Workplace Surveillance and Employee Privacy: Understanding the Balance of Privacy Rights
Technology advancements have transformed corporate services. The use of telecommuting tools like Microsoft Teams, Google Meet and Slack has made it easier for companies to communicate with internal and external stakeholders, regardless of location. The ability to access company networks, emails, and projects from any device has allowed employees to work more flexibly. However, the rise in technology use has also increased workplace surveillance, raising concerns about employee privacy rights.
While monitoring tools help ensure productivity, data security and regulatory compliance, excessive surveillance can lead to breaches of privacy, stress and loss of trust in the employer-employee relationship. Employers justify such surveillance as necessary, but where should the boundary be drawn? This article explores the legal landscape governing workplace surveillance in Kenya, analyzing the balance between an employer’s interests and an employee’s right to privacy under the Data Protection Act, 2019.
1. Legal Framework governing Workplace surveillance in Kenya
Employee privacy rights in Kenya are governed by the Constitution of Kenya (CoK), the Data Protection Act 2019 (DPA) and the Employment Act 2017. These laws set out the extent of workplace surveillance while safeguarding employee rights.
The Constitution of Kenya
Article 31 of the CoK guarantees every individual the right to privacy, including the right not to have their personal information unnecessarily required or revealed. This constitutional right applies to employees as well. However, this right is not absolute, especially within the employment context, where company policies, fiduciary duties, and legitimate business interests come into play.
Data Protection Act 2019
The DPA operationalized the right to privacy. It governs employee surveillance by requiring processing of personal data to be done in accordance with the principles of data protection. Key provisions relevant to workplace surveillance include:
- Lawful Basis for Data Processing (Section 30): Employers must have a legitimate legal basis for collecting employee data through surveillance.
- Consent & Transparency (Section 32): Employees must be informed of the nature, purpose, and extent of surveillance.
- Necessity & Proportionality (Section 25): The data collected should be limited to what is necessary for the employer’s legitimate interest.
Employment Act
Although the Act does not explicitly regulate the processing of employees' personal data, it provides for fair labor practices and protection of employees' rights. Section 10 mandates that employment contracts include details such as name, address and gender, which are categorized as personal data under the DPA.
2. Workplace Surveillance
Workplace surveillance involves methods used by employers to monitor employees’ activities for productivity assessment, resource management, security and safety, legal compliance and data protection. These methods include:
a) Video surveillance (CCTV Monitoring)
CCTV monitoring is one of the most commonly used surveillance tools. While it enhances security, it also raises privacy concerns. If CCTV footage identifies an individual, such data qualifies as personal data, requiring compliance with data protection laws.
In cases where a CCTV system incorporates facial recognition, the data processed is considered biometric data. Such data is considered high-risk, and its processing must be subjected to a Data Protection Impact Assessment Test. Employees also have to consent to the processing. The Office of the Data Commissioner also requires employers to display clear notices on CCTV surveillance.
b) Internet and Email Monitoring
Employers may monitor work email and internet usage to counter misuse of company resources and data leaks. This practice has been upheld in various legal precedents.
- Michael A. Smyth v. The Pillsbury Company. In this case, Smyth was a regional manager at Pillsbury Company and had a company email account he could access both at home and at work. Whilst working from home, he received emails from his supervisor and, unaware that his email was intercepted, he made threatening comments to his supervisor. Pillsbury intercepted his email account and found a trail of the same, leading to his termination. Smyth filed a suit alleging a violation of his privacy. The Federal Court ruled that an at-will employee has no right to privacy with regard to the content of an email when it is sent over an employer’s email system.
- In Bourke v Nissan Motor Corporation (1993), a state judge in California ruled that a company has the right to read emails where the company owned and operated the computer equipment. This, however, raises the question of what would justify email monitoring in the event that an employee is using their own email system for work purposes. To what extent can an employer monitor emails in such a scenario without overstepping the right to privacy owed to this employee?
c) Biometric Monitoring and GPS Tracking
Some employers use fingerprint scanners, facial recognition, and GPS tracking to monitor work attendance. This has become common in Kenya, with many offices adopting fingerprint scanners to control access to offices and monitor work attendance. However, the use of biometric attendance systems has raised a lot of concern about data privacy, including excessive data collection and data storage duration.
3. Employer Interests and Employee Privacy
It is necessary for companies to monitor employee behavior in the workplace. However, just as there are limitations to employees’ rights to privacy, there are limitations to the rights of employers in monitoring their employees.
Employers have to ensure that data processing is in accordance with data protection laws and complies with the following principles:
- Processing must be done in accordance with data subject rights;
- Processing must be lawful, fair and transparent;
- Collection must be for a specific and legitimate purpose;
- Collection must be limited to what is necessary;
- Data must be kept accurate and up to date;
- Cross-border data transfer requires employee consent or proof of adequate safeguards.
Lawful Basis for Processing Employee Data
Employers can lawfully process employee data if they rely on one of the following legal bases:
i. Consent (Section 32) - Employers must seek freely given, specific and informed consent from employees. This requires:
- No coercion or undue influence;
- A clear explanation of the purpose of processing;
- Documentation of consent, preferably in writing.
ii. Performance of Contract - Processing is necessary for fulfilling the employment contract.
iii. Compliance with Legal Obligation - For example, safety requirements within a workplace necessitate installing CCTV cameras.
iv. Legitimate Interests - Such may include security necessitating collection of biometric data.
v. Public Interests - Such as processing payroll systems for government audits.
Data Protection by Design and Default: Measures to Be Taken
Employers should also consider structuring their operations to ensure compliance with data protection using methods such as:
1. Training their Human Resource departments on how to handle employee data
2. Appointing a Data Protection Officer (DPO) to oversee compliance with the law. The DPO can be outsourced or be a member of staff.
3. Developing internal policies for employee data handling
4. Conducting regular audits to ensure compliance
5. Implementing systems incorporating privacy by design and by default
Written by: SHEKINAH KITING'A
Legal and Corporate Governance Professional