Every breath you(r employees) take… The legal implications of monitoring staff in smart buildings

Proptech makes a revolutionary promise: to change fundamentally the way buildings interact with their occupiers.

Savvy landowners are already future proofing their bog standard bricks and mortar with proptech. Sophisticated security systems are installed and environmental impact information is tracked. In our gig economy world of flexible working arrangements and lease terms, such technology can be key to attracting tenant loyalty. Occupiers expect a differentiated offer and with the right smart phone apps, landlords can become fully integrated service providers. In live/work buildings, tenants are attracted by holistic lifestyle solutions.

But just as proptech can empower and incentivise individuals to put down roots, it also creates a tantalising repository of data and, in the commercial property world in particular, this swiftly encroaches on employment relationships. The Trades Union Congress (TUC) reports that more than half of UK employees fear workplace surveillance, whether being monitored online or even tracked in person (with facial recognition security systems or even mood monitoring software). The gauntlet has been thrown for property developers to create an ethical environment that respects individual rights in more efficient (and marketable) physical workplaces. In the meantime, how is the legal landscape accommodating new smart technology? 

Happy haptics talking

A fair number of column inches have debated the microchipping of employees and similarly touch feedback wristbands that help employees navigate their working environments.  Physical nudges can contribute to broader operational efficiencies, but they can also, it transpires, start the clock ticking on toilet breaks.  While this may have legitimate safety applications, such as arguably the Crossrail project involving workers wearing wristbands which sensed fatigue, in the brave new world of proptech the relationship rules are not always clear.

And if the sound of haptic nudges and implants is a little off key to our ears, the TUC believes it is nothing less than a Munch style screech to employees. How long before the impact on workplace morale morphs into broader reputational risk for the corporates involved? It takes a certain level of market confidence to spearhead this technical push for efficiency.

There exists a very real tension between the scope of proptech and the privacy rights of individual employees. Many would acknowledge that the link between time at your desk and actual productivity can be rather flimsy, but there is something reassuring for employers about face-to-face (over the shoulder) management and it tends to be less intrusive from a data perspective. This is already hard fought ground. Monitoring remains a key area of dispute in the UK and Europe – but employment courts are increasingly presented with proptech data grabs as evidence of idleness or misbehaviour. In parallel, the civil courts see a rise in allegations of data breaches and misuse.

Still, traditional ways of running workplaces are being eroded with the shift towards agile working and for some, proptech can abate (or affirm) management anxieties. Did Bob's meeting really last the whole day? You could always check the facial recognition security cameras to see when he left the building… How long exactly did Jane spend at lunch? Just download stats from her desk's motion sensor (the one installed to stress test the company's property footprint), or have a sneak peak of the smart card canteen records…

It's obviously tempting, but there is no legal right for employers to monitor output in this way and in fact there are clear risks in doing so. 

Generally, when it comes to monitoring staff, you must spell out clearly what you are doing and when it might be used. So if you want to mine CCTV footage later, you need to have already told them the systems are operational, made notifications clearly visible (and brought them actively to their attention) and explained that resulting footage may be used for employment management purposes. 

Monitoring should be limited, targeted, time bound and proportionate. If checking messages, for example, consider whether employees have an expectation of privacy.  Monitoring of activities outside the workplace (whether that be purchasing choices, location tracking or other forms of monitoring), even if in the same building, will in almost all cases not be justifiable.  Whilst a reasonable suspicion of criminal activity might be an acceptable basis for monitoring, checking up on productivity is generally less acceptable as far as the courts are concerned.

Get it wrong, and you will be in trouble.  Aside from the data protection risks, even if you catch an employee red handed on CCTV, if you haven't warned staff appropriately about the use of the CCTV tribunals may be unwilling to find that you carried out a fair process or had sufficient grounds to discipline or dismiss fairly.  This can have significant financial implications. The ICO, as well as tribunals and courts, don’t tend to have much sympathy for employers who want to use monitoring data to dismiss without informing staff of the risk beforehand. 

Do also consider the employee relations aspect. As demonstrated by TUC, staff tend to be suspicious of employers tracking their movements or spending habits. Given the need to inform employees, think about how your proposals will come across; if you think they will baulk, you are far more likely to run into complaints and claims further down the line.

Data, data everywhere, but not a drop to drink

There are also data protection implications. Engagement apps, acting as a customised employee concierge, generate considerable data on purchasing and lifestyle habits. Those processing such personal data are under strict obligations to identify a clear legal basis for doing so; inform data subjects what data is being collected, and why and how it is being processed; store it securely; and keep it for no longer than necessary. The General Data Protection Regulation 2016 ("GDPR") introduces significant sanctions for breach (including fines and potential suspension of data transfers or processing activities). 

Landlords are clearly attracted by the ability to collect personal data and generate new (valuable) models on the spending patterns of individuals, but it may be hard to identify a legal basis for doing so. A legitimate interest in processing data is difficult enough to justify for consumer data; it is even harder for employers. Consent is not a viable option for most employees – the obvious power imbalance makes it difficult to argue that their consent to workplace monitoring was "freely given". The Information Commissioner's Office has taken a clear stance on this point. 

Landlords and employers who get this wrong may face criticism and penalties in the civil and employment courts. Attempts to use personal information for a different purpose than it was collected for risk a clear GDPR breach, as does selling harvested information. Landlords and tenants alike need to ensure they have GDPR proofed their intended activities.

Consider that snazzy coffee ordering app. All that caffeinated data could easily drive future targeted sales promotions in the canteen. There's nothing unduly nefarious about this in principle, the driver may be creating a happier, more productive workforce, but companies collecting and processing such data still must properly comply with GDPR. The risks to individuals in processing their data would likely be deemed to outweigh the landlord/employer's legitimate business interest.

Not just watching, but paying attention

Just a few years ago, tenants could probably not even name their landlord. Now, proptech is successfully ramping up occupier engagement, driving real estate marketability. Landlord brands are strengthening and the workplace spaces made possible by proptech are bringing a fair amount of 'cool' to serviced office providers such as WeWork. Still, where technology directly impacts on employment relationships, by accident or design, users must understand existing legal frameworks to maximise and benefit from the technology. Ask not just who is watching, but also who is paying attention to the minefields of employment law, reputational risks and data protection. Responsible landowners must interrogate proptech and its data uses, and protect themselves accordingly. For the time being, chasing down its possibilities across the wide open legal field can be more challenging than installing it within four walls in the first place. 

Clare Harman Clark is a senior professional support lawyer in the real estate group and Stephanie Creed, who is a senior associate in the employment group at Taylor Wessing.