Privacy in the workplace: new Italian and European regulation.
In 2015 Article. 4, Law 300 of 1970 (Workers’ Statute) was reformulated by the Jobs Act governing “Remote Controls”.
- There is no longer the general ban on the remote control of workers;
- There is the possibility of using audiovisual equipment and other tools of remote control of workers’ activity “exclusively for organisational and production needs for job security and the protection of company assets, with prior collective agreement with the internal trade union representation or the company union representatives or authorized Senior Labour Inspectors;
- Expressly excluded, is the necessity of agreement for trade union or ministerial authorization for the tools used by the worker for job performance (PCs, tablets, mobile phones …), even though the same also construes the possibility of a worker’s remote control;
- It is possible to use the information and data collected through audiovisual systems (previously authorised) and the working tools (which do not need authorisation) for “all purposes relating to the employment relationship” provided that the worker is given adequate information on the operating mode of the instruments and controls in effect and in accordance with the provisions of Legislative Decree 30 June 2003, n. 196.
Therefore, a prerequisite for the use of data resulting from these instruments (such as PC, tablet, smartphone) and in order to prevent misuse, there must be compliance with Italian law on Privacy.
Following the introduction of the new standard of the Privacy Authority, it has been applied several times in recent months with regard to the limits for the use of certain work instruments, sometimes even in “unusual” circumstances. For example the authorisation of the use of an “app” for detecting clocking in/out, which has been discussed in the media.
The Guarantor for Privacy expressed on September 8, 2016 against a request made by an administration agency, concerning the possibility of using a specific applications ? containing geographical location features ? installed on smartphone devices of employees, enabling a “stamping card and attendance recording”, by entering their login credentials and clicking on “button input” and “output” for use when travelling.
The Guarantor has provided that “The processing of personal data of employees is subjected to preliminary consents of the geographic location of smartphone devices of employee ownership (and, indirectly, the geographical position of such workers) through the activation of a direct application of the recognition of in-service presence.
Considering that the personal data relating to geolocation ? refers to the “geographical location of the terminal of an electronic communication service accessible to the public” under Article. 4, paragraph 2, letter. i) of the Code ? should be treated by taking special precautions and smartphone devices are, in view of their normal potential use and common use of the same, intended to “follow” the person in possession of it regardless of the distinction between time working and non working time. This treatment presents specific risks for the freedom, rights and dignity of the employee in accordance with Article 17 of the Code”.
It has been pointed out how the employer would need to detect that the clocking in and out was indeed carried out at the place of work and not elsewhere, to avoid abuse.
The Guarantor decided to authorise the use of the app, with some precautions, ie requiring that the administration agency limited itself to retaining only data related to geolocation logged into your workplace and at the time of clocking in/out, with date and hour, and should, pursuant to the principles of transparency and fairness, configure the system so as to make more it visible on the device screen, an appropriate icon to indicate that the tracking function is active, as well as to prevent accidental data treatment “beyond the scope” than the authorised treatment purposes.
A recent Order of 13 July 2016, has drawn a line between “legitimate” software and software that goes beyond the notion of a “work tool.”
Treatment under prior evaluation appeared to be carried out by software systems, with no user perceptible (cd in the background) and fit to engage in operations of “monitoring”, “filter”, “control” and “tracing” constant and indiscriminate access to the Internet or e-mail service by users.
The Guarantor considered that “such software can not be considered” tools used by the worker for job performance “(pursuant to Art. 4, paragraph 2, ln 300/1970 …)” and that such treatment would put them in violation of the principles of necessity, relevance and not excessive use provided by the Privacy Code that do not allow massive controls, prolonged, constant and indiscriminate, such as in the present case, the systematic recording of data related to the MAC Address and particulars of access to network services.
They are instead work tool software for strictly functional application to work performance, even under the security profile. From this point of view, and without limitation, “tools” may be considered to be the e-mail service offered to employees (through the attribution of a personal account) and the other services of the company network, including also the connection to Internet sites. The Guarantor specifies that “An integral part of these instruments are the systems and measures which allow physiological and safe operation in order to ensure a high level of security of the corporate network made available to the worker (for example: logging systems for the proper exercise of the e-mail service, with preservation of the only external data, contained in the so-called “envelope” of the message, for a short duration never exceeding seven days, and anti-virus filtering systems that detects security anomalies in the stations of work or on servers for the provision of network services; automatic inhibition systems consultation of irrelevant content network, no recording of access attempts).”
Even the National Labour Inspectorate has spoken on the subject in its Circular 2 of 7 November 2016. In particular, he stated that these instruments must be considered as work equipment, and devices that “constitute the indispensable means to the worker to fulfill the job performance of the obligation in the contract, and for this purpose placed in use, and made available.”
The geolocation systems represent an “added” element to the working tools, so that you need the union agreement or the authorisation of the Inspectorate of Labour.
If the tracking systems are installed to allow the concrete and effective implementation of job performance, in the sense that the same can not be made without the use of such tools or installation is required by specific legislative or regulations (eg. use of GPS systems for the transport of valuables than EUR 1,500,000.00, etc.), neither the agreement nor the authorisation are needed.
It can be assumed that they end up “transformed” into real working tools with the result that, pursuant to paragraph 2 of art. 4 L. n. 300/1970, it is not required to have the collective agreement or the administrative procedure of an authorisation character (provided for in paragraph 1 of the rule of law itself).
Consistent with the above, there is increasing attention to the issue of privacy from Italian and European legislators with its implications related to employment relationships.
New European Regulation 679/2016 relating to this came into force 25 May 2016
There is so much work to do, by businesses and public administration, to adapt not only to the new Italian rules on remote controls (and the guidelines set by the provisions of the Authority Guarantor) but also to the new European Regulations.