New Draft Guidance and Consultation from the ICO

Monitoring workers is permitted by the UK’s data protection legislation, but as with most use cases concerning personal data, balance and the protection of the rights and interests of individuals is of central importance. You must have a clear purpose for carrying out monitoring. There will inevitably a certain degree of intrusion, particularly when a worker is working from home, and this must be balanced against your needs as an employer. Transparency is essential, and workers must be made aware of the nature, extent, and reasons for monitoring (with some limited exceptions that may justify covert monitoring).

Last month, the Information Commissioner’s Office issued new draft guidance entitled Employment practices: monitoring at work draft guidance. The guidance forms part of the ICO’s work to update the 2011 Employment Practices Code and will be open for consultation until 11 January 2023.

The draft guidance is designed to provide a practical guide to keeping the monitoring of workers in line with the UK’s data protection legislation (including the UK GDPR and Data Protection Act 2018) and to promote good practice.

The draft is based on input from a range of stakeholders gathered in 2021 including:

• employers;
• professional associations;
• those representing staff interests;
• recruitment agencies;
• employment dispute resolution bodies;
• employees;
• workers;
• volunteers; and
• employment technology solution providers.

The monitoring of workers has become an increasingly important issue over the past few years, not least due to the significant increase in home working resulting from the COVID-19 pandemic. Although many have now returned to work, remote working has remained popular with many employees and employers. Coupled with this rise, monitoring software has also become more popular as a means of tracking productivity. The draft guidance recognises that workers working remotely from home will have greater privacy expectations than they might otherwise have in the workplace and that the risks of impinging on private and family life are greater.

It is important to note that while the guidance itself is currently in draft form and open for consultation until January, the laws to which it relates already apply and have done for some time. Now is the time to take a step back and review your monitoring activities, particularly those which may have been hastily implemented over the past few years to accommodate the shift towards remote working.

What is in the Draft Guidance?

The following key areas are addressed in the draft guidance:

• How to lawfully monitor workers;
• Using automated processes in monitoring tools;
• Specific data protection considerations for different types of workplace monitoring; and
• Using biometric data for time and attendance control and monitoring.

How to Lawfully Monitor Workers

The draft guidance explains how employers can lawfully monitor their workers, setting out the lawful bases for processing personal data under the law and advising on the selection of the most suitable basis. As in many cases, “legitimate interests” is considered the most flexible lawful basis (see our recent guidance and Legitimate Interests Assessment template here), but it may not always be appropriate for monitoring workers, as the guidance explains.

Other important considerations addressed in the draft guidance under this heading are fairness, transparency, and accountability; the use of special category personal data (something which may often be relevant in the employer-employee relationship) and criminal offence data; data retention and security; and the rights of workers in their capacity as data subjects.

Using Automated Processes in Monitoring Tools

Monitoring tools have risen in popularity and sophistication. Automated processing is often used for security purposes, performance management, and absence management – including determining when a worker is away from their computer (the less said about apps designed to keep a worker’s mouse cursor moving when they aren’t using the computer the better!). This is sometimes referred to as “people analytics”, but while such tools are clearly useful for employers, the UK GDPR’s provisions on automated decision making and profiling must be complied with.

The draft guidance explains what automated decision making and profiling is; what must be considered when making solely automated decisions with legal or similar effects; what workers must be told when you are using automated decision making; and the important role of human oversight of such systems.

Specific Data Protection Considerations for Different Types of Monitoring

A range of different types of monitoring may apply depending on the nature of your business and the nature of the work undertaken by your workers. The draft guidance considers a number of examples in detail including:

• monitoring telephone calls, emails, and messages;
• using video and audio monitoring;
• monitoring work vehicles and dashcams;
• monitoring information about workers from third-party sources;
• monitoring time and attendance data;
• monitoring to prevent data loss and to detect malicious traffic; and
• monitoring device activity.

Using Biometric Data for Time and Attendance Control and Monitoring

Controlling and monitoring access and time recording is far from new, but things have moved on a great deal from the clock cards and time recorders of the 19th Century. Similarly, security controls have advanced considerably, with biometric technologies taking the place of swipe cards and PIN codes.

Using biometric data such as fingerprints requires careful consideration from a data protection perspective, however, and it may be necessary to implement additional security measures when storing biometric data given that the risks of harm are inherently higher as biometric data cannot be reset in the event of a breach unlike a password or PIN.

The draft guidance explains what biometric data is; how to decide whether or not using it is necessary and proportionate; identifying a lawful basis for processing such data along with a special category data condition; the role of Data Protection Impact Assessments (templates for a DPIA, guidance notes, and a screening checklist are available here in the Business document folder); principles and rights relating to automated decision making; and the related rights of workers in their capacity as data subjects.

Comment

While the draft guidance remains open for consultation until 11 January 2023, the laws to which it relates already apply. Over the past few years, many employers may have found themselves rushing to implement new systems to accommodate remote working, overlooking important data protection and privacy matters in the process. Now is the time to review the measures that have been implemented in order to determine whether or not they are legally compliant and what steps can be taken to improve such compliance.