring the worker's performance
on the job. These features may foster unethical use of technology
but, more significantly, they are also much more conducive to
inadvertent intrusions on privacy. But a new class of privacy
problems emerges which is related to very different concerns
about a fast growing, less well understood set of issues arising
from user-interface design features which interfere with social
behaviour. Disembodiment (for example only a face is seen on the
monitor, or only your name may be presented on the screen with
your voice only) may occur from the context into and from which
one projects information and dissociation from one's actions may
happen. The lack of feedback on one's own behaviour, like the
unconsciously noted body-language cues from the one with whom
you are communicating or from the technology used, may lead to
unawareness of what and when you are conveying information about
yourself.
Similar disembodiment effects occur in the context of telephone
and e-mail conversations, but did not draw very much attention
so far. Dissociation occurs when only the results of actions are
shared not knowing who did what to reach the results. This all
may have negative effects on social behaviour.
Privacy of the individual interacts with the technical and interface
design aspects of the technology they use. Visitors to places
where media spaces were used with a moment-to-moment continuous
control felt uneasy about their ability to monitor and control
their self-presentation and consequently their privacy. During
extended durations of audio/video connection people tend to forget
about their existence and associated implications.
II. Recommendations
1. Workers' representatives involvement
The workers' representatives must be fully informed and consulted
prior to any decision to introduce and use information technologies
and telecommunications to generate information at the workplace.
They must be able at any time to check whether regulations and
guidelines to protect the workers' privacy are complied with.
This checking ability is restricted insofar as doing so would
in itself invade an employee's privacy. The information
and consultation must bear on the reasons and the need for the
introduction of the new data record system, the appropriateness
of the proposed technology, the features of the technology, the
nature of the data recorded and the extent to which they are recorded,
the persons to which they are disclosed, and the workers' rights.
Fundamental changes in the structure of information technology
in use at the workplace should only be made with the consent of
the workers' representatives.
2. Information of the workers
Where information technologies or telecommunications are implemented
and used at the workplace to generate data, the workers must be informed
in advance of the reasons for which these data are needed and
the purposes for which they are used, the features of the technology
used to generate the data, the nature of the generated data, the
persons to which these data might be disclosed, and their rights to
have access to the data processed about them and to correct errors.
The rights to have access and to correct must be ensured within
a reasonable period of time.
The employer has to inform his employees about the policy on the
use of information technology (e.g. electronic mail or voice mail)
at the workplace. He should also inform them about the principal
and secondary uses to which the personal data generated by such
systems are being put.
3. Respect of the workers' reasonable expectations of privacy
The collection of data must be based on the principle of respect
for the "workers' legitimate expectations of privacy".
The legitimate character of a worker's expectation must be analysed
according to the specific facts of the situation.
The workers' expectations of privacy will be higher in case of
closed workplaces than in workplaces open to others. On the other
hand they will have to be harmonized with security needs
in places where extreme security measures are regularly taken.
4. Finality principle
Information technologies and telecommunications can only be used
at the workplace to collect, use and disclose data for predefined
lawful and legitimate purposes.
The finality of the processing of the workers' privacy shall
not be unfair and affect human dignity. It must be necessary,
proportionate and adequate to the good faith that should reign
in professional relations.
Data should be necessary, relevant, adequate and not excessive
given the finality for which they are collected.
Where for security reasons machines are to be surveilled by cameras,
it may be excessive to extend the surveillance to the persons
working at the machines.
Where badge systems are implemented in order to control the access
to the workplaces, it may be aberrant to interconnect these badge
readers to a central registration system. Data generated can only
be stored in so far and for so long as they can be considered
to be relevant and necessary for the realisation of the described
purposes.
5. Restraint of collection of personal data concerning the
worker
When implementing or using information technologies or telecommunications
at the workplace to generate data, the employer should refrain
from collecting personal data that are not directly relevant
within the professional relationship such as the personal behaviour,
personal characteristics as well as the personal internal and
external contacts of the worker.
6. Use of personal data against an individual worker
No information generated by the use of an information technology
or telecommunications may be used against a worker if the latter
has not previously received the information mentioned in point
2. The information generated may only be used against
the worker after he has had the opportunity to have access
to this information and to challenge it.
7. Covert surveillance of an individual worker
Only exceptional circumstances may justify the employer's
collection of or access to personal data concerning the employee
without prior notice, or for other purposes than the purposes
described. This requires that there is a serious suspicion
that a grievous criminal activity has been or will be committed.
The information can only be collected or accessed when a written
statement, signed by the authorised person, can be produced. This
written statement must explain:
- the reasons why there is a serious suspicion that a grievous
criminal activity is, has been or will be committed,
- the reasons why collection or access to personal data concerning
an employee is necessary,
- the nature of the information gathered.
In any case the gathered information may only be used in accordance
with Recommendation 6 (above).
Organisations of workers shall be informed.
8. Need for a surveillance-free zone
The employer must assure that there is an appropriate zone where
the privacy of the worker is guaranteed, where free communication
with other persons is possible, where they have telecommunications
means for sending or receiving personal messages at their disposal.
III. Specific applications
The importance of the recommendations given above may be illustrated
by three examples of new technological developments which are
already in use or will be used in the private as well as the public
sector very soon.
1. Media Space
The European Data Protection Commissioners recommend the following
measures concerning media space:
1.1 Control and feedback
What is needed is control and feedback of information captured
in the ubiquitous computing environments, as there are no cues
available which normally are noticeable in face-to-face meetings
and have to be applied to each phase of the communication process.
Without control and feedback the fear of the media space users
of privacy intrusion can't be taken away from them.
1.1.1 Control
Control is "empowering people to stipulate what information
they project and who can get hold of it." Control also implies
that the user of the media space determines who may connect to
him and what connections each person is allowed to make. No action
from the user is interpreted by the system as an automatic rejection
of connections with others.
We should take into consideration four privacy aspects, namely
- control over who can see and hear the user at a given time;
- knowledge of when somebody is in fact seeing or hearing the
user;
- knowledge of the intention behind the connection and
- to avoid connections being intrusions on the work of the user.
No connections may be made without the permission of the user.
1.1.2 Feedback and reciprocity
Feedback is informing people when and what information about them
is being captured and to whom the information is being made available.
Feedback depends on the type of the connection made. The more
interaction is needed, the more reciprocity (if I can see you,
you can see me) should be required. At the moment a connection
is made a warning signal should be displayed on the screen and
an audio signal should be given.
1.2 Design requirements
Building control, feedback and reciprocity mechanisms
into a ubiquitous computing environment, as recommended, is
the only way to safeguard privacy and to prevent potential
records of our activity from being kept and possibly manipulated and
used at a later date and out of their original context.
1.2.1 Need to know
Further it is necessary to know what happens to the information
gathered (is it encrypted, processed, stored, in what form), to
whom is this information accessible (public, particular groups,
certain persons, only oneself) and to what uses is the present
information put and how it might be used in the future. It is
essential that the individual has an unalienable right to information
self-determination, as was pointed out in 1983 by the German
Constitutional Court.
1.2.2 Design criteria
Based on the findings that control, feedback and reciprocity of
the information capture by the individual and data security is
crucial to prevent privacy intrusions, there are at least four
design criteria:
a) control,
b) feedback,
c) data security and
d) means to prevent the collection of the data altogether,
which should be taken into consideration whenever designing a
product or service, all in the light of the fundamental right
of the individuals to decide when and under what circumstances
their personal data may be revealed.
The fourth criterion (d) questions whether the required functionality
can be achieved by a system where the data subject itself can
verify that the privacy-related data that form the input of the
system have not been available to someone else. The Dutch Data
Protection Authority has issued a report on privacy-enhancing
technologies which proves that such technology can be applied
in any workplace environment.
2. Telework
When the worker is performing work at his private home, the employer
is not entitled to install any recording devices unless he can
guarantee that only data closely related to the employee's professional
activities are processed. In case the employee uses a computer
for telework as well as for private purposes with the employer's
permission, the employee's private data must be effectively protected
against inspection by the employer. On the other hand the employee
has to provide for effective protection against members of his
household inspecting or accidentally looking into personal data
processed for telework purposes.
The problems related to telework especially in a transborder situation
need a study in greater depth. The Commissioners will monitor
developments in this field closely.
3. Communication of employee data by means of electronic directories
The European Data Protection Commissioners refer to the Report
given by the Working Group on Data Protection in Telecommunications
to the 13th International Conference of Data Protection Commissioners
in 1991 which highlighted the privacy issues arising from the
use of electronic directories (e.g. X.500). Having reconsidered
the principles set out in this Report the Commissioners take the
view that a distinction has to be made between data the communication
of which is required by the particular professional requirements
(e.g. in the scientific community) and other data.
The employee's basic communication parameters (e.g. postal address,
e-mail address etc.) may be transmitted via an electronic directory
without the employee's consent insofar as the contract of employment
requires the entry in the directory. Other (additional) data may
only be published in the directory with the consent of the employee
concerned provided that these data are related to the employee's
profession (special areas of interest; publications etc.).
In general the employer has to inform the employees thoroughly
and comprehensibly about the range of data which are entered in
the directory, if they can refuse to agree with an entry according
to the distinction just made and what consequences a refusal may
have. The employees must have the right to inspect their data,
to correct them if necessary and to revoke their consent, as the
case may be.