On 12 October the Information Commissioner's Office (ICO) launched a consultation on its draft guidance on monitoring employees at work.
It has also published an impact scoping document that outlines the potential impacts already under consideration.
Summary of the draft guidance
The document aims to provide employers with practical guidance about monitoring workers in compliance with data protection legislation. While the ICO's guidance does not impose any new legal obligations, it is intended to be an accessible publication, with helpful examples, that will be useful for organisations aiming to promote good practice, build trust with workers and comply with workers' data protection rights. As would be expected from the ICO, the need for transparency, fairness and accountability is a key focus throughout the document.
Some of the key requirements in the document are:
- Employers will need to notify workers of the nature, extent and rationale of any monitoring (unless exceptional circumstances apply);
- Employers should be very clear about the purpose for monitoring, identifying an appropriate legal basis for processing personal data and special category data;
- Employers should not use the information collected for a different purpose to the one it was collected for (unless compatible with the original purpose); and
- Employer accountability requirements include the need to inform workers about the monitoring activities and to conduct data protection impact assessments (DPIAs) in certain instances.
The draft guidance is welcome, as the previous guidance is now outdated and no longer relevant to today's workplace. Some specific examples from the document are outlined below.
- Can employers monitor remote workers?
The Covid-19 pandemic facilitated remote working environments and this is now covered in the draft guidance. Remote working arrangements are heavily reliant on trust and employers should be able to carry out some degree of monitoring, such as monitoring device activity to track workers' activity and productivity. This is acknowledged by the ICO; however, it has made clear that excessive monitoring by employers may intrude into workers' private lives, and that employers must take into account that workers' expectations of privacy are likely to be significantly higher at home than in the workplace. Employers should factor these risks of capturing family and private life information into any planning.
- Can employers monitor work vehicles?
If employers provide workers with company cars, it may be that these cars are tracked during working hours for business reasons. For example, the employer may use tachographs in vehicles to record information about driving time, speed, and distance to ensure the rules on drivers’ hours are followed. The draft guidance makes clear that if company cars can be used for personal use by the worker as well, monitoring during private use will rarely be justified. The ICO suggests that employers should use tracking systems which the driver can disable so it does not monitor driver activity outside of work.
If driver monitoring is more intrusive, for example, by monitoring driver behaviour or using cameras or audio, then this will be harder to justify (due to the higher risk to the worker's privacy). The ICO recommends that a DPIA is carried out in these instances to assess the risks, and that less intrusive methods should be considered.
- Can employers use biometric data for time and attendance control and monitoring?
Technological advances have led to an increase in the processing of biometric data, which is used to monitor and control workers' access into buildings and systems. The updated draft guidance now considers this and warns employers that, when processing such data, they must:
- consider whether it is necessary and proportionate, documenting its reasoning;
- identify a legal basis and special category condition where needed. If consent is relied on as a special category condition, employers will also be required to put in place alternative methods for authentication / identification for workers who have not provided consent; and
- carry out DPIAs in some instances. It will be good practice for employers to carry out DPIAs in any instance to reduce potential regulatory action and also improve workplace morale.
What should employers do?
Employers should now take the opportunity to:
- Consider the potential impact the new draft guidance will have on their business;
- Review their current monitoring processes and consider if any improvements can be made;
- Identify what monitoring processes are deemed necessary for the business moving forward; and
- Consider what monitoring will need to be communicated to workers and specified in relevant policies.
Employers should also be aware that personal data collected from monitoring may be disclosable in the event an employee submits a Data Subject Access Request. It will therefore be important for employers to reduce excessive workplace monitoring using personal data and to ensure that, when monitoring is carried out, it is compliant with workers' data protection rights.
The consultation remains open until 11 January 2023. If you would like our help with your response to it, please do get in touch.
Contributors Jo McLean and Hannah Magrath
Managing Associate, Commercial Services and Data