How does an employer balance the right to privacy of their drivers against the legitimate rights of their business, when using vehicle trackers? What principles do employers need to comply with in order to ensure compliance under the General Data Protection Regulation (GDPR)?
Vehicle tracking technology enables employers to ensure that their employees maximise engine efficiency and improve safety. They help employers and drivers save on fuel bills, reduce downtime and reduce accidents.
The driver’s right to privacy can be balanced against the legitimate rights of an employer to operate its business and protect the organisation from rogue employees!
To continue monitoring, employers need to ensure they comply with 4 of the 6 principles as follows.
Principles of compliance
- Necessity: employers must have demonstrated that the tracking is really necessary.
- Legitimacy: the processing must be fair and they must have identified the legal basis upon which they track data (this is likely to be ‘a legitimate interest’, as above, and needs to be specific).
- Proportionality: the collection and processing must be proportionate to the issue employers are trying to manage.
- Transparency: employees (or any data subject affected) must be clearly informed. It is wise for employers to keep evidence of this!
All but the latter are likely to be established through an internal document such as a data protection impact assessment (DPIA).
What the data subject must be informed of
As part of the transparency requirement, employers must inform employees of the following, which may be covered under the ‘Driving on Company Business Policy’:
- Reasons and purposes for which the surveillance is being carried out. If vehicles may be used for private purposes, then reasons for monitoring private use should be limited and specific i.e. ensuring security.
- The details of surveillance measures taken i.e. Who? What? How? When?
- The details of any enforcement procedures.
- The details of how and when drivers will be notified that they may have breached policy or procedures (and then how they will be given an opportunity to respond to any allegations, but this will essentially be covered by the disciplinary policy).
Do you need consent?
Consent will rarely be necessary anymore in employer relationships, the imbalance in power pretty much renders consent illegitimate, because it is unlikely to be freely given. You will not need to rely on consent if you have a ‘legitimate interest’ or another one of the lawful bases for processing personal data.
If you need HR support, we have experts who can help review your circumstances and provide you with practical support and advice. Call 0844 324 5840 or contact us online to find out how we can help your business.