The U.K. Information Commissioner’s Office (ICO) last week confirmed it was investigating allegations that Barclays Bank had effectively been spying on employees by using an intrusive software system that monitored workers’ activity.
Since last year, Barclays has been piloting a software system called “Sapience” that gives companies “insights into work patterns” and tracks employee productivity by monitoring their computer usage, according to the vendor’s website.
However, following staff feedback and critical media reports that accused the bank of using the technology to spy on employees without their consent or full understanding of how the system collects and uses their data, Barclays announced in February it was changing how it used the Sapience software so it would now track only anonymized data.
An ICO spokesperson confirmed the regulator has “an ongoing investigation relating to Barclays’ alleged use of employee monitoring tools.”
The spokesperson added: “People expect that they can keep their personal lives private and that they are also entitled to a degree of privacy in the workplace.
“If organizations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organizations also need to make employees aware of the nature, extent and reasons for any monitoring.”
It is not the first time the bank has gotten into hot water over the way it has tried to monitor staff efficiency. In 2017 Barclays faced widespread criticism when it rolled out a system known as OccupEye that tracked how long people spent at their desks.
Barclays was approached for comment but did not respond.
Questions CCOs should be asking about employee monitoring software
Camilla Winlo, director of consultancy at data protection and privacy specialist DQM GRC, says there are six issues organizations should consider before they rush to use IT solutions:
- Is this actually going to work?
- Is there a less intrusive alternative?
- How far can you restrict the number of individuals whose privacy is intruded upon?
- How much can you restrict the amount of time individuals’ privacy is intruded upon?
- Are there any other controls you can implement to reduce the privacy intrusion?
- How will you consult with and inform employees so they understand when they might be under surveillance and agree that that is proportionate in the circumstances?
Systems like the one being used by Barclays are becoming increasingly common among banks and other financial firms, which use voice recognition and other tools to watch for unusual behavior that could indicate misconduct. Some experts suggest more and more companies may want to roll out such technologies due to fears of being unable to adequately track employee behavior as people continue to work from home as a result of the coronavirus pandemic.
For example, Big Four audit firm PwC has created a facial recognition tool to help financial institutions track employees as they work from home. The software taps into employees’ webcams to capture face images and detects when employees are not in front of their screens during work hours. PwC said the technology aims to help traders abide by regulations “in the least intrusive, pragmatic way.”
Andrea Thomas, partner in the Employment and Immigration team at law firm Harrison Clark Rickerbys, does not believe using such technologies to monitor employee activity is in itself abusive, “so long as employees know that such monitoring is taking place, and that any data is anonymized, proportionate, is protected, and is not held longer than necessary.”
“I think the ICO will have more of a problem with the lack of transparency about why the system was being used, what data was being collected, and what efforts were taken to inform employees, rather than the capabilities of the software,” says Thomas.
Rachel Tozer, employment partner at law firm Keystone Law, says that since the introduction of the General Data Protection Regulation (GDPR), “employers can no longer rely on employees giving their consent via a data protection clause in their employment contract.”
Tozer says there are now additional legal considerations employers must follow if they want to monitor employees. These include identifying legal reasons for monitoring, carrying out a data protection impact assessment, and being transparent by giving employees sufficient advance information such as the type of monitoring, the reasons for it, and the use which can be made of the data obtained via the monitoring.
Tozer adds that multinational companies face two key risks in their use of such technologies: First, different countries where the organization may operate might take very different views as to how workers are monitored. Second, noncompliance with the GDPR poses significant financial risks to any organization that breaches its strict data privacy rules.
“With fines calculated by reference to the annual worldwide turnover, there are potentially very serious financial consequences—as well as adverse publicity—to taking a bullish approach to workers’ data rights,” says Tozer.