Fashion Retailer Privacy Fine Points The Way For Pandemic Worker Monitoring And Profiling

Yesterday’s landmark €35M data privacy fine imposed on fashion retailer H&M by the Hamburg Data Protection Commissioner might be dismissed as an anomaly based on very unusual facts, but there are hidden lessons here for all organisations operating in Europe that have implemented new employee monitoring and profiling systems as part of their response to the Pandemic.

Back to work interviews

According to the findings of the German regulator, H&M runs a service centre in Nuremberg where, since 2014, its employees have been required to take part in back to work interviews following holidays and periods of sick leave. During these interviews notes were taken, gathering broad information about private and family lives. In cases of holiday leave, notes were taken about the worker’s holiday experiences, and in cases of illness they would cover symptoms and diagnoses. Sometimes there would be follow-ups over time. The data was digitally stored, with some parts being readable by up to fifty managers, and it was used to evaluate work performance and in subsequent decision-taking.

The story was uncovered following an incident in 2019, which led to the data being accessible company-wide for a few hours.

The regulator considered this to be a particularly intensive encroachment on employees’ civil rights, hence the amount of the fine, which now stands as the European record for unlawful employee monitoring and profiling. In addition to the fine, H&M also set up a compensation scheme.

How unusual is this case?

If an organisation has employees, it will process their data, period. So what about back to work interviews? Granted, holding these after a holiday does seem odd, but after sick leave, perhaps not odd at all. And perhaps the longer the period of absence and the more serious the illness, the more common this will be. Where there is health and safety legislation in place, or equality legislation, the back to work interview might not just be required as a matter of good practice, but as a matter of law, to ensure that reasonable adjustments are made, if necessary.

So this case isn’t really a judgment against the concept of the back to work interview, the building of profiles, the taking of decisions based on such information, or record keeping of the facts and results. It’s about the boundary lines for these things, where they lie, what they consist of and whether they are understood.

Back to work talks and the Pandemic

So how extendable is this case?

Well, 2020 has been defined by the Pandemic, lockdowns, testing, contact tracing and self-isolation. The workplace is one of the central environments affected by the Pandemic. And the rules that apply to these matters have not always been clear and obvious, whether by accident, negligence or design.

So it’s obvious how extendable the case is, but to spell it out: as part of organisational good practice for health and safety in the workplace, interviews will be held about COVID sickness and absence, perhaps supplemented by temperature tests, medical tests and image data. Records will be created, stored and accessed. From time to time there will also be data handling blunders, with information being wrongly accessed and released.

When processes are spun up at pace, under stress and within an imprecise or ambiguous set of rules, there will be inherent risks of misunderstanding and overstepping of the boundaries. H&M situations could easily be repeated many times, all over the world.

Working from home

The back to work conversation isn’t the only risk area for employers. Where working from home has taken over from office-based work, privacy risks will abound. Our adoption of video conferencing tools has provided an unprecedented window into the heart of the home and family life. In this situation our conversations and communications are almost always processed, even where our lips still do the talking. Our computers and smartphones are a perpetual tether to the employer. Every keystroke and button press creates a record. All of this contains massive new monitoring potential and the risk of legal mistakes.
