Control Measures in the Workplace – Rules on Monitoring, Email Access, and Privacy

In employment relationships, the employer may need to implement various forms of control measures. This can include everything from time registration to camera surveillance and drug testing. Although the management prerogative provides the employer a basis to implement such measures, the Working Environment Act and privacy legislation impose important limitations. This article provides an overview of the legal framework for the employer's access to implement control measures, with a particular focus on the conditions for control, procedural rules, and the specific rules about access to email.

What is a control measure?

The term "control measure" in the Working Environment Act § 9-1 is not defined by the law, but according to preparatory works, it is meant to be extensive. It can include:

• Time registration systems

• Access control

• Production control and quality assurance

• Camera surveillance

• Drug testing

• GPS tracking and fleet management

• Access to email and electronically stored material

It can be challenging to delineate what constitutes a control measure, but this is considered less important since the employer is nevertheless bound by general fairness requirements in the exercise of the management prerogative.

Control measures and privacy

Control measures in working life raise two main issues:

1. Whether the employer has the right to implement the control measure itself (regulated by the Working Environment Act chapter 9)

2. Whether the employer can process personal data collected through the control measure (regulated by the Personal Data Act and the General Data Protection Regulation/GDPR)

For example, the right to drug test an employee is regulated by the Working Environment Act, while the processing of the test results is regulated by privacy legislation.

Conditions for implementing control measures

The Working Environment Act § 9-1(1) sets out two cumulative main conditions for control measures to be legal:

1. The requirement for factual basis

A control measure must have a "factual basis in the company's circumstances." This means:

• Business-related factual basis: The purpose must be anchored in the company's needs, not in general societal considerations

• Individual factual basis: The measure must be factually based on the individual employee it affects

• Suitability and necessity: The measure must be suitable and necessary to achieve the purpose

The requirement for a factual basis also involves a requirement for persistent factual basis: The control measure must cease if the factual basis is no longer present.

2. The proportionality requirement

The control measure must not involve an "unreasonable burden" on the employee. In this assessment, consideration must be given to:

• The purpose of the measure

• The nature of the control and how intrusive it is

• How the control is conducted

• Whether key privacy considerations are safeguarded

• The sum of all control measures in the company (not just the individual measure)

Procedural rules for control measures

The Working Environment Act § 9-2 imposes requirements on the procedure for implementing control measures:

Duty to discuss

The employer must discuss the following with the representatives:

• The need for control measures

• The design of the measure

• The implementation of the measure

• Significant changes to existing control measures

The discussion should take place "as early as possible," so that representatives have a real opportunity to provide input before a decision is made. It is the systems for control that should be discussed – not the individual control.

Even if agreement is not reached, it is the employer who ultimately decides whether the control measure should be introduced.

Duty to inform

Before the control measure is implemented, the employer must inform affected employees about:

• The purpose of the measure

• Practical consequences

• The duration of the measure

Duty to evaluate

The employer and representatives should regularly evaluate the need for the control measures that are implemented, to ensure that the requirements for factual basis and proportionality are still met.

Breaches of procedural rules do not automatically make the control measure illegal, as the provision is an order regulation. Nonetheless, breaches of procedural rules may have implications in assessing whether the measure is factual and proportionate.

Access to email and electronically stored documents

Scope

The employer's access to the employee's email and other electronic data is specifically regulated by the regulation on employer's access to email accounts and other electronic materials. The regulation covers:

• Email accounts that the employer has provided to the employee for use at work

• The employee's personal areas in the company's data network

• Other electronic equipment provided to the employee by the employer

• Deleted data that the employer can access through backups

The regulation applies to both current and former employees.

Conditions for access

The employer can only carry out access if one of the following conditions is met:

1. Necessary for daily operations or legitimate interests: Access must be necessary to uphold the daily operations or other legitimate interests of the company

2. Justified suspicion of misconduct: There must be justified suspicion that the employee's use of the email account constitutes a gross breach of the employment relationship or may provide grounds for dismissal or discharge

Procedural rules for access

When the employer is to carry out access, the following procedural rules must be followed:

• The employee shall "as far as possible" be notified and given the opportunity to express their views before access

• The notice shall include the employer's justification and information about the employee's rights

• The employee has the right to be present during the access

• The employee has the right to be assisted by a representative

• The employee has the right to object to the access

If access is performed without prior notice, the employee shall be informed in writing as soon as the access is completed. Information that is not relevant to the purpose shall be closed immediately and any copies shall be deleted.

When employment ends

When the employment relationship ends, the following rules apply:

• The email account shall be closed unless there is a special need to keep it open for a short period

• Stored information shall be deleted "within a reasonable time," unless operational considerations indicate that the information should still be retained

Control measures in case of suspicion of misconduct

In case of suspicion that an employee has committed misconduct (e.g., economic crimes), it is assumed that the employer has somewhat extended access to control. The prerequisites for this are:

• It must concern significant misconduct

• The suspicion must be well-founded (assumptions are not sufficient)

• The more serious the matter, the stronger the suspicion, and the more difficult it is to secure evidence by other means, the greater intrusion can be accepted

There is still a limit to how far the employer can go – the responsibility for investigation lies with the police.

Conclusion

The employer's right to implement control measures involves a balance between the employer's legitimate need for control and the employee's right to privacy and integrity. The Working Environment Act and privacy legislation set clear boundaries for this balance, with requirements for factual basis, proportionality, and correct procedure. Particularly sensitive areas, such as access to email, are subject to stricter regulation.

By following the regulations, the employer ensures that the control measures are lawful, while safeguarding the fundamental rights of employees.