ICO Consultation: Employee Monitoring

What happened

• The UK Information Commissioner’s Office (ICO) launched a public consultation on its new draft guidance this month, concerning employers’ obligations when monitoring staff in the workplace.
• The guidance aims to assist employers in complying with the UK GDPR when monitoring their workforces, as well as other relevant legislation such as the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000. It covers both systematic and occasional monitoring and adopts a practical approach, including a number of compliance checklists.
• The guidance stresses that the GDPR does not expressly prohibit employers from monitoring their staff, instead, it sets out the specific requirements that must be met to ensure that monitoring activities are conducted lawfully.
• The ICO offers the following advice about the core principles of employee monitoring:
• It will usually be intrusive to monitor workers.
• Workers have legitimate expectations that they can keep their personal lives private, and they are entitled to a degree of privacy in the work environment.
• If employers wish to monitor their workers, they should be clear about the purpose and satisfied that the monitoring arrangement is justified by real benefits that will be delivered.
• Workers should be aware of the nature, extent and reasons for any monitoring, unless, in exceptional cases, covert monitoring is justified.
• In any event, workers’ awareness will influence their expectations.
• The guidance emphasises that employee expectations of privacy are likely to be significantly greater when working at home as opposed to in the workplace.
• The guidance goes on to address the following key considerations:
  • Identifying an appropriate legal basis for processing personal data (including special category data).
  • Fairness, transparency, and accountability requirements, such as the need for a corporate policy outlining the nature and scope of any monitoring, the provision of privacy information, and the completion of a DPIA.
  • Requirements for using tools that involve automated decision making, like absence monitoring tools, which have legal or other similarly significant effects on employees.
  • Use of biometric data to monitor and control workers’ access to buildings and systems.
  • Specific, scenario-based data protection considerations by type of monitoring e.g. through telephone calls, emails and messages, as well as through work vehicles and device activity.

Why it matters

• The new guidance, when finalised, will replace the ICO’s guidance on monitoring contained in its Employment Practices Data Protection Code of 2011. The proposed changes reflect the UK GDPR and Data Protection Act 2018, as well as adjustments to working procedures and ten years’ worth of technological advancements.
• Over the last decade, the world of work has changed considerably, with a significant transition from office working to home working occurring as a result of the pandemic.
• Employers increased their usage of monitoring software as a result, with demand rising globally by 108% in April 2020 and a further 70% in May 2020.
• In 2022, as more staff than ever before continue to work remotely and flexible working models look set to stay, employers are using increasingly sophisticated and innovative tools to monitor and track their workforces.
• Employers are unlikely to be able to defend invasive monitoring if less intrusive monitoring would allow them to achieve their goals, according to the guidance’s core principles, which emphasise the significance of implementing a balanced and appropriate approach to employee monitoring.
• “If excessive, monitoring has an adverse impact on the data protection rights and freedoms of workers. Excessive monitoring is likely to intrude into workers’ private lives and undermine their privacy,” the guidelines say, as well as cautioning that, “just because a type of monitoring is available, does not mean it is the best option to meet your objectives”.
• The consultation on the draft guidance will remain open until 5pm on 11^th January 2023.
• The ICO invites views on whether the guidance is clear, whether it covers the relevant issues and whether it should provide further examples or cover additional scenarios.