Print management solutions deliver significant benefits to employers and employees across the globe. However, with the introduction of GDPR just a few months away, concerns about employee monitoring and potential breaches of the Regulation are growing.
These solutions collect significant volumes of data each day whilst delivering security, mobility and print reduction benefits. That data answers questions such as:
- Who is printing the documents?
- What applications did they print from?
- When did the printing activity take place?
- How many pages did the employees print?
- Which print devices did they use?
This data helps to build a print behaviour profile for a company, department and crucially, an individual.
How does GDPR define Personal Data? What do the new Regulations say about such workplace monitoring?
The Regulation defines Personal Data as ‘any information relating to an identified or identifiable natural person’. As outlined above, these systems collect significant volumes of data each day relating to employees in companies across the world. Either directly or indirectly, the data will allow the identification of the individuals themselves.
Personal data collected as part of employee monitoring activities should therefore be processed in accordance with GDPR and local employment laws. This relates to user email, internet and print usage, to name but a few. Above all, employers must be aware of employee rights and freedoms.
As a minimum requirement, employee personal data must be stored securely, accessed only by those with legitimate reasons to view it, and deleted when there is no valid reason to hold it.
Likewise, employers must answer whether print monitoring is valid in the first instance. As a result, employers must ensure they are compliant with the following data protection principles:
- Can an employer demonstrate that the employee monitoring is truly necessary?
- Does the employer have legitimate grounds for collecting and processing personal data?
- Are the employer’s monitoring activities proportional to address their concerns?
- Is the employer transparent about the employee monitoring which is taking place?
What is the purpose of the monitoring activity and is it really necessary? Are other, less intrusive means available to the employer?
Of course this is a challenge when considering the data being collected and processed by the print management systems. The initial personal data allows these systems to work effectively. However, employers collect further personal data every time employees use the system. Often, this builds indefinitely in databases for analysis and interrogation at later stages.
An employer should complete a Data Protection Impact Assessment (DPIA) when there is a risk to the rights and freedoms of the employees. Given the collection of Who, What, When and Where data each working day, a DPIA would seem like a minimum undertaking by organisations using such solutions.
What is the lawful basis for monitoring? Have employers engaged local workers’ councils?
The collection and processing of personal data is vital for print management solutions to work effectively. Authenticating with print devices to release print jobs and access workflow capabilities requires certain data interactions to function.
In contrast, the ongoing storage of personal data relating to a print job plays no role in how effectively the system works on future occasions. This calls into question the legitimacy of building significant databases of personal data relating to print behaviour.
However, the storage of this data could be used to ensure that employees are not using the devices to print personal documents. Or perhaps to check for the printing of confidential information. Each organisation must confirm their own lawful basis for monitoring print usage. The question to answer next relates to proportionality.
Is the monitoring proportionate to the concerns or interests of the employer? Will collecting minimum levels of personal data allow the employer to achieve their interests?
This raises a number of subsequent questions. What level of data storage takes place? Does the data collection cover purely simple meta-data relating to the print job such as the quantity of pages and the document characteristics? Or do these systems capture details such as the name or a unique identifier of the user, the document name or even the contents of the document? Likewise, what retention period is in place for the collected data?
Understanding the processing purpose allows the definition of a ‘minimum data requirement’. As outlined in the section above, the mass collection of personal print data may be considered disproportionate to the interests of an organisation that wants to stop personal documents being printed.
Has sufficient information about the monitoring activity been provided to employees? Are new and existing employees aware of an Acceptable Use Policy?
Being open and honest with employees about how personal data is used is a key component of GDPR. This transparency also helps set employee expectations about how their time at work will be monitored. This is central to ensuring that employee monitoring is lawful.
Implementing a print management solution must coincide with a process that notifies employees about the use of company equipment and tells them that their use of it will be monitored. Employee handbooks and intranet sites should also contain such notifications.
Employers may introduce an Acceptable Use Policy (AUP), thus ensuring that employees understand how much private use of employer equipment is permissible. This often covers the use of company phones, internet and email, as well as print usage.
So, does the use of print management solutions contravene GDPR Employee Monitoring Regulations? As is often the case, the answer is not black and white. However, it is the employer that is accountable for demonstrating alignment with the Regulation.
It feels clear that where print management systems are in use, the employer must answer a series of important questions. Assuming some basic personal data is required to keep the systems functioning and delivering their stated benefits, is the ongoing storage and analysis of print behaviour data really necessary? How do employers use the data and is it legitimate?
If legitimate reasons are in place, is the monitoring proportionate to the interests of the employer? What is the minimum amount of data that would meet the employer’s needs and could they permanently delete the data after a shorter period of time?
And finally, if the monitoring is proportionate, have the employees been notified? Are they aware of the monitoring which takes place and what ‘acceptable use’ looks like? Only by answering each of these questions can an organisation answer the wider question of potential regulation breaches.
For further information on how IBC Group can advise on your readiness for GDPR, please contact one of our advisers. You can do this through our online contact form, by emailing firstname.lastname@example.org or by calling +44 (0) 330 223 4922.