October 12, 2023
This new ICO Guidance covers a wide range of data protection issues that need to be considered when an employer wishes to monitor its workers (e.g. for health and safety reasons, to meet regulatory obligations or to monitor timekeeping, access control, productivity, internet activity or the locations of its workers). In the introduction, it explains that the Guidance applies to systematic, not one-off, monitoring but will apply to monitoring for a short-term specific need. It does not apply to processing carried out for law enforcement purposes or to monitoring in a personal or household context. However, it will apply to homeworking.
As in other recent ICO Guidance, the ICO uses “must” to indicate a legislative requirement, “should” to indicate what the ICO expects data controllers or processors to do to comply with the law and “could” to indicate one option that could help them comply effectively.
The employer must establish a lawful basis or bases for worker monitoring. Consent is not usually appropriate in the employment context due to the imbalance of power between employer and worker. The lawful basis most likely to be relevant for employee monitoring is where the processing is necessary for the legitimate interests of the employer. To determine if this basis applies, the employer must consider whether there is a legitimate interest, whether the processing is necessary for that purpose and whether the legitimate interest is overridden by the worker’s interests, rights or freedoms. Legitimate interest may not be appropriate in cases where the employer is monitoring workers in ways they do not understand and would not reasonably expect, or where it is likely some workers would object (e.g. an office worker would not reasonably expect to wear a tracking device in the office, but a miner might reasonably expect to do so).
The employer must make workers aware of the personal information being collected during any monitoring, keep the information up to date and inform workers when changes are introduced. As to whether the employer needs to disclose the monitoring to workers, the Guidance states that employers should seek and document the views of workers in advance unless there is a good reason not to. If the employer decides not to, it should record this decision along with an explanation. Covert monitoring, where workers are unaware it is taking place, may be justified but only in exceptional circumstances (e.g. to prevent or detect suspected criminal activity or gross misconduct). In this case, the employer must carry out a Data Protection Impact Assessment (“DPIA”) and use the information gathered only for the intended purpose. Covert monitoring should also, amongst other things, be authorised by senior management, be based on grounds for suspecting criminal activity or gross misconduct and on grounds that informing workers would prejudice prevention or detection, and be strictly targeted at obtaining evidence within a set timeframe.
Workers can object to any type of monitoring where the employer is relying on legitimate interest as its legal basis. The employer can refuse to cease the monitoring if they can demonstrate a compelling legitimate interest for the processing which overrides the rights and freedoms of the worker or that the processing is for the establishment, exercise or defence of a legal claim. The employer must balance the worker’s rights and freedoms with its own legitimate interests and, to continue the monitoring, must demonstrate that the legitimate interests override those of the worker. The employer must inform the worker of its decision, their right to make a complaint to the ICO and their ability to enforce their rights through a judicial remedy.
The Guidance addresses many other issues such as transparency, accountability, accuracy, security and DPIAs. It also addresses monitoring tools that use solely automated processing and the use of biometric data for time and attendance control and monitoring. Finally, it has a section which addresses data protection considerations for different ways or methods of monitoring workers (including telephone calls, emails and device activity). As with other recent ICO guidance, this Guidance also contains several useful examples and checklists.