What might seem like an ‘innocent’ act by an employer in the name of employee monitoring can be viewed as an excessive intrusion when placed under data privacy regulations lens. I relate a practical story for readers’ further comprehension.
The chief executive officer of a particular furniture shop in Lagos, Nigeria, places four cameras in their headquarters without informing staffs.
The CEO was in London some days ago. Through an app, he watched the activities in his store. He argued that his employees kept taking items from the shop and he needed to monitor them.
The best approach would be to inform employees about the camera. When challenged about this, he argued that there is no such definition of employee monitoring in the Nigerian Data Protection Regulation (NDPR). But the regulation is precise about two crucial things: consent and legitimate interest.
If the CEO understood these two concepts and their implications in monitoring employees, he wouldn’t place the camera in his work environs, and if he did, he would be quick to inform the employees about the camera. In this case, there is a violation of and disrespect of citizens.
The French Data Protection Authority (the “CNIL”) dismissed a case some years ago. The employer had placed monitoring tools on the computers without informing the employee. The employer found that the staff used certain information for his personal use and dismissed him. However, the employee argued that he was not aware of the monitoring device and that it was against his fundamental human rights and needed compensation. The judge ruled in favour of the staff.
In one of my articles in this space, I mentioned that the principle of transparency is the cornerstone of data protection schemes. If the CEO in the said case knows fairness and transparency, he would have informed his employees about such cameras.
Stakeholders need to take responsibilities for the protection of the freedoms and human rights of Nigerian citizens. Companies can ride on legitimate interests here, but there needs to be a level of transparency and fairness when depending on these grounds. Because consent is usually not the preferred way in the employer-employee relationship, an employer should monitor in a way that seems not too intrusive.
There are enough examples of employers placing many monitoring devices like Data Loss Protection (DLP) tools or Mobile Device Monitoring (MDM) tools on employee device without carrying out a proper Data Protection Impact Assessment (DPIA) before deploying those tools. These open the employers up for data privacy breaches.
There can be exceptions in monitoring. Some Data Protection Authorities (DPA) would allow tracking in the case of fraud and other malicious acts. The Nigerian Information Technology Development Agency (NITDA) is yet to give guidance on this issue. In the case of the CEO, the only evidence so far is instinct, and he followed no ethics or principles by showing this live feed to friends.
Employer monitoring via cameras should not be covert, and employers must do their best to ensure that these schemes are made known to employees. It is only fair to treat employees as humans.
Will Amazon be fined?
Luxembourg’s regulator has proposed what would be the largest ever fine under EU privacy laws on Amazon. There is an ongoing investigation to stipulate if Amazon breached certain principles of the regulation. The company faces the potential to be fined $425 million for violating the General Data Protection Regulation (GDPR). The exact violation is unknown, but the Luxembourg Data Protection Commission (CNPD) has drafted the same decision and forwarded it to 26 other national data protection authorities in the European Union. We wait with bated breath to see the findings.