Datatilsynet Norway has issued a helpful guide on the data protection aspects of employee monitoring, which are helpful for GDPR, but also for California employers with CPRA bringing employee rights into play in 2023.
In addition to this handy checklist, employers should also remember:
- Beware of data that is sensitive or deemed especially personal (personal email?)
- Beware of real time monitoring. Recording zooms and chats may be covered under US wiretapping laws and require two-party consent.
- Disclosure is almost always required, and CCPA/CPRA require it in real time (as do some other state laws).
Datatilsynet’s Checklist for Employers
- Is the inspection in accordance with the requirements of the Working Environment Act, Chapter 9?
- Have you given the employees enough information about the inspection routines? Have you made guidelines?
- Is it necessary to make an inspection? Or can you achieve the same result with less intrusive measures?
- Is the inspection legal? What legitimate interest do you have that makes it necessary to inspect? Why does this interest take precedence over the interests of the employee?
- How do you ensure the requirement for data minimization and proportionality in implementation?
- How will you meet the procedural requirements? Should an employee be notified and given the opportunity to be present? If not, why not?