Employee monitoring has become common practice for many employers in the UK. Monitoring is often part of an organisation's security procedures to secure personal information or prevent loss of property, is often deployed for health and safety reasons, or companies may even have to monitor employees to comply with legal requirements (for example, in the financial services sector). Increasingly, employers are monitoring employee office attendance as many organisations are requiring their staff back into the office for all or part of the working week. Whatever the reason, it is important that any such monitoring is carried out in compliance with data protection law. This is why the ICO has released tailored guidance to clarify the do's and don'ts of monitoring of workers by employers, and how this interacts with data protection.

Who is affected by this guidance?

The ICO guidance relates to any form of monitoring of people who carry out work on an employer’s behalf. This will include monitoring workers on particular work premises or elsewhere (e.g. if working from home), and can also include monitoring carried out during or outside work hours. This guidance will also cover you if you employ a visiting worker to your household, such as a nanny or gardener, and monitor their activity routinely, or on an ongoing basis.

What sort of monitoring is covered?

This guidance broadly covers both systematic and occasional monitoring. Practical instances may include keystroke monitoring to track, capture and log keyboard activity; productivity tools which log how workers spend their time; tracking internet activity; body-worn devices to track the locations of workers; hidden audio recording; camera surveillance; webcams and screenshots; technologies for monitoring timekeeping or access control; and tracking use of company communication systems.

Key Takeaways

Some key tips for employers to note are as follows:

  • Is monitoring workers allowed? The ICO makes it clear that monitoring staff is allowed as long as it is done in accordance with data protection legislation. This means you must have a lawful basis to carry out the monitoring, must clearly communicate your monitoring practices and the monitoring must be proportionate.
  • You should only monitor workers in ways they would reasonably expect and not in ways that cause unjustified adverse effects on them, unless exceptional circumstances apply. For example, you should not monitor the content of communications on a worker's personal email account in the ordinary course of business.
  • If the monitoring activity is likely to capture special category data, even incidentally, you must identify a special category condition. This is particularly relevant for workplace investigations which involve imaging of a personal device.
  • How about covert monitoring? In most ordinary cases covert monitoring would not be justifiable under the UK GDPR. However, there are exceptional circumstances where it can be justifiably employed, for example where it is necessary to prevent or detect suspected criminal activity or gross misconduct, and a less intrusive means of preventing or detecting such activity is not available. The ICO has laid down stringent guidelines to be observed before covert monitoring should take place, of which the key ones are:
    • Covert monitoring should only be authorised by senior management.
    • In most circumstances you should not covertly capture personal, non-work, communications (e.g., personal emails or instant messages).
    • It must be infrequent monitoring that is targeted at fulfilling an objective within a limited time frame.
    • Limit information collected to only what is needed and disclosure to only a limited number of people involved in the investigation.
    • Only use the information you obtain for the relevant purpose, unless the monitoring reveals unrelated information no employer could reasonably be expected to ignore.
  • Unless there is a compelling reason not to, consult with employees before monitoring is undertaken.
  • If your monitoring activity captures special category data, even incidentally, the ICO expects you to identify a special category condition.
  • Define and record the purpose of your monitoring before doing so.
  • The ICO expects you to carry out a DPIA before any employee monitoring, even if it is not legally necessary under the GDPR.
  • Employees must be given clear and understandable information regarding monitoring. This would involve informing workers about the nature, extent and purpose of any monitoring.
  • You should also consider implementing monitoring policies and training to provide guidance to staff who are involved in the monitoring process so that they are aware of their responsibilities.
  • If your employees work from home, keep in mind that their privacy expectations are likely to be higher at home than in the office.

Comment

Much of the information in the ICO guidance is not new; however, employers may want to re-evaluate their processes in the light of this guidance when implementing new monitoring systems in the workplace. This is particularly relevant considering the recent trend among employers of monitoring employee attendance at the workplace to ensure compliance with hybrid working policies. For example, many employers may not have routinely consulted with their workforce prior to implementing monitoring systems. Ultimately, an employer's key compliance document when seeking to carry out employee monitoring will be a DPIA. In addition to this, employers should review their monitoring policies to ensure they are clear on the nature, extent and purpose of any monitoring that takes place.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team, bringing over 22 years of experience in this specialist area and advising clients from various data-rich sectors including retail, financial services/fintech, life sciences, healthcare, proptech and technology platforms.

Author

Bobby is an associate in our London office.

Author

Chiemeka works as a privacy specialist in Baker McKenzie's Intellectual Property & Technology Practice Group and is based in the firm's London office. He is a Nigerian-qualified lawyer who focuses on data protection, privacy, and technology transactions.