The Information Commissioner’s Office (ICO) has published new monitoring guidance to help employers comply with the UK General Data Protection Regulation and the Data Protection Act 2018. The guidance follows on from its public consultations.
Workplace monitoring is a sensitive area, with the ICO’s research revealing that 70% of the public would find it intrusive to be monitored by an employer. The research also revealed that almost one in five people believe they have been monitored by an employer, and fewer than one in five would feel comfortable taking a new job if they knew their employer would be monitoring them. Employers must therefore consider their legal obligations and their workers’ rights before implementing any monitoring in the workplace.
What the guidance contains
The ICO explains that with the increase in remote working and developments in technology, many employers are seeking to carry out checks on their workers. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recording, as well as using specialist monitoring software to track activity.
If seeking to use such measures, any processing must be lawful in the first place and staff must be made aware of it. The ICO’s guidance outlines necessary steps to take, including:
- Making workers aware of the nature, extent and reasons for monitoring
- Having clearly defined purpose and using the least intrusive means to achieve it
- Having a lawful basis for processing workers’ personal data
- Telling workers about any monitoring in a way that is easy to understand
- Only keeping information relevant to the purpose
- Carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to workers’ rights.
Following these steps does not automatically mean that monitoring will be lawful, but it will help determine whether organisations have a lawful basis for monitoring in the first place, and mitigations they can apply to minimise the data privacy risks for individuals. The ICO is clear that any monitoring undertaken must be necessary, proportionate and respect the rights of workers, and it will take action if it believes people’s privacy is being threatened.
If you are considering implementing monitoring in the workplace, the ICO’s guidance contains helpful practical advice and checklists. Legal advice should also be sought. Please contact our Data Privacy team for further information.
You can view the ICO monitoring guidance here.
This article was first published by our UK member Doyle Clayton on 17 October 2023. For more information, contact the authors Piers Leigh-Pollitt, Partner & Compliance Officer for Legal Practice and Mike Hibberd, Legal Director.