The Information Commissioner’s Office (ICO) has this month published its guidance: ‘Employment practices and data protection’ on lawfully monitoring workers. The guidance will assist employers to conduct monitoring lawfully, in compliance with the UK General Data Protection (GDPR).
Monitoring can take many forms and most employers conduct some form of monitoring of employees (e.g. CCTV). Other examples include tracking calls, messages and keystrokes, taking screenshots of webcam footage, vehicle tracking or key card data.
Given the risk of fines and reputational damage if an organisation is found to be in breach of GDPR, the new guidance should be essential reading for employers.
Following the pandemic we have experienced a distinct rise in ‘working from home’, with remote and hybrid working becoming commonplace amongst office based workers. With more work being carried out away from the office, employers are tasked with finding alternative ways to monitor the performance of remote employees. Technological developments and the wider availability of devices such as vehicle trackers and dashboard cameras mean that employers have at their disposal far more methods of monitoring employees.
Employers must consider the balance between monitoring their workforce and respecting the privacy of employees. This is just the starting point for compliance with UK GDPR.
The ICO outlines the steps that employers should take if they are looking to monitor workers, these include:
- Ensuring workers are aware of the nature, extent and reasoning for monitoring
- Having a clearly defined purpose for monitoring and implementing the least intrusive means of monitoring to achieve these aims
- Only keeping that data which may be important to this purpose
- Ensuring a lawful basis for processing workers data, this could be consent or legal obligation
- Informing workers clearly about any monitoring in an accessible way
- Carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to workers’ rights
- Ensuring that the personal information collected through monitoring is available to workers if they wish to make a data access request.
Alongside the launch of the ICO’s guidance, the Deputy Commissioner- Regulatory Policy at the ICO (Emily Keaney) stated that whilst UK GDPR does not prohibit monitoring, the position of the guidance is clear in that monitoring must “necessary, proportionate and respect the rights of workers.”
Employers should take note of the guidance and should be aware of the various enforcement powers available to the ICO in respect of a breach of data protection legislation. These powers include the ability to issue substantial fines if organisations neglect to comply with UK GDPR. The ICO has stated that it will take action against employers if people’s privacy is being threatened by monitoring measures.
The ICO urges employers to consider where monitoring may become excessive, reporting that over two thirds of people (70%) surveyed felt that monitoring in the workplace would be intrusive. The research further reports that one in five people (19%) felt that they had been monitored by an employer at some time, and that less than one in five people (19%) would feel comfortable taking a new job where they knew that they would be monitored by an employer. Meaning that monitoring is a recruitment and retention issue as well as a legal one.
Overall the ICO guidance emphasises that to be compliant, employers should ensure that they have a legitimate purpose for monitoring workers and should consider implementing measures that present a low risk to the privacy of workers.