The Information Commissioner’s Office (ICO) is building a resource of topic-specific guidance documents on employment practices regarding data protection. These draft guidance documents will reflect different topic areas and are to be released in stages, with the resource building over time.
This article explains what the ICO’s most recent draft, the “monitoring at work” guidance, means for employers.
About the ICO’s monitoring at work guidance
The ICO has recently released a draft guidance document on “monitoring at work” and began a consultation on 12 October 2022, to last until 20 January 2023.
The draft document titled “Employment practices: monitoring at work draft guidance” provides advice on how employers seeking to monitor their employees at work can comply with the UK GDPR principles and how to identify a lawful basis.
What is monitoring?
Staff will generally expect that there will be some form of monitoring in the workplace, in that they will likely expect their employers will carry out checks on the quality and quantity of their work at some stage, whether this be for quality control or performance management.
The ICO guidance goes beyond this in its scope, as it also refers to monitoring staff to protect health and safety, to meet regulatory obligations (specifically in the financial services industry) and to form security measures.
Monitoring in the scope of the ICO guidance is not simply a manager’s supervision, but extends to any form of recording, logging or footage of staff, whether manually entered or automatically captured. The likely examples of such monitoring include:
- camera surveillance including wearable cameras for the purpose of health and safety;
- technologies for monitoring timekeeping or access control;
- keystroke monitoring to track, capture and log keyboard activity;
- productivity tools which log how workers spend their time; and
- tracking internet activity and keystrokes.
It is easy to see how, where this becomes excessive, the data protection rights and freedoms of staff could be adversely impacted.
How can employers ensure they are lawfully monitoring workers?
As is the case any time that an employer processes personal data, you must ensure that you have a lawful basis (consent, contract, legal obligation, vital interests, public task and/or legitimate interests).
As a matter of best practice, and to act in a UK GDPR-compliant manner, employers must ensure that they have a consistent purpose for the monitoring of data and that this purpose is transparent.
Once you have identified your lawful basis/bases, it is good practice to complete a data protection impact assessment (DPIA). Strictly speaking, DPIAs are only required where the processing of data is a high risk to employees, but it is good practice to complete one anyway.
This will help an employer establish their purpose clearly and also to consider anyone else captured by monitoring plans (such as customers or members of the public).
Where one of the lawful bases to process data is “legitimate interests”, it is also good practice to complete a legitimate interests assessment (LIA).
The benefit of this exercise is that it encourages employers to balance the necessity of any monitoring against the interests and rights of the data subjects, specifically by assessing how likely a worker would be to expect, or object to, being monitored or having their data used in this way.
This ensures the above “Purpose” and “Transparency” considerations are met.
UK GDPR principles
The UK GDPR principles must be considered in any potential monitoring activity. These are:
- Fairness and transparency: employers must ensure they only monitor workers in ways they would reasonably expect and without adverse impacts on their rights and freedoms.
- The key expectation to meet accountability is to ensure that appropriate policies, procedures and measures that demonstrate compliance with the UK GDPR are in place.
- Data minimisation: where a purpose is established, as described above, it is crucial that an employer does not collect more data than is needed for this purpose.
- From an employment perspective specifically, accuracy considerations are key.
- The general rule to abide by is that data must only be kept for the minimum length of time required to achieve the purpose for which it was captured. Once the data is no longer required for that purpose, it must be deleted.
- An employer must have the appropriate organisational and technical measures in place to protect any data collected through monitoring.
Data subject requests
You should always consider how your workers would be able to exercise their data subject rights in a request for copies of the data you have recorded.
There may be specific concerns or issues if the data is not stored in a way that makes personal data easily retrievable.
If a data subject objects to the processing outright, you may also have to balance the data subject’s rights against your legitimate interests for the processing.
As established above, the key considerations for UK GDPR compliance in any monitoring activity are a consistent purpose and transparent processing. We recommend that advice is sought prior to beginning any form of monitoring in the workplace.
Data protection advice
Our Data Protection team can support with bespoke advice about specific types of monitoring, and with the appropriate assessments and notices described above.
If you have any queries, please do not hesitate to contact us.