Driving data protection compliance: employee vehicle monitoring
What is vehicle monitoring and why?
Vehicle monitoring refers to the practice of collecting and analysing data related to the operation and usage of vehicles. Businesses are increasingly using employee vehicle monitoring to improve productivity, optimise management, and ensure safety, including the use of telematics systems consisting of GPS technology, onboard vehicle diagnostics and other inbuilt software. GPS technology enables organisations to monitor and manage their vehicles by collecting real-time data on location, speed, fuel use, and more. This data can be used for optimising routes, improving safety, and cutting costs. Vehicle telematics systems that combine GPS technology with other telematics technology enable organisations to gain more sophisticated insights into driver behaviour, vehicle diagnostics, and fuel use. Apart from speed, a telematics system can capture details such as accelerator and brake usage frequency. Other monitoring tools, like dashcams and in-cabin cameras, can enhance security by recording footage inside and around the vehicle.
The monitoring of vehicle telematics systems enables organisations to gather a wealth of data, encompassing not just vehicle-related data, but also personal data such as employee whereabouts, driving habits and other activities. It may even be possible for organisations to collect personal data about third parties, such as passengers or other road users.
What do you need to consider?
Data protection principles: Under the UK General Data Protection Regulation ("UK GDPR"), businesses must ensure that the collection and processing of personal data is lawful, transparent, and for specific purposes. In particular, businesses should consider the following:
- Lawful basis: In determining the most appropriate legal basis (or bases) for processing personal data obtained through employee vehicle monitoring, businesses should consider the extent to which vehicle tracking is necessary for a specified purpose, whether employees reasonably expect such monitoring due to the nature of their work and whether such monitoring is essential for organisations to adhere to a legal requirement or for insurance purposes.
Consent will not usually be appropriate within the employment context due to the imbalance of power between employers and employees. As consent must be freely and genuinely given, and employees must be able to refuse it without any negative consequences, it is often challenging for employers to rely on their employees' consent for vehicle monitoring.
- Transparency: Employees should be informed about the purpose of monitoring, types of data collected, how the data will be used, and their rights in relation to their personal data. Typically, this can be achieved through privacy notices, data protection policies, and open dialogue with employees. This is especially crucial when employers plan to use any personal data they have gathered for purposes such as internal disciplinary actions. Apart from complying with the law, transparent and open communication helps build trust and ensures that employees understand their rights and how their data is being handled.
- Data Minimisation and Purpose Limitation: Businesses should collect only the necessary data to achieve their stated objectives, avoiding unnecessary or excessive data collection. Where possible, employers should look to the least intrusive method when monitoring vehicles. For example, could the same goal be achieved by having employees manually submit the mileage or distance covered during work hours? A possible issue in this context is whether vehicle monitoring should extend beyond work hours. The ICO's guidance on employee monitoring points out that if employees are permitted to use company vehicles for personal use, monitoring during such personal use is seldom justifiable.
- Data Protection Impact Assessments (DPIAs): As good practice, businesses should consider carrying out DPIAs to identify and mitigate potential risks associated with their monitoring systems. This is especially crucial when the monitoring system in question poses a high risk to the privacy rights of employees and of third parties both inside and outside the vehicle, and a risk of breaching any data protection principles. Businesses should consider if the monitoring tool captures, for instance, any audio or video of the driver and any third parties, and whether that is necessary. For example, in 2017, Uber was said to have discontinued the use of the surveillance tool known as "Heaven" within the Uber app after facing allegations of its employees unlawfully using it to track the movements and journeys of passengers travelling in an Uber vehicle. As a consequence, the use of "Heaven" prompted an official investigation by the FTC in the US.
- The Privacy and Electronic Communications Regulations (“PECR”): The European Data Protection Board, in its guidance, considers vehicles equipped with connectivity features that enable data sharing with other devices, like mobile applications, as “terminal equipment”, therefore falling within the ambit of PECR. This situation typically arises when, for example, a driver installs a telematic device or mobile application for the purpose of vehicle monitoring by the employer. In this case, while employers may not be able to rely on consent under UK GDPR as the lawful basis for processing, PECR may still require consent of employees for employers to access and collect data of whatever nature about the vehicle. Employers must also provide an opt-out option, allowing employees to withdraw consent at any time without negative consequences.
When implementing employee vehicle monitoring, or any form of employee monitoring, it is common to encounter certain risks to the privacy rights of the employees and even third parties, along with the potential to violate certain data protection principles under the UK GDPR. It is, therefore, important to carry out DPIAs to address these potential risks and apply suitable mitigation. Any less intrusive methods that could achieve the same objectives should always be considered and utilised unless there are justifiable reasons not to, taking into consideration the rights of the employee. If you have any queries relating to employee monitoring, feel free to get in touch with us.