Following a call for views from stakeholders in 2021, the Information Commissioner's Office (ICO) has launched a consultation on its new guidance on monitoring at work. This was published on 12 October 2022 and updates the ICO's earlier guidance contained in the Employment Practices Code and Supplementary Guidance. The new guidance reflects:
- the increase in home and hybrid working (acknowledging that the expectation of privacy is likely to be higher when monitoring workers at home rather than in the workplace); and
- new methods of monitoring, including the use of biometric data.
This blog picks out five key takeaways from the new guidance, which is aimed at employers in the private, public and third sectors outside of law enforcement processing.
1. Carry out a data protection impact assessment
The concept of employee monitoring covers a wide range of checks – including monitoring emails, recording productivity (such as time spent on different programmes or keystroke monitoring), recording telephone calls, capturing images via CCTV, body-worn devices to track location, dashcams, and hidden audio recording.
Organisations should remember that the fact a technology is on the market or being promoted by a vendor does not mean it is lawful. It is the employer, as controller, that is responsible for ensuring any monitoring technology it deploys is compliant with data protection law. Organisations should therefore be wary about relying on claims made by vendors around data protection compliance.
A data protection impact assessment (DPIA) is mandatory if the monitoring involves the processing of personal data which is likely to result in a high risk to individuals’ rights and freedoms (taking into account the nature, scope, context and purposes of the processing). The new guidance states that it is 'good practice' to carry out a DPIA even if it is not mandatory.
The ICO's view is that if employers are planning to introduce monitoring, they should seek and document the views of workers or their representatives unless there is a good reason not to. Consultation can form part of the DPIA.
DPIAs are seen as one of the main ways controllers can demonstrate and justify why a particular processing decision was taken and document the approach taken to ensure compliance with data protection laws. Carrying out a DPIA requires employers to think critically about the basis for, and specific purpose of, the monitoring and is something which should be revisited to ensure there is no function creep over time.
2. Have a legal basis for processing personal data captured through monitoring
Employers must identify a lawful basis for monitoring workers.
There might be a specific legal obligation to conduct monitoring (for example transport sector employers monitoring drivers' driving time to ensure compliance with the laws on drivers' hours). Otherwise, the most likely legal basis for processing will be 'legitimate interests' (which might be to check productivity / attendance, for health and safety reasons or to allow access control, for example). While the guidance confirms that this is the most 'flexible' basis and that it can apply in a wide range of circumstances, it won't apply if the same result can be reasonably achieved in a less intrusive way.
If an organisation is relying on 'legitimate interests', then the specific legitimate interest should be identified (and specified in a privacy notice). In other words, what is the purpose of the monitoring? Why is it necessary? What interest is being protected? What benefits is it likely to deliver?
The organisation will also need to carry out a legitimate interests assessment to weigh its legitimate interests against the potential intrusion and impact on data subjects. We discuss this in more detail in the next section.
If monitoring captures special category data (for example, health information, information about racial or ethnic origin, biometric data used for the purposes of identification, such as fingerprints), then a special category processing condition must be identified as well as a lawful basis (e.g., 'processing is necessary in relation to the employer's employment law rights or obligations or those of the individual'). This is the case even if the special category data is captured inadvertently, for example if device monitoring captured emails about health conditions or to union representatives.
The legal bases for processing special category data are much narrower and mean that organisations cannot rely solely on legitimate interests. While explicit consent is one option, it is unlikely that consent from a worker will be freely given and valid unless they genuinely have a free choice as to whether to agree to the processing.
3. Balance the employer's interests v individuals' rights
The ICO recognises that employers may have legitimate reasons for invoking employee monitoring but is also clear that employers must ensure their interests don’t negatively impact on the workforce's rights and freedoms.
What are the privacy implications for workers? How intrusive is the planned monitoring? Is there a less intrusive way of achieving the aim? For example:
- To target productivity when working from home, employers could consider blocking websites for personal email, social media and entertainment sites, to minimise unacceptable usage, rather than actively monitoring for it.
- Following thefts from staff changing rooms, an employer could install cameras outside the changing rooms. This would act as a deterrent and narrow the scope of any investigation of further thefts – and is less intrusive than the alternative of installing CCTV in the changing rooms themselves, where workers would have a reasonable expectation of privacy.
4. Be transparent
The guidance highlights the fact that workers have the right to be informed about the collection and use of their information. Workers must understand what monitoring is happening and what data is being processed.
How this is done will depend on what kind of monitoring is taking place.
In the changing rooms example above, being transparent means putting up clear signs to draw individuals' attention to the fact CCTV is in operation. It would also mean ensuring that the worker privacy notice and relevant policies (e.g., Acceptable Use of IT policy, CCTV policy) had all the relevant information.
The privacy notice should contain details of the information that will be processed; the legal basis and purpose of the processing; access procedures, security and retention rules, etc., while the policy would give workers detailed information about how the monitoring will be carried out.
5. Consider particular issues in relation to new technologies
- Biometric processing includes using fingerprints and facial and voice recognition techniques. It is increasingly used in an employment context, for example to allow access to the workplace or to monitor attendance for payroll purposes.
- Biometric data used for the purposes of identification is special category data. As noted above, the legal bases for processing special category data are much narrower. Organisations must therefore identify what legal basis they are relying upon when using biometric data.
- The ICO's guidance says that explicit consent might be able to be relied on as the basis for processing biometric data only if workers are offered a 'real' choice (without suffering a detriment). For example, if workers don’t want to share their fingerprints for logging in and out of the workplace, they can use a pin code instead. If this is not an option, then organisations will need to identify another legal basis.
- The growth of videoconferencing platforms such as Microsoft Teams and Zoom to support homeworking has increased the focus on audio monitoring (the recording of face-to-face conversations).
- The guidance confirms the use of continuous audio recording is highly intrusive (and more intrusive than purely visual recording), and so requires a greater justification. It should be switched off by default and only used in exceptional circumstances.
Don’t forget your other controller duties
As well as carrying out a DPIA and updating privacy notices, it is important to remember to update any other policies and documents that might be impacted by new monitoring activity. For example, organisations should ensure that they record an agreed retention period for personal data collected through monitoring in their organisational retention policy and update their record of processing activities.
The consultation is open for responses until 11 January 2023.
Although the guidance is still in draft form, it is worth reviewing policies and privacy notices just now to identify any gaps which may have arisen because of changes in working practices or new technologies.
If you would like to discuss anything raised in this blog or the use of new monitoring technologies, please contact a member of the IP, Technology and Data or Employment and Immigration teams. Users of Workbox by Brodies, our award-winning HR and employment law site, will find useful FAQs and guidance at Data Protection: Employee Monitoring.