The draft guidance is aimed at all organisations, in both the public and private sectors, that have employees, workers, contractors or volunteers. The ICO makes it clear that employee monitoring is permitted under UK data protection law. However, it highlights that any decision to monitor workers should involve "a careful balancing between the business interests of an employer and the workforce's rights and freedoms in relation to their personal data."
Working practices have changed greatly in recent years with the emergence of new technologies, altered employment relationships, new data protection laws and the pandemic acting as a catalyst for working from home on an unprecedented scale. According to the ICO impact scoping document, a 2020 survey commissioned by YouGov suggests that 12% of all firms (16% of larger firms) that have employees working remotely have implemented online software to track employees and monitor productivity. It is perhaps unsurprising that with the shift to home working there is an increased interest in monitoring. Against this backdrop, the draft guidance recognises that workers' expectations of privacy are likely to be significantly greater at home than in the workplace and the risks of capturing family and private life information are higher.
The draft guidance covers the following key areas:
Lawfully monitoring workers
The guidance goes into detail on how employers can lawfully monitor their workers. It sets out the six lawful bases for collecting and processing information when monitoring workers - consent, contract, legal obligation, vital interests, public task and legitimate interests. The guidance gives advice on how to identify the relevant lawful basis and gives examples of when the basis may apply.
Legitimate interests is considered the most flexible lawful basis for monitoring and the draft guidance makes it clear that the employer's legitimate interests and the necessity of the monitoring must be balanced against the interests, rights and freedoms of workers, considering the particular circumstances. Whilst legitimate interests is still recognised as a potential lawful basis for monitoring, save for most activities of employers in the public sector, the guidance makes it clear that this should not be relied upon if the employer is monitoring in ways workers do not understand and would not necessarily expect, or if it is likely some workers would object to the monitoring if it was explained to them.
Automated processes in monitoring tools
The draft guidance acknowledges that monitoring tools have become increasingly sophisticated with automated processes (sometimes known as "people analytics"). Such tools are often used for data security purposes, managing performance and monitoring absence. The guidance provides details of how the UK GDPR must be complied with when making solely automated decisions that have a legal or similarly significant effect. This type of decision making can only be carried out if the decision is:
- necessary for the entry into or performance of a contract;
- authorised by law and automated decision making is the most appropriate way to achieve your purpose; or
- based on the individual's explicit consent.
Workers must be informed if the employer is processing their data in this way.
Specific data protection considerations for different types of workplace monitoring
The draft guidance provides updated examples and useful guidance on various issues, from monitoring telephone calls to monitoring emails and messages (including chat functions on collaboration tools). The guidance highlights that the continuous video or audio monitoring of workers is only likely to be justified in rare circumstances, and stresses the importance of carrying out a Data Privacy Impact Assessment before such monitoring is carried out. The draft guidance also considers monitoring time and attendance, sets out possible uses and reminds employers of the importance of clarity around the purpose of recording the information. For example, if an employer is collecting this information for the purpose of security it should not subsequently be used for a different purpose such as monitoring office attendance unless this is compatible with the original purpose.
Using biometric data for time and attendance control and monitoring
The guidance closes with directions on the use of biometric data by employers – for example, using fingerprints to access the workplace. The draft guidance recognises the increased use of biometric data to monitor and control workers' access to buildings and IT systems and outlines the importance of determining if using such data is both necessary and proportionate.
The guidance provides a number of useful checklists.
Transparency, fairness and accountability are core themes throughout the draft guidance. It is of paramount importance that employers take the opportunity to consider what workplace monitoring is taking place and whether it falls within the legal parameters. Although the guidance is subject to consultation until 11 January 2023, data protection law in the UK already curtails the extent to which an employer can monitor its workforce. Employers should ensure:
- they are aware of what monitoring is taking place across the workforce and how the data is subsequently processed;
- the lawful basis for collecting and processing information when monitoring the workforce is identified;
- policies and procedures are up to date (for example – data protection, computer use and employee monitoring policies); and
- staff are appropriately trained on what is and what is not acceptable monitoring.
Should you have any queries arising from the above update please do not hesitate to get in touch with JP Buckley, Leanne Francis or your usual DWF contact.
Authors: Charlotte Lloyd-Jones and Sam Morrow