How employers should navigate the ICO’s guidance on monitoring workers

As technology continues to advance at a rapid pace, so does the prevalence of firms monitoring workers and the sophistication of the tools available to employers to monitor their staff’s activities. Hand in hand with the increasing prevalence of workplace monitoring tools are concerns that their excessive use may infringe workers’ data protection and privacy rights. Employers must take heed of recent ICO guidance to ensure they do not fall foul of the law in pursuit of the hoped-for benefits of workplace monitoring, such as boosting productivity and profit.

The ICO defines ‘monitoring workers’ as “any form of monitoring of people who carry out work on your behalf”. This includes systematic or occasional monitoring on work premises or elsewhere, either during or outside work hours. Examples of monitoring technologies and their purposes include: keystroke monitoring to track, capture and log keyboard activity; camera surveillance, including wearable cameras; body-worn devices that record the location of workers; audio recordings; productivity tools which log how workers spend their time; and technologies for monitoring timekeeping or access control.

 

How can employers lawfully monitor workers?

It is important to consider and be clear about the purpose of monitoring workers. Monitoring must be necessary for the purpose identified and be conducted in the least intrusive way possible. Employers should ensure they identify a lawful basis for the monitoring including, for example, consent, public interest task or legitimate interests.

Further steps should include identifying a special category processing condition for any special category data being processed. Special category data includes personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; as well as genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a person’s sex life or sexual orientation.

Furthermore, employers should document the personal information being processed, regularly review the information collected and destroy what is not necessary, and inform workers about the nature and extent of and the rationale for monitoring in an accessible and easily understandable way. Such information should be set out in the organisation’s privacy information.

It is also important that employers conduct a Data Protection Impact Assessment (DPIA) before undertaking any processing that is likely to cause high risk to workers’ interests, for example, if the employer intends to monitor emails and messages. Employers must make the personal information collected through monitoring available to workers if the worker makes a Subject Access Request in addition to ensuring that any third-party systems or applications used to carry out monitoring are compliant with data protection law. There must also be a suitable contract in place with the provider.

Finally, employers should consider the rules for international transfers when transferring personal information of workers outside the UK and outside the company or organisation.

 

Getting it wrong

Non-compliance with data protection law can lead to heavy fines. Additionally, excessive monitoring can have an adverse impact on workers’ data protection rights and mental wellbeing, which may result in work-related stress and personal injury claims against the employer. Excessive monitoring may also have a detrimental impact on the trust and confidence between employees and employers, which is integral to any employment relationship. The fundamental breach of this relationship can give rise to constructive dismissal claims for those employees with more than two years’ continuous employment.

Workers may object to monitoring where the employer is relying on the lawful bases of public interest task or legitimate interests. The employer can refuse to comply with the objection if:

  • the objection is manifestly unfounded or excessive; or
  • the employer can demonstrate compelling legitimate interests for the processing which override the worker’s interests, rights and freedoms; or
  • the processing is for the establishment, exercise or defence of legal claims.

 

Getting it right

There are specific data protection considerations for different methods of monitoring workers which are additional to the above steps that employers need to take to monitor workers lawfully.

For example, employers may monitor business calls to evidence business transactions, or for training or quality control purposes. However, the employer must inform workers of such monitoring in its privacy information, and inform those making or receiving calls from the organisation.

Employers must inform workers of the purpose of any monitoring of emails and instant messages, and such monitoring must be necessary and proportionate for the purpose. The employer must also complete a DPIA.

Employers must carry out a DPIA if it is likely that CCTV monitoring will capture special category data, including if the CCTV uses facial recognition. The employer must inform workers and anyone caught by the monitoring of the operation of CCTV. It should also have an appropriate policy and contract in place with any outsourced provider.

When using biometric data to monitor workers, employers must: conduct a DPIA; identify a special category processing condition; and consider whether additional security measures are required for collecting, using or storing biometric data. If biometric data is used in automated decision-making, employers must assess and mitigate any bias in the system and ensure that manual reviews are available.

Employers should have the data protection and privacy rights of workers at the forefront of their mind when considering any workplace monitoring tool or system, not only to avoid being penalised by the ICO or having to defend a claim from a worker, with the management time and reputational damage that entails, but also to ensure that the trust between the employer and its workforce, which is integral to a happy and productive business, is not undermined by a belief that “big brother” is watching.