ICO publishes new guidance on employee monitoring
On 3 October 2023, the Information Commissioner's Office (the "ICO") published new guidance on employee monitoring. This aims to provide practical advice to ensure that employers comply with their obligations under the UK GDPR and Data Protection Act 2018.
This guidance comes as new research commissioned by the ICO reveals that almost one in five (19%) people believe that they have been monitored by an employer. Monitoring has become more prominent in recent years with the rise of work from home and improvements in monitoring technology. Regulatory obligations may also require the implementation of staff monitoring tools, for example in a financial services context (for further information on this, please refer to our article: Financial sector feels pressure to monitor use of WhatsApp).
The ICO's guidance emphasises that employers should respect their employees' rights to privacy outside of employment and that "workplace monitoring should not intrude into employees' private lives." If monitoring is carried out in the workplace, it should not be excessive, nor undermine employees' privacy. The guidance aims to provide greater certainty on how monitoring can be conducted fairly across all sectors.
Monitoring is broadly defined to include any tracking of employees' activities, including calls, messages, videos, screenshots or recordings, or any software that tracks activities such as keystrokes.
Emily Keaney, Deputy Commissioner for Regulatory Policy at the ICO said, "We want people to be aware of their rights under data protection law and empower them to both identify and challenge intrusive practices at work. We are urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented. While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights and freedoms of workers."
Key points in the new guidance include:
- Regardless of the technology being used, employers must comply with data protection requirements under the UK GDPR. Employers should also consider the legal implications of any other relevant laws.
- Monitoring of employees must be conducted in the least intrusive way to achieve clearly defined purposes of processing.
- Any monitoring of employees must be proportionate – "Just because a form of monitoring is available, does not mean it is the best way to achieve your aims." For example, dashcams should only be used to monitor employees if necessary. Any audio should have the capability to be switched off and should only be switched on in "exceptional circumstances." The guidance sets out further useful examples.
- The guidance encourages employers to seek and document the views of employees (or representatives) on proposed monitoring activities during the early planning stages. It is thought that this will help to build trust with employees, while also ensuring compliance with the transparency principle.
- Employers should be mindful of the "function creep" that may result from the use of monitoring technologies that have the capability to gather large amounts of information, extending beyond that necessary to achieve the purpose of processing.
- If a third party provider is used to carry out monitoring, employers should not assume that their services are compliant with data protection law – they must take steps to actively assess the service provider's compliance.
- The use of biometrics is touched upon, and UK companies should consider further security measures when collecting or storing biometric data. The ICO is currently consulting on new guidance for biometric recognition.
At the end of the guidance, the ICO has provided checklists to aid organisations with their data protection considerations. It advises organisations to use these whenever they are considering monitoring their staff.
The ICO has also made it clear that they will "take action if we believe people’s privacy is being threatened."