Decoding the ICO's New Guidelines: The Do's and Don'ts of Employee Monitoring
As remote and hybrid working has grown, workplace monitoring has become a hot topic for employers and employees. A recent survey from the Information Commissioner's Office (ICO) found that 70% of the public find workplace monitoring intrusive.
With it being such a hot-button issue, it's no surprise that the ICO has now released guidance for employers who want to implement employee monitoring.
The Legal Landscape
Navigating the legal landscape of workplace monitoring can feel like walking through a maze. Workplace monitoring in the UK is governed by multiple laws. The three key pieces of legislation are:
UK GDPR
Data Protection Act 2018
Human Rights Act 1998
All of this legislation covers an individual’s right to privacy and the ICO plays a crucial role in ensuring that employers adhere to these laws.
The guidelines are comprehensive, covering not just employees but ‘workers’. This means freelancers, consultants, and contractors must be considered as well. If you are going to be monitoring your employees there are six lawful bases to do so. We’ll cover these in detail in the next section.
Lawful Monitoring
1. Consent
The most straightforward basis for monitoring is obtaining explicit consent from your employees. However, it's essential to ensure that consent is freely given, specific, and informed.
Make sure to document the consent and offer an easy way for employees to withdraw it if they change their minds.
2. Contractual Necessity
If monitoring is necessary for the performance of an employment contract, then you've got a lawful basis. For instance, tracking a delivery driver's location during work hours could fall under this category.
Clearly outline the monitoring activities in the employment contract to avoid any ambiguity.
3. Legal Obligation
If you're legally required to monitor certain activities, then you're on solid ground. For example, financial institutions often have to monitor communications to comply with anti-money laundering laws.
Keep a record of the specific legal obligations that require you to monitor activities, as you may need to justify your actions later.
4. Legitimate Interests
You can monitor employees if it serves a legitimate business interest, provided this interest is not overridden by the employees' rights and interests. For example, monitoring email traffic for data leaks could be considered a legitimate interest.
Conduct a Legitimate Interests Assessment to weigh your business needs against potential impacts on employee privacy.
5. Vital Interests
This basis is rarely used but applies when monitoring is crucial for someone's life. For instance, monitoring the health of an employee working in extreme conditions could fall under this category.
Use this basis sparingly and only when absolutely necessary for safety reasons.
6. Public Task
If your organization performs tasks that are in the public interest or exercises official authority, you may have a lawful basis for monitoring. This is more common in public sector jobs.
Clearly define what constitutes a 'public task' within your organization and ensure it aligns with legal definitions.
Data Protection Impact Assessments
The ICO guidelines stress the importance of transparency, fairness, and respect for individual privacy. This is why Data Protection Impact Assessments (DPIAs) are recommended when introducing systematic monitoring.
Following the identification of one of the six lawful bases for workplace monitoring, a Data Protection Impact Assessment (DPIA) serves as your next crucial step. It is basically a risk assessment focused on the data you are processing.
A comprehensive DPIA will need to involve representatives from all the relevant teams in your organisation. Once your DPIA team is selected, you will need to consider the following:
Scope of Data Collection: What kind of data are you collecting? Is it just work-related, or does it veer into personal territory?
Purpose: Why are you collecting this data? Is it to improve productivity, ensure security, or comply with legal requirements?
Lawfulness: Which of the six lawful bases for monitoring applies to your data collection?
Risks to Rights and Freedoms: Could the data collection potentially harm employees' rights to privacy or non-discrimination?
Mitigation Measures: What steps can you take to minimize these risks? This could include technical measures like encryption or organizational measures like staff training.
Consultation: Have you sought the views of data subjects (i.e., the employees) or their representatives (like trade unions)?
This assessment helps you ensure you’re in line with all the necessary legislation. The ICO explicitly warns against prioritizing business interests over employee privacy.
As remote work becomes more prevalent, the ICO recommends higher expectations of privacy for remote workers. Employers should update their monitoring policies to reflect this new reality, including specifying the types of data that can be collected from remote workers.