The Information Commissioner's Office (ICO) is consulting on new draft guidance on monitoring at work. The consultation closes on 11 January 2023. The existing employment practices code 2011 contains supplementary guidance on data protection and employment practices but the ICO has recognised that much has changed in the last 11 years. Since publication of the code, we have seen the introduction of the UK GDPR and the Data Protection Act 2018. In order to provide regulatory certainty and protect the data protection rights of workers, the ICO has issued draft guidance on monitoring at work to replace the existing guidance in the 2011 code.

New technology

The updated guidance reflects the shift in working practices and the emergence of new technology used to monitor workers. This largely stems from the move to remote working caused by the pandemic. Monitoring at work can include the monitoring of telephone calls, emails and the tracking of device and internet activity as well as the use of webcam surveillance and timekeeping technology. Workers are likely to have a greater expectation of privacy when working from home, where the risk of capturing family and private life is greater.

Neither the UK GDPR nor the Data Protection Act prevents the use of monitoring technology, but any monitoring must be undertaken in compliance with data protection law, particularly where special category data (such as health or biometric data) is processed or where the monitoring involves the use of automated processes. Employers are also advised to consider the right to respect for private and family life contained in Article 8 of the European Convention on Human Rights. Any decision to monitor workers should involve striking a balance between the business interests of an employer and workers' rights and freedoms.

This article outlines the key changes that will come with the implementation of the new guidance. The draft guidance takes the format of a series of questions and answers, with practical examples. It also includes a number of checklists for lawful monitoring.

Key changes

The draft guidance includes the following:

  • Employers are advised that monitoring is permitted. However, a balance is required between the needs of workers and monitoring levels. Workers must be notified of monitoring. This includes the extent of and reasons for monitoring
  • Information collected must not be used for a new purpose unless it is compatible with the original purpose
  • Employers should carry out a data protection impact assessment for any monitoring likely to result in a high risk to the rights of workers. This is not mandatory but employers are advised to do so as good practice
  • In order to lawfully collect and process information from monitoring workers, employers (i.e. the controller) must identify a lawful basis. There are six to choose from. These are listed in the ICO draft guidance and (briefly) are:
    • Consent: a worker gives consent to the controller processing their personal data for one or more specific purposes (e.g. monitoring)
    • Contract: the monitoring is necessary for a contract to which the worker is a party, or in order to take steps at the request of the worker prior to entering into the contract
    • Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject
    • Vital interests: the processing is necessary to protect the vital interests of the worker such as the protection of life
    • Public task: the processing is necessary to perform a task in the public interest or the exercise of official authority vested in the controller
    • Legitimate interests: the processing is necessary for the controller's legitimate interests or those of a third party, unless those interests are overridden by the interests or fundamental rights or freedoms of the worker.
  • As mentioned above, the guidance considers the use of biometric data when monitoring workers such as the use of such data to control worker access to systems or premises. Advice is given on how employers can appropriately comply with the UK GDPR in these scenarios
  • The guidance also considers UK GDPR compliance in the use of automated process monitoring tools. This type of technology may use automated processes ("people analytics") to track and assess worker behaviour and performance which, when combined with the use of an automated decision about a worker, may increase the risk of inaccuracy of data and discrimination.

What employers should do now

Employers are advised to consider responding to the consultation, particularly in regard to issues they feel may not be adequately covered. The consultation documents are available from the ICO: "ICO consultation on the draft employment practices: monitoring at work guidance and draft impact assessment".

The consultation on the draft guidance will remain open until 11 January 2023. Further guidance is expected and once finalised, employers should ensure that they follow it.

At WBD, we have experienced Employment and Digital teams who provide commercial and practical advice on a range of employment, technology and data protection law issues. If you have any queries on the above or would like further advice or support, please get in touch with your usual Womble Bond Dickinson contact.