Employer Vehicle Tracking
While employer vehicle tracking is a necessary implication of modern business, it can have substantial consequences for the privacy of employees.
Every employee has a right to privacy, whether under a public organization or in a private working environment. Article 8 of the European Convention of Human rights establishes the right of employees to a reasonable expectation of privacy in the workplace. It is a law that has been confirmed by the European Court of Human Rights, alongside other regional and international human rights treaties.
These laws impose an obligation on employers to avoid abusing in-vehicle tracking systems in company-owned vehicles. Indiscriminate use of such systems interferes with the privacy and data protection rights of an employee. According to the General Data Protection Regulations (GDPR) and Data Protection Act 2018, location data the location data qualifies as personal data once it involves an individual.
Employers are to note that by making use of the vehicle tracking, they are not just collecting data about the vehicle but also taking personal note of the employee’s behavior. As a result, it is critical to understand what is allowed and actions that might be illegal when using vehicle-tracking systems.
This guide explains the laws surrounding employer vehicle tracking and provides a checklist of actions that employers can refer to in determining what is lawful.
Laws regulating in-vehicle tracking
There are legal bases for implementing in-vehicle tracking that employers must follow. The employers’ real interest to process personal data to develop the employment relationship and the business operation has justifiable limitations to the privacy of the individuals at the workplace.
However, the data protection principle requires transparency, fair and lawful processing of data, and mandates that any intrusion into an employee’s privacy is fair and proportionate.
According to the guidance on the legal bases for processing personal data, Article 4(11) GDPR talks about the difficulty in obtaining ‘freely given’ consent, due to the nature and power imbalance found in the relationship between an employee and an employer. It should be noted that consent is revocable by an employee at any time and they shouldn’t suffer any implications for doing so.
Employers must identify the legal basis and ensure that the processing of their employees’ data complies with Article 5 GDPR. This includes; lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Article 6 GDPR says that the processing of personal data should be on legal bases which include: consent, contract, legal obligation, vital interest, public task, or legitimate interest. Article 6(1)(f) GDPR is a legal basis for processing location data which is a necessity to process vehicle data location as it concerns the business interest.
Article 21 GDPR provides a right for an employee to object to data processing carried out in the interest of the business. This also includes the right to object on vehicle tracking based on the same grounds.
Purpose limitation and data minimization
Employers are to ensure that their data processing meets the obligation of purpose limitation and data minimization according to Article 5 of GDPR. The specific purpose of vehicle tracking and the collection of personal data should be identified before the implementation of technology that allows for such. Data collected shouldn’t be used for something else other than the purpose it was created for.
The original purpose is for security reasons in case the vehicle gets stolen but monitoring and evaluating an employee’s act is incompatible with the original purpose. In conjunction with the principle of necessity and the principle of data minimization, employers should note that vehicle tracking shouldn’t be carried out if the purpose of it can be achieved by a lesser means.
Transparency and the Right to be Informed
The implementation of in-vehicle tracking by the employer should follow the rules of transparency obligation under GDPR, and be sure it meets the employee’s right to be informed. Employees must be informed of the existence of the tracking device in their vehicle. They should be informed of its operation and its purposes on their data.
They should know about the records being created, why it is necessary, what it is used for, the duration it should last, who has access to them, and for what reason. On no account should an employee be left in the dark about the tracking’s existence or the purpose of its implementation. They should be notified and given clear and concise comprehensive information about the type and purpose of the tracking.
Article 29 Working Party (WP29) recommends that such information should be displayed in every car within the eyesight of the driver. This may not seem compulsory but it is surely good practice for the compliance of transparency requirements. Employers should make available to drivers the policy of using vehicle tracking.
Data Protection Impact Assessment (DPIA)
A DPIA is carried out by an employer when there’s a need to monitor vehicle location data. Article 35(1) GDPR states that a DPIA should only be carried out when processing is likely to result in a high risk to the rights and freedoms of individuals.
When is a DPIA needed?
The European Data Protection Board, after replacing the Article 29 Working Party, endorsed the guidelines that show the processing that is likely to result in a high risk for the GDPR. They include:
- Evaluation and scoring
- Systematic monitoring
- Sensitive personal data
- Innovation and technology
- Data containing vulnerable data subjects
How should a DPIA be Carried Out?
A DPIA should be able to identify the risks of an employee’s rights and freedom. A DPIA should be conducted before implementing an in-vehicle tracking policy and must be kept accurate and up-to-date. DPIAs should contain:
- A description of the processing operation alongside the purpose of the processing and, the interest of the processing.
- A full check on the necessity and proportionality of the processing about the purpose.
- A full check on the risks attached to the rights and freedoms of the data subject; and,
- The measures that are to be taken to curb the risk.
Practical steps to compliance for employers
Below are a few practical tips for employers who are considering the choice or have already implemented vehicle tracking. This is to ensure that it is done in a limited, equal, and lawful manner:
#1 Limit the time and/or location when tracking takes place
The location data should be accessed by an employer only during an emergency. This can be done by activating the vehicle’s location visibility, accessing its already stored data in the system when the vehicle leaves its supposed region.
This limited access to location data will take you away from a potential infringement of employee’s data protection and privacy rights. The processing must be done proportionately and necessarily.
#2 Be careful when implementing new technologies
Some technologies do not respect transparency rights and may be considered high risk. Employers should note that the data that is strictly necessary for this purpose is processed and the employee informed of its existence, its purpose of implementation (tracking), which is by the employer’s full transparency obligation.
#3 Implement an opt-out measure
Whereby a work vehicle is used for private use outside of working hours, employers should be vigilant enough to ensure compliance with GDPR. In the case of a privately owned vehicle used for work purposes, an opt-out measure should be provided. This is allowing the tracking device turned off or disabled with a privacy switch. Employees should not only be informed of the tracking device and its use but also be trained on how to use the privacy switch.
#4 Limit tracking and avoid intrusion into employee’s life
The legal basis grounded in Article 6 GDPR says that it is quite unlikely for the tracking of an employee’s vehicle to be lawful outside of work hours. This may lead to interference with the right to privacy and data protection rights of the employee.