What's the issue?
The UK's Information Commissioner is in the process of revising its guidance for employers on data protection. As part of this, it published draft guidance on monitoring at work for consultation in January 2023. Employer monitoring rose up the agenda during Covid with the necessary rise in working from home, but while many of the technologies used to do it are new, monitoring workers is not.
What's the development?
On 3 October 2023, the ICO published its final guidance on worker monitoring to help employers comply with data protection law if they wish to monitor their workers. This is aimed at both public and private sector employers and sets out how to conduct monitoring fairly and lawfully. It also includes good practice recommendations to help build trust between employers and workers.
The guidance applies to any form of monitoring of people who carry out work on behalf of an employer, whether systematic or occasional. It does not apply to recording information in a personal or household context unless there is a professional or commercial activity (for example monitoring of a visiting worker to the household). Monitoring of someone working from home is covered, processing carried out for law enforcement purposes is not.
The first part of the guidance covers relevant aspects of UK data protection law with a clear outline of potential lawful bases for monitoring and the condition for processing special category data. Selecting a lawful basis for employer monitoring is (intentionally) tricky. Consent is problematic in an employer/worker relationship due to the imbalance of power, and legitimate interests requires the interests of the employer to be balanced against the rights and freedoms of the person being monitored. The guidance also discusses how to meet principles of fairness, accountability and transparency, accuracy, purpose limitation and security requirements, as well as worker rights, and it covers automated decision making.
Conducting a data protection impact assessment is seen as a vital path to compliant monitoring, even in the (relatively rare) cases where it is not strictly required by law.
The second part of the guidance is more specific to situations covering:
- remote monitoring, especially in the home
- using commercially available tools
- monitoring telephone calls, emails and messages
- using video or audio surveillance
- monitoring work vehicles and using dashcams
- being asked to monitor by a (business) customer
- monitoring device activity
- monitoring time and restricting access
- monitoring to prevent data loss or detect malicious traffic.
The guidance then goes on to consider the use of biometric data for time and attendance control and monitoring before finally providing a series of checklists to help employers work through their obligations.
What does this mean for you?
Unsurprisingly, the ICO highlights the importance of transparency and respect for privacy, underlining that any monitoring must be necessary, proportionate and respect the rights of workers.
The guidance provides a helpful summary of the key aspects of data protection law which employers need to take into consideration when considering worker monitoring but perhaps the most useful part of the guidance relates to specific considerations for different ways or methods of monitoring which make the data protection law less abstract and more related to real-world use cases. The checklists may also prove a useful starting point.
Interestingly, the section on using biometric data for time and attendance control and monitoring comes while the ICO's draft guidance on biometric data and data protection (part one of two on biometric data guidance) is still out for consultation. It's unlikely it will change significantly before it is published in final form, and, as most of the practical examples relate to using biometric data in an employment situation, employers considering monitoring workers should refer to this draft guidance as well as to the final worker monitoring guidance.
