New Guidelines and Recommendations on Data Protection at the Workplace

In brief, the Norwegian Data Protection Authority's updated guidelines on whistleblowing focuses on the rights to information and access, in particular with respect to the identity of the whistleblower. The study puts emphasis on the monitoring and control of employees' digital activities, i.a. that the legality of measures must be assessed before they are introduced. The Norwegian Data Protection Authority also highlights that businesses cannot assume that software is designed to meet the requirements of Norwegian law.

This article provides an overview of the key issues that are emphasised by The Norwegian Data Protection Authority in these two new publications that businesses should be aware of.

1. Guidelines on employee whistleblowing and data protection

The updated guidelines on employees' whistleblowing (Norwegian) are intended to provide support and guidance to businesses in their work with handling whistleblowing.

"Whistleblowing" is when an employee speaks up about censurable conditions in the workplace. According to the Working Environment Act, censurable conditions are those which are in breach of legal rules, written ethical guidelines in the undertaking or ethical norms to which there is broad adherence in society. Such situations may, for example, arise where there is: (a) danger to life or health; (b) danger to the climate or environment; (c) corruption or other economic crime; (d) misuse of authority; (e) an inexcusable working environment; or (f) a personal data breach.

Whistleblowing inevitably include personal data, and both the whistleblower and the person mentioned in the notification have rights pursuant to data protection legislation. The Data Protection Authority's updated guidelines focus on the rights to information and access, in particular with respect to the identity of the whistleblower.

Employers and employees are often unsure and disagree on how far such rights go, and the extent to which the employer may be exempted from the duty to inform and to give access.

As a starting point, the employer is obliged to inform both the whistleblower and the person mentioned in the notification. An important question is whether the person mentioned in the notification has the right to information about the identity of the whistleblower. According to Article 14/2(f) of the GDPR, the obligation to inform includes the information on "from which source the personal data originate". This may suggest that the employer has an obligation to inform the person mentioned in the notification of the identity of the whistleblower. The Norwegian Data Protection Authority emphasises, however, that the rights to information and access are not absolute, and that there are exemptions in the Norwegian Personal Data Act and the GDPR. Therefore, whether an employer can hold back information on the whistleblower's identity depends on whether the employer may avail himself/herself of any of these exemptions.

The employer must justify any such exemption. The exemptions in the Personal Data Act involve discretionary assessments that the employer must make in respect of each individual case that arises. The Data Protection Authority informs in its guidance, that due to the differences that may arise in each specific case, it is not possible to set down any general rule that the employer can be exempted from providing information or from access. One exemption from the duty to provide information and the duty to give access that is mentioned in the Personal Data Act, is when secrecy is required for the prevention, investigation, disclosure and prosecution of criminal offences.

In summary, this means that businesses must review their whistleblowing procedures, as well as procedures related to investigation, as relevant. They must ensure that they have clear routines in place, and that their obligations towards the whistle blower and the person mentioned in the notification are handled in accordance with applicable data protection legislation. Exceptions from the right to information and access must be assessed and documented.

2. Guidance on monitoring and control of employees' digital activities

Furthermore, The Norwegian Data Protection Authority recently published a study which includes a survey that maps employee experiences of digital monitoring and control, under the question "is the boss watching you?" (Norwegian).

Today, employers have the ability to collect large quantities of data on their employees' digital activity. Popular services from tech companies like Google, Microsoft and Zoom have inbuilt functionalities that give employers the possibility of monitoring employees' digital activities. The measures which can be used include GPS tracking, installing management software to the employee's mobile devices, checking presence through logins and examining activity logs.

The Data Protection Authority emphasises that the starting point must be that all employees have the right to privacy also in the workplace, meaning that employers are not free to adopt measures which will result in the monitoring of employees. Notwithstanding, the Authority recognises that the employers might have the right to monitor employees to protect their business against unwanted or illegal actions.

In light of the foregoing, The Data Protection Authority provides Businesses/employers in Norway with the following recommendations:

• Examine the legality of measures (new software/digital tools) before they are introduced;
• Avoid using employee consent as the legal basis for use of such measures: Employees may feel pressured to accept such measures, but consent must be freely given;
• Remember that covert surveillance of employees is illegal. Employees have a right to be informed on how their personal data is processed;
• Do not assume that software is designed to meet the requirements of Norwegian law: Employers must make an independent assessment of whether the software functionalities and tools that register the employee's digital activities are in line with Norwegian law.
• Remember the duty to use solutions that respect data protection by design and by default;
• Discuss the proposed solutions with the data protection officer, if such officer has been appointed, and with employee representatives, in accordance with employment law requirements;
• Contact the Norwegian Data Protection Authority or the Norwegian Labour Inspection Authority (Nw.: Arbeidstilsynet) for more information.

Businesses must consider what measures they currently have in place which fall or might fall within the scope of the Norwegian Data Protection Authority's guidance. In that regard it is important to be aware that the concept of "control measures" is very broad and not limited to measures with a control purpose as such. Businesses must study the Authority's recommendations and ensure that their processes are in compliance with the Norwegian Personal Data Act/GDPR and applicable requirements following from the Working Environment Act and associated regulations.

Wikborg Rein has extensive experience and expertise in data protection and privacy compliance related to the work place. Please feel free to contact our experts for assistance on the new guidelines and recommendations or for other work life privacy related questions.