Regulatory investigation: privacy and remote control tools in the workplace
By decision dated 13 July 2016 (Doc. web no. 5408460) the Guarantor for the protection of personal data, examining a case of processing data on the use of email and the internet by employees of a university, provided a definition of “working tools” in accordance with art. 4, second paragraph, of the Workers’ Statute.
Article. 4 Stat. Lav. introduced by Legislative Decree. n. 151/2015 stipulates that the framework referred to in the first paragraph (ie, the need for a union agreement or authorisation of the Territorial Directorate of Labour in the case of the use of audiovisual equipment or other tools if there is a possibility of the remote control of workers) does not apply to “working tools” (including means of recording access and attendance).
In the note dated 18 June 2015, the Ministry of Labour said that new art. 4 Stat. Lav. does not “liberalise” checks by the employer but simply clarifies what “cannot be considered” remote control tools, “those tools
that are assigned to the worker” to allow work performance. (Once these would have been called “work tools”). These include PCs, tablets and mobile phones.
The Ministry then stated that, where such items are changed (for example, with the addition of special localisation software or filtering) to control the worker, such changes could be made only with the agreement of unions or with the authorisation of the Territorial Directorate of Labour.
In the case examined by the Ombudsman it showed that, based on the specific system configuration, data on the use of electronic mail and the internet was recorded in a system and kept for five years. Furthermore, the system made it possible to trace the identity of the user’s location, via system administrator intervention.
For these reasons, the Ombudsman considered that this method of treatment of the data is likely to allow a control of the activity and the use of network services performed by identifiable individuals, resulting in violation of the principle of lawfulness, of Articles. 11, paragraph 1, lett. a) and 114 of the Privacy Code and Art. 4 Stat. Lav., as a result of changes made by art. 23 of Legislative Decree. N. 151/2015.
In particular, the Guarantor pointed out that the concept of “working tools” in art. 4 Stat. Lav., second paragraph, can only consist of services or software that have a strictly functional application to work performance, even under the security profile. From this point of view and as an example,”tools” can be applied to the e-mail service offered to employees (through the attribution of a personal account) and the other services of the company network, including connection to Internet sites. They constitute an integral part of the functionality of the items, systems and measures allowing the physiological and safe operation while ensuring a high level of security of the corporate network (for example: logging systems for the correct operation of the service e-mail, with preservation of only external data, contained in the so-called “envelope” of the message for a short duration never exceeding seven days. Anti-virus filtering systems that detect security anomalies in workstations or servers. Provision of network services providing automatic inhibition systems. Consultation on irrelevant content network rather than institutional recording of access attempts.)
The intervention of the Supervisor is clearly not decisive, however it is necessary for an assessment to be made case by case since the “narrow functionality” of a software and / or application with respect to the working performance (also in terms security) cannot do without verification of the specific activity undertaken by the worker and / or the industry in which he/she operates.