The ICO has this week issued revised guidance on monitoring workers to reflect the rise of the gig economy, the blending of work at the office and home, and the use of sophisticated technologies for monitoring.
Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. The guidance discusses the monitoring of workers by employers, and how this interacts with data protection. It is primarily aimed at employers and expands on the need for a lawful basis to process workers’ personal data and the data protection principles employers must comply with.
The guidance is detailed, and this note highlights some key takeaways but the main initial takeaway is that the guidance reaffirms that data protection law does not prevent employers from monitoring workers, but as ever (and as per the previous ICO guidance) it must be done in a way which is compliant with data protection requirements i.e. appropriately balancing business interests with the workers’ rights and freedoms. The guidance also notes that in the new paradigm of hybrid working workers’ expectation of privacy is likely to be significantly greater at home than in the workplace.
Employers must be clear about the purpose of monitoring; must select the least intrusive means to achieve the purpose; and must document why they are monitoring workers and what they intend to do with the information collected.
In some circumstances organisations must carry out a DPIA before carrying out monitoring e.g. in respect of keystroke monitoring which the ICO classes as a high risk form of processing. The guidance states that even if the employer is not required to carry out a DPIA, employers should still do so.
In respect of transparency, excluding very exceptional circumstances where covert monitoring is justified, employers must inform workers about any monitoring. The guidance outlines several factors employers must bear in mind before deciding to initiate covert monitoring such as only senior management should authorise covert monitoring.
This guidance is welcome from the ICO, as ever continuing to show a pragmatic approach that is fair both to employers (recognising the need for monitoring and that in many cases it is fully justified) but equally that highlights the protections that must be afforded to employees.
Bryony Long, Co-Head of the Data Privacy & Cyber team, was asked to share her thoughts on the ICO's guidance with the International Employment Lawyer, see here for the article.
Lewis Silkin LLP and Privacy Laws & Business are organising an event at a date shortly to be announced: Workplace Privacy and the UK ICO’s new Monitoring at Work Guidance: What might this mean for your workplace? This will take place as Lewis Silkin's new London office at The Arbor, 25 Blackfriars Road, in association with PL&B. Express your interest in this event by contacting events@lewissilkin.com
"Clearly employee monitoring is an area of focus for the ICO and employers engaging in monitoring need more than ever to be aware of their data protection obligations. The ICO is at pains to state that an organisation’s business interests must never be prioritised over privacy of workers."