NEW GUIDANCE FOR UK ORGANISATIONS THAT MONITOR THEIR WORKERS
Following developments in monitoring technology and the rise of home working, the Information Commissioner’s Office (“ICO”) published new guidance on employee/worker monitoring at the beginning of October.
The guidance applies whenever an individual performs work for the organisation, including employees, contractors and workers. The guidance does not apply to processing of personal data that is carried out for law enforcement purposes, e.g. suspected criminal activity; a separate regime applies to such processing.
The term monitoring is widely construed and includes CCTV, audio recording, technologies for monitoring timekeeping or access control, keystroke monitoring, productivity tools and tracking internet activity.
We recommend that where organisations conduct, or plan to conduct, any kind of worker monitoring, internal policies are reviewed (e.g., work from home, acceptable use, BYOD, privacy and data protection, IT usage etc.) to determine whether amendments need to be made in light of the ICO guidance.
Below we set out eight key takeaways:
1. MONITORING IS PERMISSIBLE BUT MUST BE CONDUCTED IN COMPLIANCE WITH DATA PROTECTION LEGISLATION
▪ The ICO recognises that certain monitoring may be reasonable to achieve various aims, e.g., to protect health and safety, to meet regulatory requirements, and for security purposes; but some types of monitoring and/or excessive monitoring (e.g. video surveillance in bathrooms) are likely to intrude into employees’ private lives and undermine their privacy and well-being, and are incompatible with data protection legislation.
▪ Monitoring must comply with the principles laid out in data protection legislation, including data minimisation, accuracy and security.
▪ There may be other legal implications under other legislation. Monitoring must be lawful in a general sense.
▪ Make use of the ICO’s screening checklists (see here) before monitoring.
2. ONLY MONITOR WORKERS IN WAYS THAT THEY WOULD REASONABLY EXPECT AND NOT IN WAYS THAT CAUSE AN UNJUSTIFIED ADVERSE EFFECT ON THEM
▪ Remember that a worker’s expectation of privacy is likely to be higher at home than when in the office.
▪ Be aware of the risk of capturing information about a worker’s spouse or children, e.g., if workers use personal devices for work.
3. BE CLEAR ABOUT THE PURPOSE OF THE MONITORING AND IDENTIFY A LEGAL BASIS FOR IT
▪ Just because a form of monitoring is available does not mean that it is the best way to achieve your aims. You must be clear about your purpose (‘just in case’ is not sufficient) and select the least intrusive means to achieve it. You should be clear about what you intend to do with the information collected.
▪ You must identify one of the legal bases for the processing of the personal data you collect. Consent is not usually appropriate in an employment context, unless the worker has genuine choice and control. Generic consent in an employment agreement, or to a privacy policy, will not suffice.
▪ It is unlikely that worker monitoring is necessary to enable you to perform your obligations under the contract you have with the worker, so relying on ‘contract’ as your legal basis is unlikely to be appropriate.
▪ Legitimate interests is likely to be the most appropriate legal basis for worker monitoring, but the legitimate interest of the business in doing so needs to be weighed up against the risk of the worker’s rights being overridden. Workers’ rights are likely to be overridden if you are monitoring in ways a worker will not understand or will not reasonably expect, or if it is likely some workers would object. A legitimate interest assessment will help you to navigate the appropriateness and applicability of this legal basis.
▪ If the monitoring is likely to involve capturing more sensitive data, i.e. ‘special category data’ (even if you do not intend to, e.g. with CCTV), you will need a special category legal basis to process this data.
4. CONDUCT A DATA PROTECTION IMPACT ASSESSMENT (“DPIA”) PRIOR TO ANY MONITORING
▪ If your monitoring will result in processing of personal data that is likely to result in a high risk to the worker, you must conduct a DPIA. High risk examples highlighted in the guidance include monitoring of email/messages and keystroke monitoring, monitoring that involves processing of biometric data, or monitoring which results in financial loss, such as performance management. If your DPIA identifies a high risk that you cannot reduce, you must consult with the ICO before going ahead with the monitoring.
BITESIZE:
▪ Conduct a Data Protection Impact Assessment before monitoring and identify a legal basis for the monitoring.
▪ Do not rely on generic consent in agreements as a basis for processing personal data collected as a result of worker monitoring. Consent should be specific.
▪ Inform workers about monitoring in a manner that is accessible and easy to understand.