ICO guidance on workplace monitoring: key points for employers
Introduction
With the rise of remote working and increasingly sophisticated tracking technologies, the ICO's recently published guidance on the monitoring of employees provides some timely steers for employers in what can be a sensitive area.
The ICO defines "monitoring employees" as any form of monitoring of people who carry out work on an organisation's behalf. References in this article to employees therefore include not only workers but also any other person who performs work for an organisation, regardless of the nature of the contract. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity.
The Guidance is helpfully structured in a Q&A format, within four sections broadly summarised as:
- Key data protection principles,
- Automated processing,
- Considerations arising from specific monitoring scenarios, and
- Using biometric data.
It is also worth noting that the guidance distinguishes between what employers must do (ie where there is a specific legislative requirement); what they should do (stopping short of a direct legal requirement but where the ICO expects employers to do something unless there is a good reason not to); and what they could do (where options or examples are provided for employers to consider to help them comply effectively).
We draw out some of the specific elements of the Guidance below.
Section 1: Data protection principles
In very headline terms, as the ICO notes, data protection law does not prevent monitoring, but it does provide a framework to ensure that it is conducted lawfully and fairly, and with sufficient transparency for the individuals concerned. The latter point is particularly important given that individuals' expectations of a certain degree of personal privacy (most obviously when working at home) may not always align with employers looking to use monitoring technology as an attendance or productivity / accountability tool, or to ensure that workplace devices and systems are only being used for work purposes.
Employers have to balance their business interests with employees' rights and freedoms, and ensure that they identify (and can demonstrate) a lawful basis for processing personal data in this context. Employers must make sure that staff are aware of how and what personal data is collected during any monitoring (eg via the relevant privacy notice or internal policy). The guidance states that, if considering introducing new forms of monitoring, employers should seek and document the views of staff unless there is a good reason not to.
Employers remain responsible for ensuring fair and lawful monitoring when using third party technology or services: the monitoring provider acts on the employer's behalf, so compliance with data protection law and appropriate contractual provisions (ie a written contract that meets the UK GDPR requirements for controller-processor arrangements) are necessary. Employers must also be aware of the restrictions that apply to transferring personal information outside the UK, for example where monitoring data is hosted or analysed by a provider based overseas.
Section 2: Automated monitoring processes
As technological tools have become more sophisticated it is increasingly common that "people analytics" tools (eg monitoring attendance and performance) could constitute a form of solely automated decision-making or profiling (ie where there is no meaningful human involvement). The guidance notes that such tools can enhance organisational performance and demonstrate HR policy compliance, however: “Such tools have the capacity to process large amounts of workers’ information by monitoring in real time. This can be used to make predictions, inferences and decisions about workers on both an individual and a collective level.”
The UK GDPR restricts data controllers from carrying out solely automated decision-making that has legal or similarly significant effects on people. This would certainly include a decision as fundamental as, say, dismissing someone, but it would also include other significant workplace decisions, for example increasing or decreasing pay based on performance. Such decisions are only permitted in limited circumstances (where necessary for the employment contract, authorised by law, or based on the individual's explicit consent), and even then suitable safeguards must be in place.
Individuals will generally have the right not to be subject to such solely automated decision making or profiling and, where an exception applies, the right to obtain human intervention, to express their point of view and to contest the decision. Employers must ensure that they do not disadvantage workers who ask for human intervention in decision-making.
Section 3: Considerations for different methods of monitoring employees
This section will probably provide the most useful guidance for employers asking themselves if they can perform a particular type of monitoring, as it runs through some specific examples and considers the practical issues involved. This includes monitoring telephone calls, emails and messages, use of dashcam recordings, and wider issues of audio and video surveillance.
For the purposes of this summary we focus below on three of the most common instances that employers ask about: telephone calls, emails and messages, and device activity.
Can we monitor telephone calls?
The guidance says that monitoring or recording call content is not usually proportionate. However, business calls can be monitored if needed for evidence of transactions, training, or quality control. It is essential to inform employees about call monitoring in privacy policies and other relevant internal documents like employment handbooks, codes of conduct and guidance, to enable employees to understand the purpose and extent of such monitoring. Personal calls should not be routinely monitored. When monitoring calls, individuals who call or receive calls from the organisation must be informed about call recording and the reason.
Can we monitor emails and messages?
Employers may consider monitoring emails and messages for purposes such as protecting corporate information, data security and identifying suspicious activity. The purpose for doing so should be clear, necessary, and proportionate. Employees must be informed of this purpose. The ICO considers that a Data Protection Impact Assessment (DPIA) is essential here as monitoring messages poses a high risk to employees' data protection rights and may involve the processing of special category data (eg health information).
Practical considerations for employers:
- Are there less intrusive means to achieve your ends (eg monitoring network-level traffic data such as sender, recipient, time and volume, rather than the content of messages)?
- Are there any lines of communication that you will not monitor (eg emails from workers to trade union representatives)?
- Does your system enable employees to mark emails as personal or private?
Can we monitor device activity?
Device activity monitoring can include capturing workers' web browsing and use of applications. There is clearly an important distinction to be made between personal and work devices / systems, and organisations will adopt different approaches, eg to whether work devices are permitted for any personal use at all (and if so, on what terms) or, conversely, whether employees are expected to use personal devices for work (which obviously raises a number of other issues, including around data security). Where workers are using their own personal devices for work, the guidance states that employers should ensure they are not capturing workers' private use of their device; in practice this usually means confining any monitoring to the work applications or managed work profile on the device rather than the device as a whole.
More broadly, the guidance lays down a set of key principles and considerations that should be applied to any routine device monitoring, including being clear about the purpose, considering whether any less intrusive means could be used to achieve the same aim, and informing staff about it (including, if applicable, how it is used for any decisions which affect them).
Section 4: Use of biometric data
Biometric data includes information such as fingerprints, facial geometry and voice patterns used for recognition. It is personal information that is unique to someone (ie relating to their physical, physiological or behavioural characteristics) and results from specific technical processing of those characteristics.
Use of biometric data in a workplace context may most commonly arise in systems where it is used for access control (ie iris or fingerprint scanning to govern access to a building, rather than an old-fashioned swipe card). Biometric data that is used to uniquely identify someone is special category data, which means the compliance obligations for collecting and storing such information are higher.
In the case of access controls, the Guidance states that employers should provide an alternative for those who do not want to use biometric systems, such as swipe cards or PINs. Workers who choose to use an alternative method should not suffer any disadvantage from doing so.
Biometric processing is considered inherently high risk and therefore employers should conduct a DPIA at the outset.
Conclusion
This guidance from the ICO is likely to be a key port of call for employers considering their data protection obligations in this area. With remote working becoming much more common and embedded in many sectors, it will clearly be an important area of ongoing focus for employers, staff and indeed the ICO itself.
With thanks to trainee Matthew Konadu-Yiadom for his work on this article.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2023