
I work for a Belgian company as a systems engineer, and I'm asked by the HR department to give them logs of a specific user's activity. This is about a concern they have when it comes to this user's activity while working from home (VPN).

I'm aware the employer can't ask to audit a user activity without him being notified (I do not know the legal process/laws for this).

We've got tools such as Netwrix Auditor that could even get us a video of a user's activity if enabled (currently disabled because we are unaware of the legal aspects, plus it takes a lot of storage).

My question is: what can my employer ask me to audit/monitor? What is the legal process if the employer wants to know details about a user's activity (European/Belgian laws)? What should I sign or ask for prior to beginning the investigation, so I'm somewhat protected as an employee?

In the meantime, can I simply give them the Active Directory logon events, from the VPN IP pool, for that user? Or is that already too much from a legal point of view?

Thanks for your help!

Ob1lan

3 Answers


Belgium enacted an implementing law, the Act of 30th July 2018 on the protection of natural persons with regard to the processing of personal data. This, along with the GDPR, is the key legislative reference that relates to your question.

On 5th September 2017 the ECHR judged that it "considers that States should ensure that, when an employer takes measures to monitor employees' communications, these measures are accompanied by adequate and sufficient safeguards against abuse". This case set a precedent relevant to employee monitoring in Belgium.

This is most definitely a data protection or privacy law matter and the DPO should be consulted. If they have to do research, that shouldn't be your concern as that is their job. The company must support the DPO in what they need to do that job, as such is literally written into the GDPR. Furthermore, in this case it would, by my evaluation, be necessary to conduct a Data Protection Impact Assessment (DPIA) for the monitoring activity, and if one has been done, it should document the recommendations and requirements or what is already in place.

You as an individual may also ask a question of the Data Protection Authority.

You might ask them about your position and liability as an employee, but I would be more concerned, if I were you, with verifying that your actions are above board rather than trying to cover your ass just in case they aren't. Do the right thing, even if that means questioning the direction you've been given.

AD logons still identify the person logging on, and may include source IP, which is specifically listed in the GDPR as within the scope of 'personal data'. So while there may be a legitimate need to process such data, it needs to be gone about in the right way.

Actions taken by an employee are taken by the organisation in terms of processing personal data, so whatever you are asked or ordered to do will be done by the company. If you are being offered no legal justification for doing so, you might document the direction you are given and question it respectfully, pointing out that if it is found to be unlawful, it is the company that would be in trouble, all while knowing that should there be, for example, an unfair dismissal, you have a record of who asked you to do what, how you challenged or questioned it, and what the outcome was.

Sam_Butler

Ideally, an employer should have a code of conduct or policy that covers workplace monitoring. If a code or policy has been agreed, it will usually form part of your contract of employment. This means that where an employer is allowed to monitor your activities, these activities could be the subject of disciplinary action if you are using workplace equipment in ways that are not permitted in your contract of employment.


The GDPR is no blanket prohibition of data use; it requires a legal basis and/or the consent of the data subject for data processing.

Is your company large enough to require a data protection officer? If so, consult this officer. If not, talk to the legal department. Document that, and you should be legally on the safe side if they tell you to go ahead. An IT specialist is not required to second-guess the lawyers.

o.m.