The Information Commissioner’s Office (ICO) is currently in the process of developing new guidance for employers on the monitoring of employees at work. A consultation on the latest version of this draft guidance closed earlier this year, and we are now waiting to see how the ICO may respond to stakeholder comments.
In the meantime, the draft guidance provides a very useful overview of the ICO’s expectations for employers who carry out employee monitoring activities. Below we’ve listed some key takeaways from the draft guidance along with recommended steps employers can take to demonstrate compliance.
It is worth noting that, when conducting employee monitoring, employers may be subject to relevant obligations under other types of laws (e.g. the Human Rights Act 1998 and Equality Act 2010). These are beyond the scope of the draft guidance so should be considered separately.
Key Takeaways from the Draft Guidance
- Employee monitoring can take a wide variety of forms and the applicability of the UK GDPR will always need to be considered in relation to the specific activities. Monitoring may be systematic (e.g. the constant use of CCTV) or occasional (e.g. monitoring carried out for a one-off investigation) and, among many other methods, could be carried out through webcam and screenshot captures, CCTV, systems logging timekeeping or physical access, keystroke monitoring, productivity tools, and internet activity tracking.
- To ensure UK GDPR compliance, employee monitoring activities must be based on an applicable “Lawful Basis” under Article 6. Where, as is often the case, the monitoring may involve processing special category data (e.g. health data), the activity will also require identification of a “Special Category Condition” under Article 9.
- The ICO confirms that in most cases it will be necessary to perform a Data Protection Impact Assessment (DPIA) before any personal data is processed. The ICO recommends that organizations always perform a DPIA by default for any monitoring activities and it states that any decision not to carry out a DPIA should be appropriately documented.
- All monitoring should be communicated to employees, who should be appropriately consulted before the monitoring begins. Covert monitoring (i.e. carried out without employees being aware of it) is only permissible in exceptional circumstances and under strict conditions. Employers will have a high threshold to meet in order to demonstrate covert monitoring is lawful.
- In certain circumstances, such as when business calls are recorded, employee monitoring will result in collecting information about non-employees. Whenever this occurs, non-employees should be informed that the monitoring is taking place and directed to the organization’s privacy notice.
- Employers should bear in mind that employees will have rights in their data, including the right to request a copy of the data collected about them and, in some cases, to object to the use of their data. It is important to make sure procedures are in place to appropriately deal with any employee requests.
- Whenever monitoring involves any automated decision-making (e.g. automatic flagging of emails which contain content that could lead to disciplinary action), employers must consider how this will comply with the UK GDPR’s rules and restrictions on the use of automated decision-making.
- If monitoring involves the use of a third party’s services (e.g. a SaaS product), the employer must ensure that the third party complies with UK privacy laws to the extent that it processes personal data.
We recommend preparing for the release of the final version of the ICO guidance by reviewing existing policies, processes and any relevant DPIAs for aspects that may require updating. If there are any monitoring activities for which no DPIA has yet been completed, organizations should take into account the draft guidance (and the final version once published) as part of the DPIA. Please contact firstname.lastname@example.org if you have any questions about the draft guidance or employee monitoring more generally.