
Workplace monitoring rules

Written by: Nigel Miller
Published on: 2 Apr 2024
Category: Computer data

Research commissioned by the Information Commissioner’s Office (ICO) revealed that 19% of people believe they have been monitored by their employer; 70% said they would find workplace monitoring intrusive, and just 19% would feel comfortable taking a new job if they knew their employer would be monitoring them [1].

With the rise of remote working and developments in the technology available, many employers are looking to carry out checks on their workers. Beyond that is the need for employers to protect controlled items such as medicines, or to put in place processes to aid complaint resolution.

However, while legislation does not prevent monitoring, it must be done in compliance with data protection laws. If monitoring is excessive, and undermines employee privacy, then it may well contravene data protection laws. This could then stand in the way of an employer looking to rely on data obtained from monitoring – for example, for disciplinary purposes – and could lead to regulatory action in the event of a complaint. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using software to monitor productivity. It includes the use of biometric data for building access controls and to monitor timekeeping and attendance.

And when it comes to those working at home, the ICO points out that workers’ expectations of privacy are likely to be higher than in the workplace, and that the risk of inadvertently capturing information about workers’ family and private lives is also higher.

In October 2023, the ICO published revised guidance for employers on monitoring workers lawfully. Several key takeaways arose from the new guidance.

Lawful basis

To monitor workers, employers must identify a “lawful basis” under GDPR. “Consent” is unlikely to be appropriate in the context of the employment relationship. The “legitimate interests” basis is the one that is likely to apply in most circumstances. When considering this ground, employers must balance their legitimate interests and the necessity of the monitoring against the interests, rights and freedoms of workers.

This can be done by carrying out, and documenting, a “legitimate interests assessment” (LIA). An LIA can be done in conjunction with a data protection impact assessment (DPIA).

If an employer relies on legitimate interests, then workers will have a right to object to the monitoring on this ground.

This is not an absolute right, and an employer can resist the objection if it can demonstrate compelling legitimate interests for the processing, which override the interests, rights and freedoms of the worker, or if the processing is for the establishment, exercise or defence of legal claims.

Special category data

The ICO points out that monitoring can involve capturing “special category data”, such as a worker’s political opinions, religious or philosophical beliefs, or information about a worker’s health, sex life or sexual orientation. Even if not intended, this can happen incidentally in the course of the monitoring. Also, if an employer uses biometric data for identification, such as for access control, it will be classed as special category data.

In such cases, as well as having a lawful basis, the employer must identify a special category processing condition. This can be more problematic.

Again, obtaining the worker’s “explicit consent” to the monitoring is unlikely to be appropriate in most cases.

A special category condition may apply where the employer is monitoring to ensure the health and safety of workers for compliance with a legal obligation. Otherwise, it may have to comply with one of the “substantial public interest” conditions set out in Schedule 1 of the Data Protection Act; for example, where it uses CCTV to detect and prevent crime, and incidentally captures special category data, it could rely on the public interest condition of “preventing or detecting unlawful acts”.

If relying on a substantial public interest condition, it will also have to have in place an “appropriate policy document”.

Fairness

Fairness is a key data protection principle. It means an employer should only monitor workers in ways they would reasonably expect; for example, CCTV in staff changing rooms – designed to prevent theft – is unlikely to meet this requirement. However, CCTV positioned outside the changing room could be justified.

Transparency

Transparency is about being clear with workers about how and why the employer processes their information. It is fundamentally linked to fairness.

Apart from exceptional circumstances where covert monitoring is justified, employers must inform workers about the monitoring. They must be clear about why they are monitoring and what they intend to do with the information they collect. This is normally set out in an employee data protection statement, staff handbook or in an acceptable usage of communications policy.

Data minimisation

Monitoring technology has the capability to gather more information than may be necessary to achieve the desired purpose.

The ICO highlights that this risks “function creep”, where information is used for wider purposes than the original intention.

So, the monitoring must be proportionate to the objectives. For example, there should be no need to monitor the content of a communication if monitoring the traffic data or log file is sufficient for the purpose.

Similarly, an employer must not collect information, or hold on to it for longer than is necessary, just in case it might become useful in the future.

Data security

In the interests of data security and proportionality, access to the information gathered from monitoring should be restricted to those who need access.

Employers will need to identify the most appropriate person or people to access the information they collect – for example, the HR team – and train them how to handle the information in compliance with data laws.

Using third-party processors

Where an employer outsources its monitoring activities to a third-party data processor – for example, using technology such as software as a service under which the service provider handles the data – then as the controller, it must have in place a data processing contract with the third party as required by GDPR.

DPIA

Under the GDPR, employers must carry out a DPIA before undertaking any processing likely to cause a high risk to workers’ and other people’s interests. This is particularly the case when using new technologies.

The ICO gives examples of high-risk processing, which include processing biometric data, keystroke monitoring or monitoring that may result in financial loss (such as performance management). Even if an employer is not strictly required to carry out a DPIA, it is regarded as good practice to do so.

The ICO also advises that, as part of the DPIA, employers should seek and document the views of their workers before introducing monitoring, unless a good reason exists not to.

The ICO says this can potentially avoid complaints from workers at a later stage, and allows employers to consider potential issues before they arise. This is a new recommendation, and likely one that most employers will not previously have followed.

Data subject access

It is important to remember that employers may have to make the personal information they collect through monitoring available to workers if they make a data subject access request, unless an exemption applies.

Practical next steps

In the light of the ICO’s new guidance, employers need to revisit their policies and practices on monitoring to ensure it is proportionate to the objective, as the ICO’s powers are broad and will be used where sufficient cause is given.

Reference

  1. Information Commissioner’s Office (2023), ICO publishes guidance to ensure lawful monitoring in the workplace, tinyurl.com/2sfp6d8f