The Information Commissioner’s Office (ICO) has issued guidance for employers on how to ensure that any monitoring of their workers is lawful. The guidance provides clear direction on how employers can balance surveillance with data protection laws and workers’ rights.
The guidelines were developed following a recent study commissioned by the ICO which revealed that 19% of people believe that they have been monitored by an employer. The same research found that 70% of people would perceive monitoring in the workplace as intrusive. The rise in remote working has led to an increase in monitoring of employees, but employers clearly need to tread carefully to avoid creating a sense of distrust among their workers.
What is meant by monitoring workers?
Monitoring can mean different things and take many forms, including:
- using technology to monitor timekeeping;
- implementing technology to log keyboard activity;
- taking screenshots and accessing webcams;
- monitoring internet activity; and
- utilising body-worn devices to track the locations of workers.
How can employers lawfully monitor workers?
To lawfully collect and process information from the monitoring of workers, employers must identify a “lawful basis” to do so. There are six from which to choose:
- Consent: The worker gives consent to monitor them.
- Contract: Monitoring is necessary for a contract with the worker.
- Legal obligation: Monitoring is necessary to comply with the law.
- Vital interests: Monitoring is necessary to protect someone’s life.
- Public task: Monitoring is necessary to perform a task in the public interest.
- Legitimate interests: Monitoring is necessary for the employer’s legitimate interests or those of a third party (unless the risk to workers’ rights overrides them).
In addition to this, if an employer is processing “special category data”, they need to identify a lawful basis and a special category processing condition (there are 10 of these under Article 9 of the UK GDPR). This is because, by its nature, special category data is sensitive and therefore requires extra protection. Special category data is personal information revealing or concerning matters such as race or ethnicity, political opinions, health or disability, sexual orientation or religious beliefs etc. Employers should be wary of collecting special category data, whether or not done purposefully. Whatever the circumstances, a condition for processing must be identified.
What else should employers know about lawful monitoring?
- Employers need to clearly define their purpose for monitoring workers, and what they intend to do with the information they collect. For example, an employer cannot install CCTV cameras “just in case” – they need to specify a reason, such as installing it for “site safety purposes”. If the monitoring is to enforce an employer’s policies, they should be clearly set out.
- Employers need to be aware of the data minimisation principle. This stipulates that employers should not collect more information than is needed to achieve their stated monitoring purpose(s). Monitoring technologies are often capable of capturing much more of a worker’s data than was intended. The data minimisation principle seeks to reduce “function creep”, whereby employers may gradually collect more and more data than they actually need to achieve their aim.
- Employers should not keep personal information obtained from monitoring workers for any longer than is necessary for the purpose(s) identified. The retention period should be based on business need and reviewed regularly. When the retention period is over, the employer should delete the data in question. It should not be kept, for example, just in case an employer considers that it might be needed in the future.
In conclusion, the ICO’s guidelines highlight the need for employers to ensure any workplace monitoring is lawful and fair. In addition to including good practice advice to assist employers in building trust and respecting their workers’ right to privacy, it also gives guidance on the relevant legal requirements.
