Research commissioned by the ICO reveals that almost one in five (19%) people believe that they have been monitored by their employer. Over two thirds (70%) of people said they would find workplace monitoring intrusive and fewer than one in five (19%) people would feel comfortable taking a new job if they knew that their employer would be monitoring them.
With the rise of remote working and developments in the technology available, many employers are looking to carry out checks on their workers.
However, while data protection law does not prohibit monitoring, any monitoring must be carried out in compliance with the data protection laws that apply. If monitoring is excessive and undermines employee privacy, it may contravene data protection law. This could then stand in the way of an employer looking to rely on data obtained from monitoring, for example, for disciplinary purposes, and could lead to regulatory action in the event of a complaint.
Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using software to monitor productivity. It includes the use of biometric data for building access controls and to monitor timekeeping and attendance.
The ICO highlights that the rise in remote and home working has led to an increase in the monitoring of workers. The ICO points out that workers’ expectations of privacy when working at home are likely to be higher than in the workplace, and that the risk of capturing information about family and private life is higher, as it can be inadvertently captured as part of what might otherwise be legitimate monitoring.
In October 2023, the ICO published revised guidance for employers on monitoring workers lawfully. This was long overdue as the previous guidance was issued pre-GDPR / pre-Covid.
Key takeaways from the new guidance are as follows:
Lawful basis
To monitor workers, you must identify a “lawful basis” under GDPR. “Consent” is unlikely to be appropriate in the context of the employment relationship. The “legitimate interests” basis is the one that is likely to apply in most circumstances. When considering this ground, you must balance your legitimate interests and the necessity of the monitoring against the interests, rights and freedoms of workers. You can do this by carrying out, and documenting, a “legitimate interests assessment” (LIA). An LIA can be done in conjunction with a DPIA (see further below).
If you rely on legitimate interests, then workers will have a right to object to the monitoring on this ground. This isn’t an absolute right and you can resist the objection if you can demonstrate compelling legitimate interests for the processing, which override the interests, rights and freedoms of the worker or if the processing is for the establishment, exercise or defence of legal claims.
Special category data
The ICO points out that monitoring can involve capturing “special category data”, such as a worker’s political opinions, religious or philosophical beliefs, or information about a worker’s health, sex life or sexual orientation. Even if not intended, this can happen incidentally in the course of the monitoring.
Also, if you use biometric data for identification, such as for access control, it is classed as special category data.
In such a case, as well as having a lawful basis, you must identify a special category processing condition. This can be more problematic. Again, obtaining the worker’s “explicit consent” to the monitoring is unlikely to be appropriate in most cases.
A special category condition may apply if you are monitoring to ensure the health and safety of workers for compliance with a legal obligation. Otherwise, you may have to comply with one of the “substantial public interest” conditions set out in Schedule 1 of the Data Protection Act; for example, if you use CCTV to detect and prevent crime and incidentally capture special category data, you could rely on the public interest condition of “preventing or detecting unlawful acts”. If relying on a substantial public interest condition, you will also have to have in place an “appropriate policy document”.
Fairness
Fairness is a key data protection principle. It means you should only monitor workers in ways they would reasonably expect. For example, CCTV in staff changing rooms – designed to prevent theft – is unlikely to meet this requirement. However, CCTV positioned outside the changing room could be justified.
Transparency
Transparency is about being clear with workers about how and why you process their information. It is fundamentally linked to fairness. Apart from exceptional circumstances where covert monitoring is justified, you must inform workers about the monitoring. You must be clear about why you are monitoring and what you intend to do with the information you collect. This is normally set out in an employee data protection statement, staff handbook or in an acceptable usage / communications policy.
Data minimisation
Monitoring technology has the capability to gather more information than may be necessary to achieve your purpose. The ICO highlights that this risks “function creep”, where information is used for wider purposes than the original intention. So, the monitoring must be proportionate to the objectives. For example, there should be no need to monitor the content of a communication if monitoring the traffic / log file will be sufficient for your purpose. Similarly, you must not collect information, or hold on to it for longer than is necessary, just in case it might become useful in the future.
Data security
In the interests of data security and proportionality, access to the information gathered from monitoring should be restricted to those who need it. You will need to identify the most appropriate person or people to access the information you collect (for example, the HR team) and train them in how to handle the information in compliance with data protection law.
Using third party processors
If you outsource your monitoring activities to a third party data processor, for example, using technology such as software as a service (SaaS) under which the service provider handles the data, then as the controller you must have in place a data processing contract with the third party as required by GDPR.
Data protection impact assessment (DPIA)
Under GDPR, you must carry out a DPIA before undertaking any processing likely to cause a high risk to workers’ and other people’s interests. This is particularly the case when using new technologies. The ICO gives examples of high-risk processing which include processing biometric data, keystroke monitoring, or monitoring that may result in financial loss (such as performance management). Even if you are not strictly required to carry out a DPIA, it is regarded as good practice to do so.
The ICO also advises that, as part of your DPIA, you should seek and document the views of your workers before introducing monitoring, unless there is a good reason not to. They say this can potentially avoid complaints from workers at a later stage, and allows you to consider potential issues before they arise. This is a new recommendation, and likely one which most employers will not previously have followed.
Data subject access
Remember, you may have to make the personal information you collect through monitoring available to workers if they make a data subject access request (DSAR), unless an exemption applies.
Practical next steps
In the light of the ICO’s new guidance, it is timely to review your practices and policies on employee monitoring. This may involve adjusting the scope of the monitoring to ensure it is proportionate to the objective; reviewing and updating (or, if you do not already have them, preparing and documenting) your legitimate interests assessment (LIA) and data protection impact assessment (DPIA); and reviewing your employee privacy notices, communications and related policies to ensure full transparency about the monitoring is provided.
Nigel Miller is a founding partner of Fox Williams and leads the firm’s technology and data protection group.