ICO draft guidance on workplace monitoring

At a glance

The previous version of the guidance was first published over a decade ago when the technology and working practices of today were non-existent. Helpfully for employers, the draft has been updated to include the monitoring of remote and home workers and new technologies such as biometric data.

The overall approach is much the same, bringing colour to principles with examples. As with most employment laws and practices, fairness is a key data protection concept. For employees, this means that nothing should come as a surprise. It is closely linked to transparency where the “how” and “why” of processing is crystal clear.

There are a few points of difference, which may mean that employers will want to rethink or refresh their data protection policies, including:

• consultation with employees where monitoring is being introduced, unless there are good reasons for not doing so, which should be documented;
• the need for a special category condition to be identified and documented before the monitoring starts where monitoring (e.g. emails) is likely to capture special category data inadvertently;
• conducting an impact assessment as a matter of good practice even where there is no requirement to do so because there are no high risks to employees (and any decision to proceed without one should be documented); and
• the expectation that the bar for privacy is likely to be higher when monitoring home working than in the workplace.

Biometric data

In recognition of the universal trend to use technologies to enhance HR processes, the ICO has incorporated a section on biometric data (fingerprints, face and voice recognition). In a workplace context, this might be used, for example, for processes such as monitoring access to buildings or restricted areas – an issue which has taken on greater significance with hybrid working and the need to know who is working where. If going down this route, the ICO warns that the processing of biometrics requires careful consideration. Challenges include:

• being clear about why less intrusive alternatives are not being used and documenting the reasons for not doing so, which can be tricky because the HR processes like access control and security already have less intrusive methods which are mostly effective;
• identifying a special category condition for processing, which is likely to be consent (notwithstanding that the difficulties surrounding consent are well known, because of the deemed power imbalance between employers and employees); and
• providing those employees who do not consent with an alternative, without any detriment, which is required.

The requirement to provide an alternative may be problematic in this context.  For example, it could mean that an employer who introduces biometric access to laptops and other devices, to enhance security, would still be required to offer an alternative. Simply offering an alternative of a strong password may well defeat the purposes of introducing biometric access (i.e. to offer stronger protection against the risk of compromised passwords), so other solutions would need to be considered (e.g. multi-factor authentication).

Key takeaways

• Employers must balance the level of intrusion against their needs and those of workers.
• Employers must notify workers of the monitoring, including its nature, extent and rationale, unless exceptional circumstances require covert monitoring.
• Employers must be clear about their purpose for monitoring. Further, they must not use the data collected under an existing purpose for a new purpose, unless it is compatible with the existing purpose in most circumstances.
• Employers must carry out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers and other data subjects. Further, employers should keep the need for an impact assessment under review. Even where these impact assessments are not mandatory, employers should consider carrying one out as good practice, as the process would help employers make better risk-based decisions and more clearly meet their data protection obligations.

Next Steps

• The previous guidance was a well-thumbed volume for those in HR and employment relations whose day jobs encountered aspects of employee-related data protection. It is worth reviewing this draft as monitoring can be highly technical but this publication is very accessible, with helpful examples.
• There is no need to make changes to data protection policies and training at this stage but the monitoring sections should be reviewed to identify gaps and areas which could be improved.

Discuss with relevant stakeholders whether there are any recent working practices, e.g. in relation to hybrid working or monitoring the presence of workers in the workplace, that need to be incorporated into data protection polices and communicated to workers.

Consider whether to respond to the consultation, particularly in respect of those areas of your business which you feel are not clearly or adequately covered. If you would like to submit responses, you can do so by completing the survey for the draft guidance and/or the survey for the draft impact scoping document. Alternatively, you can download the survey for the draft guidance and/or the survey for the draft impact scoping document and email them to employmentguidance@ico.org.uk. The consultation remains open until 11 January 2023 for comments.

A version of this blog first appeared in our sister blog Digital Hub