GDPR: Example email, internet and technology policies updated
We have revised our model policies on the use of email and internet, telephones and portable electronic devices to comply with the General Data Protection Regulation (GDPR). Our sample "bring your own device to work" (BYOD) and CCTV policies have also been updated.
Why review your documents?
The introduction of the GDPR means that employers should review their procedures and documentation to ensure that:
- data protection and privacy considerations are embedded;
- only the minimum amount of personal data is collected and processed for a specific purpose;
- there is a legal basis for processing personal data; and
- individuals whose personal data is being processed are provided with privacy notices.
The GDPR, which is in force from 25 May 2018, requires employers to be transparent about the personal data that they hold and how it is used. They also have to show that they are complying with the GDPR's data protection principles.
Information obtained from monitoring an employee's use of email and internet, telephones and portable electronic devices may amount to personal data. It is important that employees are told why data is processed and the legal basis for processing as well as what type of monitoring is carried out.
Employers will generally be able to justify processing data during monitoring on the legal basis that it is in the organisation's legitimate interests to do so. However, employee monitoring should not be disproportionately intrusive.
There are some specific issues for employers around "bring your own device to work" (BYOD) and CCTV policies. A BYOD policy should have strict limits on what "special category data" is processed on personal devices and safeguards in place to prevent data breaches. A CCTV policy should explain what the footage will be used for, who will have access to it, and how long it will be kept before being erased.
We have therefore updated our model policies on the use of technology and employee monitoring to take account of the GDPR as follows:
Email and internet use
Use of computers and other electronic devices
Policy on hand-held or portable electronic devices
Updated with a new section to explain how personal data will be handled when monitoring the workforce's use of the organisation's hand-held or portable electronic devices.
Policy on the use of personal devices for work/bringing your own device to work
Updated to set out:
- the implications of the GDPR;
- the strict limits on what data should be held on personal devices;
- to whom data breaches should be reported; and
- how personal data will be handled when monitoring use of personal devices for work.
Policy on CCTV use
Updated to set out:
- details of the data controller;
- when CCTV will be used; and
- how footage will be stored and how long it will be retained.