Under UK GDPR, employers introducing new data-collecting or automated technologies in the workplace, or other new data processing activities, need to consider whether to carry out a data protection impact assessment and, if they do, whether it is an appropriate step to seek the views of workers or their representatives on it.
Workplace AI and surveillance technology
Artificial Intelligence is increasingly being used in the workplace, for example to automate parts of shift allocation, task management, performance management and recruitment. Employee monitoring (which can take many forms including tracking individuals/devices, keystroke monitoring and facial recognition) also appears to be becoming more widespread - a recent report indicated that 60% of workers believe they have been subject to some form of surveillance and monitoring at their current or most recent job.
Prospect has recently published new guidance for union representatives on digital technology which notes that, "Data-collecting and automated technologies are transforming how we are managed and work."
What is a data protection impact assessment?
A data protection impact assessment (DPIA) is a process for assessing the impact of data processing activities. A DPIA will help you to identify privacy risks, and steps to minimise those risks, and evaluate whether your activities are justified under data protection law.
DPIAs will help you comply with UK GDPR. A DPIA will also help with compliance with the accountability principle, as it will document how you have assessed the risks and identified what steps need to be taken to ensure compliance.
When do we need to carry out a DPIA?
You don’t need to carry out a DPIA in respect of all data processing. However, a DPIA will be mandatory if the processing of personal data is likely to result in a high risk to individuals’ rights and freedoms (such as privacy). The ICO has published guidance and examples to help identify which processing operations are likely to be high risk. These include:
- The use of innovative technologies, or the novel application of existing technologies (including AI)
- Automated decision-making such as profiling which could lead to decisions about an individual’s access to a product, service, opportunity or benefit
- Systematic monitoring
- Large scale use of biometrics or profiling
Whenever you are undertaking a new project, consider whether you need to carry out a DPIA. If you decide not to do one, document your reasons. As you often won’t know if a project is high risk until you do an assessment, many organisations carry out a short pre-DPIA assessment to decide whether a full DPIA is necessary. Again, documenting this helps to demonstrate your approach to compliance.
Do we need to consult workers or their representatives on a DPIA?
UK GDPR says that you should seek the views of data subjects or their representatives on a DPIA ‘where appropriate’. The associated ICO guidance states that you should consult 'unless there is a good reason not to'. You should, therefore, consider in each case whether this is an appropriate step.
Employee consultation can often be a good way of assessing risk and of checking that your understanding of how your workforce may view the deployment of new technology is accurate. It can also help when conducting a legitimate interests assessment, where the legitimate interests of the controller need to be weighed against the impact on the rights and freedoms of the data subject.
If you consult, you should document the outcome of this. If your decision differs from the views expressed by consultees, document the reasons. If you decide that it is not appropriate to consult, keep a record of why you came to that decision.
Consultation in this context means seeking and documenting the views of workers or their representatives – there is no obligation to try to reach agreement. However, simply seeking the consent of individuals to processing does not amount to consultation.
If your DPIA indicates that processing would result in a high risk, and it is not possible to mitigate that risk, you must consult with the Information Commissioner before you start the processing.
Increased focus on DPIAs
The Prospect guidance highlights the obligation on employers to consider whether they need to carry out a DPIA and engage with the workforce when introducing new technologies. The guidance also advocates including provisions around technology in collective agreements, alongside pay and conditions.
In addition, the TUC is calling for greater regulation of workplace technological surveillance, in particular a statutory duty to consult trade unions before introducing artificial intelligence and automated decision-making systems, and a right to a human review of high-risk decisions made by technology.
All this means that going forward there is likely to be an increased awareness of an employer's data protection and consultation obligations when introducing new workplace AI and surveillance.
Employers may face pressure from unions and workers to consult with them on DPIAs concerning proposed new digital technologies, or face objections to new systems which are introduced without any dialogue. There is also the possibility of facing an ICO complaint if potentially invasive technology is rolled out without some form of engagement with the workforce.
More information
If you would like to discuss anything raised in this blog, please contact Martin Sloan (IP, Technology and Data) or a member of the employment and immigration team.
Users of Workbox by Brodies, our award-winning HR and employment law site, will find useful FAQs and guidance at Data Protection: Impact Assessments.