The Information Commissioners Office (ICO) has launched a call for views on data protection and employment practices to help shape a new user-friendly resource to replace the ICO’s existing guidance on the topic. This will be “employer focused”. The update stems from concerns regarding digital surveillance of employees, particularly remote monitoring of employees working from home, and lack of guidance on this area.
The current employment practices guidance was published in 2011 and it, along with subsequent supplementary guidance, remains a key reference for employers in understanding their data protection obligations.
It now needs updating. Assisted by the views of those interested, the ICO hopes that the amendments will address the changes in data protection law, reflect the changes in the way that employers use technology and interact with staff, and meets the needs of the organisations who use its guidance.
The ICO intends to base its new guidance on the feedback obtained from people’s contributions which includes any interested parties (employers, recruiters, volunteers, employees, employment dispute bodies, trade union representatives etc.). There has been huge encouragement to provide views and commentary in the hope that this will assist the ICO in understanding the needs of all those affected by employee data protection matters.
The new user-friendly resource will help to collate all the changes that have occurred since the publication of the 2011 guide to produce an up to date and comprehensive guide. The key developments include:
- Introduction of GDPR in 2018, which made extensive changes to data protection in the UK and also imposed obligations for better data management and a regime of fines for those who breach GDPR. Employers must ensure that they comply with GDPR rules when storing or processing employee data (includes workers, former employees / workers, consultants and candidates). Breaching the rules could amount to a fine up to 4% of turnover or €20 million;
- Introduction of the Data Protection Act 2018 – this is the UK’s introduction of GDPR, everyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is used fairly, lawfully and transparently;
- The ICO has asked those who contribute to the resource to outline any other developments / concerns which have had an impact on employment data protection, these include:
- The role of COVID and how to manage events like this going forward (the role of disclosing information for track and trace, hybrid working, holding information on whether an employee is vaccinated or not, surveillance and the use of thermal cameras, asking individuals if they have COVID symptoms etc.);
- The role of digital surveillance in the workplace; while the use of employee monitoring tools was already ramping up before COVID, a 2019 Accenture survey found that 62% of their enterprises were “using new technologies to collect data on their people and their work to gain more actionable insights”; the move to remote working has facilitated a dramatic increase in their use;
- The role of Brexit in relation to exporting personal data to the EU and further afield; and
- Giving employees a say on how they would like their data to be handled in the workplace to create a more transparent date protection process.
The new resource is set to be divided into specific topics such as recruitment and selection, employment records, monitoring of workers and information about worker’s health. The consultation closed on 28 October 2021 with no date as of yet for the publication of the amended guidance.
We hope that the new guidance will bring together the existing employee code and guidance into one document and provide comprehensive direction on all of the tricky areas of employee data laws outlined above.