Draft guidance on workplace monitoring, aimed at employers, has been published by the Information Commissioner’s Office (ICO). Consultation is open for UK organisations to submit views until 11th January 2023.
Monitoring – what is it?
Monitoring is broadly defined and includes technologies which enable:
- workplace vehicle tracking (such as dashcams)
- video surveillance (such as CCTV or wearable cameras used for the purpose of health and safety)
- checks on a worker’s electronic devices (such as access controls or timekeeping checks on their computers, laptops and mobile phones)
The draft guidance covers occasional monitoring, introduced as a short-term measure for a fixed time period or a specific need (for example, installing cameras to investigate and detect suspected theft). But it also covers situations where all workers are monitored as a matter of course (using software to monitor productivity or security, for instance).
Is monitoring lawful?
UK laws do not prevent employers from monitoring workers. The draft guidance reminds employers that it must be done in a way which is compliant with data protection laws. This includes:
Identify the purpose (or purposes) for monitoring: Employers are required to define their reasons for monitoring workers. They should not be monitored for some vague unspecified reason or ‘just in case’. Purpose limitation is a key principle of data protection law.
Acceptable purposes given as examples in the draft guidance include using CCTV for site safety and monitoring email traffic for security (such as to prevent data loss or detect malicious traffic).
Having a lawful basis: this is a requirement for any personal data processing. While six bases are available, the draft guidance highlights that
- the ICO considers it hard to envisage scenarios where monitoring is necessary for an employer to fulfil their contract with workers, so that lawful basis will be available only in limited situations
- consent is not usually an appropriate lawful basis in an employment context, because of the power imbalance (since workers are likely to feel that they have no choice but to give consent).
In practice, monitoring is more often done for business purposes. This makes it likely employers will look to rely on one of the other lawful bases among the six available – such as necessity for a specific legitimate interest or, alternatively, necessity to comply with a legal obligation.
Meets requirements for special category data processing: Interlinked with this, the draft ICO guidance points out that monitoring will involve capturing workers’ special category data in most cases. This means employers must identify a special category data processing condition as well as a lawful basis.
It gives the example of a financial institution monitoring all staff emails to address fraud risks and protect commercially sensitive information; these purposes provide a lawful basis. The ICO’s position is that the institution is also expected to identify a special category condition in the Data Protection Act 2018 (DPA2018). Why? Because such extensive monitoring could intercept data such as, for example, emails sent by workers to their union representatives or to occupational health.
From the draft guidance, it appears “reasons of substantial public interest (with a basis in law)” is the condition most likely to be available for employers in those situations. But to rely on it, they must be clear that the monitoring is necessary in the public interest, with a basis in law, and that the limited amount of special category data processing is necessary to achieve the organisation’s purpose.
An exhaustive list of 23 public interest reasons is given in Part 2 of Schedule 1 of the DPA2018.
In the draft guidance, the ICO gives the example of a bank using CCTV to prevent and detect crime. Since camera footage may sometimes also capture special category data about workers and customers, the bank would need to identify an appropriate condition. The ICO view is they could rely on ‘reasons of substantial public interest’ in conjunction with the specific reason ‘preventing or detecting unlawful acts’.
Minimising data collected and how it is used: The UK GDPR general principles include data minimisation, which in practice means organisations should not collect more data than needed to achieve the purpose or purposes identified. It should not be used more than necessary or kept for any longer than necessary.
Recognising that many employers will cite security as the reason for their monitoring, the draft guidance highlights that organisations are likely to have a range of technical solutions that can help ensure the confidentiality, availability and integrity of personal data (such as firewalls to prevent external threats as well as internal monitoring). It reminds employers to consider the least privacy-invasive means possible.
Data Protection Impact Assessments (DPIA): Employers are legally required to carry out a DPIA for any monitoring that is likely to result in a high risk to the rights of workers and other people whose personal data is captured by the monitoring. A template form is available on the ICO website, with general guidance on how to complete it.
Where a DPIA is not mandatory, the guidance says employers should consider completing one anyway for good practice. It helps assess risk and identify whether less intrusive methods could achieve the same purpose. It should document why workers are monitored and what the organisation intends to do with the information collected. For instance, if the monitoring is to enforce an organisation’s policies, such as an Acceptable Use Policy, it is expected those will be set out clearly. The policy or policies should outline the nature, purpose and extent of any monitoring, and the organisation should regularly bring those policies to the attention of workers (for example as part of induction and refresher training).
Review periodically: The draft guidance says employers must regularly review any monitoring. This would include periodically reviewing any completed DPIA (and keeping under review whether DPIAs are needed), as well as ensuring privacy information is up to date and that workers are informed when changes are made to monitoring activities.
Transparency: What should employers tell workers about monitoring?
It is the employer’s responsibility to ensure workers understand what personal data is being processed during monitoring, including how and why the organisation is using that personal data. The draft guidance suggests arrangements to ensure workers remain aware that monitoring is being conducted, such as messages appearing via an intranet, or physical signage in areas subject to video monitoring.
The guidance adds that employers could collect documentary evidence that workers have been made aware of monitoring, for example confirming in writing that notices have been provided and read.
Must employers consult workers before monitoring?
If planning to introduce monitoring, the guidance recommends seeking and documenting the views of workers (or their representatives) unless there is a good reason not to. It can be done as part of a DPIA. This is a good way of being transparent and helps meet obligations to protect workers’ data protection rights and freedoms.
Involving workers during the planning stages can help avoid complaints by taking their concerns into account early. Addressing any feedback or questions in advance helps to build good working relationships and trust.
If employers decide not to consult, the draft guidance recommends recording this decision along with a clear explanation. It also reminds employers that personal data collected through monitoring must be made available to workers if they make a subject access request (with the usual exemptions applied).
Monitoring work vehicles outside working hours?
When private use of a work vehicle is allowed, the draft guidance flags that monitoring a worker’s private use will rarely be justified.
Giving the example of company cars tracked during working hours for business reasons, it reminds employers they must ensure workers and other vehicle passengers are informed of any monitoring, and also that the tracking system can be disabled by the worker (so it does not monitor activity outside of work).
What about remote working and homeworking?
If monitoring those who work remotely, the draft guidance for employers is to keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. In addition, there is an increased risk of employers capturing family and private life information, which should be factored into the employer’s planning and decision making around monitoring.