Framework agreements as an overarching company rule

The use of information and communication technologies in Austrian enterprises is to be regulated by means of company agreements between the management and employees (§ 96a of the Austrian Labour Constitution Act (Arbeitsverfassungsgesetz). Negotiating a framework agreement for the use of personal data can facilitate the work of works councils and staff representatives. Such a framework agreement defines a set of general rules regarding the processing of personal data and the works council's rights of participation. Specific amendments relating to different information and communication technologies can be agreed on later to regulate the use and analysis of and access to particular data. Practical working examples include amendments dealing with payroll accounting, electronic systems for recording working time or access to company premises, the telephone, e-mail and the Internet, as well as the use of digital video surveillance. Separating the framework agreement and various amendments contributes to improving transparency in the use of personal data within the enterprise.

SAP R/3 and SAP ERP

The enterprise resource planning software SAP is on everyone's lips these days. Developed by the company of the same name, SAP refers to a software application designed to cover all major enterprise functions. In addition to solutions for human resources, financials and logistics, SAP can be adapted to any additional sector-specific requirements.

One of the main advantages of SAP is its central database, which facilitates access to and exchange of information between the various business functions. The wide range of applications offered by the system often makes it difficult for works councils and staff representatives to get a comprehensive overview of the range of personal data used by the system. One of the major challenges in drawing up works agreements is to clearly identify all personal data used and to agree on their use within the enterprise. In this context, it can be helpful to group data according to their relevance in terms of data-protection legislation.

These categories can then be used to decide on various levels of participation granted to works councils and staff representatives and to compile company guidelines for SAP users in their daily work. FORBA has 15 years of experience in advising and supporting representative bodies in regulating SAP use.

From CIM to MES: a new catchphrase in automated production

Manufacturing Execution Systems (MES) are advancing the IT-based integration of production-relevant tasks and machinery.

In the 1980s, CIM (Computer Integrated Manufacturing) promised the advent of IT use in manufacturing. On the shopfloor, though, the concept often failed as the necessary integration of areas of application and machinery was lacking. Today, Manufacturing Executive Systems (MES) control all relevant processes, including an almost real-time analysis of production processes. This involves the recording of detailed identifiable staff data (start and end of assignments, piece and reject rate, use of resources), which requires particular attention from a data-protection angle because it allows for a monitoring level that far exceeds necessary requirements.

If possible, companies should thus aim to:

  • keep identifiable personal data to a minimum,
  • integrate identifiable personal data into larger units as early as possible
  • minimise storage times of identifiable personal data, and
  • restrict the distribution (transfer, supply) of personal data as long as it includes detailed identifiable information

Web 2.0 and new Human Resources activities

The growing convergence of information systems at enterprise level has enabled companies to reorganise some Human Resource activities, by, for instance, 'outsourcing' certain HR tasks to their employees – similar to 'telebanking'.

Via the Inter- or Intranet, staff log on to so-called 'portals', which offer them direct access to a host of information and services. The responsibility for tasks such as, for instance, amending personal data is transferred to the workers themselves. In addition, information systems like these allow employees to directly influence enterprise processes. Thus, they can process e.g. requests for holidays or training measures as well as manager evaluations, staff surveys or preparatory work for staff appraisals, and thus initiate or support enterprise functions.

Such changes in work organisation raise new data protection issues that require the involvement of works councils. Whether (and which) new regulations are required in this context is a question that should be settled by management and works council in advance.

Video surveillance

Works councils and staff representatives frequently associate information and communication technologies (ICT) with the monitoring of staff. An area where this may well be the case is the surveillance of company premises by means of video cameras. Hardly a new issue, this matter has been given an added dimension by recent technological advances. A new generation of (digital) cameras, e.g. webcams, no longer record movement in analogous form but as a sequence of digital images (often several dozens of pictures/minute), with each image recorded as a separate data file. Thus, a company's computers and servers often store a vast number of electronic images, which may, for instance, show persons (incidentally) entering an area under surveillance. Usually, these people are completely unaware of the fact that their presence has been registered and electronically stored. While, in the past, movement in sensitive areas, such as cash desks or entrances, was recorded on video tape and viewed if so required (i.e. the tape was played), digital technology has radically altered the way video surveillance works. Digital images, or data files, are much easier to analyse, to view from external terminals (via networks such as the Internet) and thus to distribute to a much wider group of people. Works councils and staff representatives are faced with the dilemma of wanting to reconcile employers' demands for enhanced security with employees' fears of having their privacy violated. On the request of several works councils, FORBA has tried to compile all aspects surrounding the issue of digital video surveillance in a works agreement. This agreement is available from FORBA.

Data Warehouse

Enterprises increasingly employ Data Warehouse solutions in order to be able to access and analyse strategically significant data from various applications. As these can include personal data of employees, such systems also need to be scrutinised from a data-protection and data-security perspective. All areas of an enterprise, including HR, production, finance, sales or marketing, generate a multitude of data, which is collected, stored and analysed in various applications. With the help of Data Warehousing, data from different applications can be integrated and structured according to logical, self-contained aspects (e.g. development of sales figures, change in customer structure, analyses of productivity). This allows for an evaluation of strategically important information (including trans-national and trans-company information in multinational corporations). In assessing such systems, works councils and staff representatives need to question what kinds of personal data are being collected by these systems and how these data are analysed. Thus, for instance, many systems provide for technical solutions ensuring that information which only relates to smaller groups (3-5 people) and thus might be easy to trace to individuals, does not appear in analyses.

Voice over IP

Making phone calls over the Internet is enjoying growing popularity. Voice over IP (VoIP) has been made possible by the global availability of the Internet and the ever faster transmission of increasingly large data packets. The high-quality transmission of voice conversions was thus only a question of time. Whereas individuals mainly use services like Skype to make cheap phone calls, at enterprise level, VoIP does not only represent a cost-efficient means of transmitting conversations but offers a vast array of additional applications. Merging, as it were, the functions of computer and telephone, VoIP enhances workplace functionality. As not only voice data but also images and other information can be transmitted at the same time, users can now carry out previously isolated tasks simultaneously. Examples include video conferences, the exchange of text messages (e.g. chat) or the joint use of documents. This can both lead to work intensification and change the content of what we do at work. What is more, all transactions can be logged and monitored. FORBA offers works councils and staff representatives support in the analysis of the impact of the use of VoIP and in formulating works agreements to protect employees.

The use of biometric data in the enterprise

Biometric data, such as finger prints or iris scans, can be used to reliably identify individuals. They are used by high-tech access control systems which measure and process biometric patterns. Systems like these are increasingly employed to safeguard company data from unauthorised access. As these control systems combine the storage of physical traits with the processing of personal data, they require the involvement of works councils. The fact that such data can be used to excessively monitor employees and thus potentially violate human dignity was only recently confirmed by an Austrian Supreme Court ruling: If a form of 'monitoring is carried out with unwarranted intensity exceeding the degree typical of and appropriate for the respective employment relationship', works councils can refuse this form of monitoring. FORBA offers works councils and staff representatives support in the analysis of control systems and the drawing up of works agreements.