Can employers monitor employees? Proposed new guidance from ICO
As part of its latest guidance on employment practices and data protection, the Information Commissioner’s Office (ICO) has released new draft guidance concerning employee monitoring. Partner David Edwards from Harrison Drury’s regulatory team, and trainee solicitor Hannah Pinder from our employment law team, highlight and explain key areas of the proposed new guidance.
Once finalised, the draft guidance will replace the current employee monitoring guidance contained in the ICO’s Employment Practices Protection Code, which was published in 2011. The draft guidance is open for public consultation until January 11, 2023.
The draft new guidance
The previous guidance was published over a decade ago, when certain technologies and working practices of today did not exist, meaning it was in desperate need of reform.
The new guidance has been prepared to reflect the current legal framework of the UK GDPR and the Data Protection Act 2018, along with the innovations in working practices and new technologies that have arisen over the years, particularly with regard to the shift to remote working during the Covid-19 pandemic.
What is ‘monitoring at work’?
The ICO acknowledges monitoring at work as the use of various workplace surveillance methods to gather information on the activities and location of staff using the following:
- Camera surveillance.
- Webcams and screenshots.
- Technologies for monitoring timekeeping or access control.
- Keystroke monitoring to track, capture and log keyboard activity.
- Tracking internet activity and keystrokes.
The purposes of monitoring at work include reviewing the quality and quantity of a worker’s output; protecting the health and safety of workers, including their wellbeing; meeting regulatory obligations; and forming part of a short-term response to a specific need, for example installing surveillance to monitor for a suspected theft.
The position under UK law on monitoring at work
Although employee monitoring is permitted under UK law, employers should note it is regulated under data protection, human rights and equality laws. When conducting employee monitoring, employers must ensure they balance the level of intrusion against their needs, those of their workers and members of the public.
Employers should always consider the right to respect for a private and family life enshrined in Article 8 of the Human Rights Act 1998, particularly with regard to homeworking.
To lawfully collect and process information from monitoring workers, an employer must identify a specific lawful basis. There are six to choose from under Article 6 of UK GDPR:
- Consent – the worker provides consent to process their personal data for a specific purpose
- Contract – the monitoring is necessary for a contract between the employer and employee
- Legal obligation – the processing is necessary for the employer to comply with the law
- Vital interests – the processing is necessary to protect someone’s life
- Public task – the processing is necessary for the employer to perform a task in the public interest
- Legitimate interests – the processing is necessary for the employer’s legitimate interests or those of a third party
The guidance confirms that employers are unlikely to be able to rely upon ‘consent’ as a lawful basis for processing employee personal data, due to the imbalance of power between employer and employee. The guidance states that consent is “only appropriate in circumstances where workers have a genuine choice and control over the monitoring”.
The guidance also suggests a lawful basis in ‘contract’ will only arise in scenarios where the monitoring is genuinely necessary for performance of the contract between employer and employee.
‘Legitimate interests’ is the most flexible Article 6 condition upon which employers can rely when monitoring employees. As identified above, when considering whether employee monitoring is justified as a legitimate interest, employers must balance their own interests against the privacy rights and expectations of employees.
Key points from the new guidance
Noteworthy points arising from the new guidance include:
- Where sensitive data (i.e. special category personal data, such as health information) is collected incidentally, an Article 9 special category condition will be required to lawfully process such data. Article 9 of the UK GDPR prohibits the processing of special category data; however, as there are 10 exceptions to this general prohibition, the employer must be able to show one of these conditions applies to allow them to process the data.
Example: an employer monitors the emails of an employee to gauge the employee’s client-handling performance. During the email monitoring, information concerning the health of the employee is also processed. The purpose of the email monitoring was not to process health data, but the employee’s health data was nonetheless processed by the employer. Therefore, an Article 9 special category condition will be required, in addition to one of the lawful bases for processing personal data under Article 6, to lawfully conduct the email monitoring.
- Where employees are monitored for the purpose of enforcing an employer’s policies or procedures, the monitoring will not be justified if in practice those policies or procedures are not genuinely enforced.
Example: an employer prohibits employees from making personal phone calls at work. However, the policy is not enforced, and employees often make personal phone calls at work. Accordingly, the employer is not lawfully able to justify monitoring employees for the purpose of enforcing such a policy.
- Where an employer seeks to monitor employees, before doing so it should consult with employees or their representatives in the interests of transparency and to seek their views. Employers must notify workers of any monitoring, including its nature, extent and rationale, unless exceptional circumstances require covert monitoring.
- Where an employer collects information through the monitoring of employees, the data must not be used for a purpose other than that for which the monitoring was intended. However, there may be exceptional circumstances that the employer cannot ignore, such as gross misconduct or criminal activity.
- Employers must carry out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers and other data subjects. Even where these impact assessments are not mandatory, employers should consider carrying one out as good practice, as the process would help employers make better risk-based decisions and more clearly meet their data protection obligations. If an employer’s proposed monitoring concerns employees working from home, the DPIA should assess the impact of the monitoring on other members of the household.
- Employers must be clear about their purpose for monitoring. Further, they must not use the data collected under an existing purpose for a new purpose, unless it is compatible with the existing purpose in most circumstances.
Next steps for employers
It is important that employers take a proportionate and balanced approach to employee monitoring, and employers who intend to monitor their employees should have appropriate policies and other documentation in place before doing so. There is no need to update data protection policies as yet; however, the monitoring sections should be reviewed to identify areas which could be improved in light of the draft guidance.
Employers can respond to the consultation and the ICO welcomes feedback on the specific questions contained in the monitoring at work survey and draft impact assessment survey. Any responses should be submitted by 5pm on 11 January 2023.
If you operate a business and would like further information regarding employee monitoring, please contact Harrison Drury’s employment law and regulatory teams on 01772 258 321 or at enquiries@harrison-drury.com.