Is the Geolocation of Employees Lawful?

Geolocation is the identification of the geographic location of an object (like a computer) or a person (like an employee). It is obviously very useful to know where something is. Knowing that John is on the 15th floor in boardroom A when you urgently need to speak to him is very useful. There aren’t usually privacy concerns when you identify the location of an object, but what about the location of a person (like an employee)? Is it lawful to geolocate your employees? Are employees exposed to risks if some people can track their movements? What if you can track a person by tracking an object that they always have with them (like a phone)?

Who uses Geolocation Data?

Many people use it, but for different reasons. Organisations may use this data to locate their assets or employees. Marketing agencies can also use this data for marketing purposes. Even farmers can use it for tracking their livestock.

Geographic location relies on gathering data from many different sources. GPS coordinates and cell phone tower signals are very useful and are some of the most widely used methods to successfully track an object or a person. When GPS coordinates are not available, users depend on cell phone tower signals to triangulate an object or person’s position. Internet Protocol (IP) addresses are also quite useful because geolocation pairs this address with a geographical location.

Is Geolocation of Employees Lawful?

The short answer to this question is: Yes, but it depends on a few factors. What factors does lawfulness depend on, you ask?

Privacy and data protection law is the most relevant. In South Africa, the Protection of Personal Information Act (or POPI Act) is the law that applies to this question. In Europe, it is the General Data Protection Regulation (GDPR) – which is very similar to POPI. In the US, the government is in a process of passing two new laws that relate to geolocation. One is the Geolocation Privacy and Surveillance Act and the other is the Online Communications and Geolocation Protection Act. Both the GDPR and POPI include location information in the definition of personal information or data, so data protection law does have an impact on geolocation.

They set the requirements for processing lawfully so that data subjects can be safe from harm. Processing includes the collection, use, and storage of geolocation data. The requirements for lawful processing include ensuring that the personal information is:

• complete and accurate,
• that the data subject knows why it is being processed, and
• that there’s a good reason for the processing (for example the data subject consented, it is the responsible party’s duty to process, or it is to the benefit of the data subject).

The list of factors to consider does not end here. Data protection laws require you to ensure that the security of the information is adequate for the level of risk it is exposed to. POPI, of course, also requires you to ensure that the security is reasonable, not just appropriate.

Questions you need to ask yourself

If all data subjects need to know why their personal information is being processed, your employees clearly enjoy the same rights under data protection law. You need to let them know that you are processing their location information and also give them the reasons behind the processing. So what are your reasons? Do you want to use geolocation, for example, to track the movements of employees who work away from the office, to ensure that they’re where they need to be? Do you want it to track the time of your office employees to ensure that they’re present at work and logging onto the system at the right times?

But what are some of the other important questions you need to ask:

• Do you get your employees’ consent to process their location information?
• Do you have adequate security measures (such as workplace policies and systems) in place that protect all the location information you process?
• Do you have a privacy policy, geolocation policy, or even an incidence response policy, for example?
• Do you understand which laws you have to comply with – POPI or the GDPR, for example?
• Do you only process the location information for good reasons?
• Do you have measures in place for safely removing the information from your systems?
• Do you have controls in place to prevent others using the data for other purposes?

By asking yourself these questions, you are a few steps closer to lawfully processing your employees’ personal information. You reduce the risk of your organization suffering reputational damage, and possibly having to deal with lawsuits from angry employees who suffered harm, because of your non-compliance with data protection law.

Can you use Geolocation Data as Evidence?

In South Africa, the answer is: Yes, you can use location information as evidence in court proceedings or at disciplinary hearings, but it depends on various factors. The provisions, for example, of the Electronic Communications and Transactions Act (ECT Act), POPI and the Constitution of the Republic of South Africa apply and are important. The ECT Act gives you even more power to use location information as electronic evidence by stating that it cannot be disregarded just because it is in electronic form. The accuracy of the location information is a key factor. If you are going to use location information as evidence against your employee at a disciplinary hearing, make sure that it is accurate. You don’t want your employee to challenge its accuracy in court and win.

Other factors to consider in using location information as evidence, include whether or not you obtained the information in violation of data protection law or, ultimately, the right to privacy in the constitution.

Actions you can take

• Find out more about the law related to geolocation by attending a workshop of ours.
• Use geolocation lawfully in your workplace by getting our advice.
• Manage your geolocation activities with a legally compliant geolocation policy by asking us to draft one for you.
• Get an answer to a specific question that you have by getting a written opinion from us.
• Comply with labour laws by getting our advice.
• Have an employee privacy policy that covers all you processing activities (including geolocation) by instructing us to draft, amend or review it for you.
• Be ready for data breaches by having a legally compliant incidence response policy.