17. Should employers notify their employees before commencing the above-mentioned work monitoring measures? How should employers manage the data collected?
  
Employers should inform their employees of any monitoring policy. It is good practice to prepare a comprehensive written privacy policy/employee monitoring policy and release it to the employees, preferably before any monitoring begins. As recommended by the PCO, such policy should explicitly refer to the following matters:
- the business purpose(s) that employee monitoring seeks to fulfill;
- the circumstances under which monitoring may take place and the manner in which monitoring may be conducted;
- the kinds of personal data that may be collected in the course of monitoring;
- the purpose(s) for which the personal data collected may be used.
An example of a privacy policy statement concerning e-mail monitoring is provided in Appendix I of the "Privacy Guidelines – Monitoring and Personal Data Privacy at Work" (which is published by the PCO).
Unless an employer has obtained the express consent of an employee (and the consent is given voluntarily), or unless there is an applicable exemption provided for under the law, an employee's personal data collected by monitoring measures can only be used for the purposes stated in the employee monitoring policy, or for a directly related purpose.
Personal data collected should not be kept any longer than is necessary for fulfilling the stipulated purpose. For example, recorded information contained on CCTV tapes should be routinely erased according to a pre-determined schedule. A longer retention period may be appropriate in special circumstances (e.g., where the recorded information is required for evidentiary purposes in legal or disciplinary proceedings).
Employers should also implement security and access control measures to safeguard the protection of the personal data collected. For example, CCTV tapes should be securely locked in a storage facility located in a controlled access area.
|