Out-Law News
13 Oct 2022, 4:09 pm
The importance of having a distinct policy on employee monitoring has been highlighted in new guidance published by the UK’s data protection authority, an expert has said.
Stephanie Lees of Pinsent Masons was commenting after the Information Commissioner’s Office (ICO) opened a consultation on draft new guidance for employers on monitoring at work (54-page / 431KB PDF).
The new guidance, when finalised, will replace the ICO’s guidance on monitoring contained in the employment practices code of 2011. The draft reflects the emergence of new innovative technologies which have been used to monitor workers in recent years, particularly since the shift to remote working during the Covid-19 pandemic.
Lees said: “Many organisations have adopted Microsoft Teams, Zoom and other videoconferencing platforms to support remote working. The guidance confirms the use of continuous audio recording is more privacy intrusive than visual recording, requiring a greater justification particularly in contentious situations – it should be switched off by default. It also said that ‘capturing webcam shots or footage are particularly unlikely to be justifiable’ when monitoring staff devices.”
“Employers should ensure workers have been notified of any monitoring and have a clear monitoring standard or policy document, to explain their internal procedures for both systematic and occasional monitoring. Transparency is a core theme throughout the guidance,” she said.
Data protection laws in the UK, set out under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, do not prohibit the use of monitoring technologies by employers. However, because employee monitoring involves an intrusion into an individual’s privacy, it must be done in a way which is consistent with data protection laws and other applicable legislation relevant to the organisation in question, such as the Human Rights Act 1998 and Equality Act 2010.
Employers must have a lawful ground for monitoring workers. There are six lawful grounds for processing personal data under UK data protection law.
The ICO said that ‘legitimate interests’ is “the most flexible” of the lawful bases for employee monitoring. To rely on that ground, organisations must carry out a balancing exercise and carefully consider whether there is in fact a legitimate interest behind the processing; whether the processing is in fact necessary for that legitimate purpose; and whether the legitimate interest is overridden by the individual’s rights, interests and freedoms. The ICO said the ‘legitimate interests’ ground cannot be relied on for employee monitoring “if you can reasonably achieve the same result in a less intrusive way”.
The ICO also said it is “hard to envisage” where the ‘contract’ lawful ground for processing could be relied upon in the context of employee monitoring. It will only apply if the monitoring is necessary for a contract an employer has with a worker, or because the worker asked the employer to take specific steps before entering into a contract.
Consent is another of the lawful grounds for processing personal data under the UK’s data protection framework, but it cannot usually be relied upon in an employer-employee context due to the imbalance of power in that relationship. In the specific context of employee monitoring, the ICO said consent is “only appropriate in circumstances where workers have a genuine choice and control over the monitoring”.
However, in its draft guidance, the ICO gave an example where consent could be relied upon. The example concerned an access control system where workers can choose to sign into work devices using their biometric data, or through feasible alternative access methods, such as PIN codes, if they elect to withhold their consent to the processing of their biometric data.
The ICO also said that employers should be clear from the outset about their purpose for monitoring. Where personal data is collected for one purpose, it cannot be used for another purpose – unless the two purposes are considered “compatible” by way of a documented compatibility assessment.
Where employers want to change the purpose for monitoring, they should only do so if the new purpose is compatible with their original purpose; related to a clear legal provision allowing the processing in the public interest; clearly in the worker’s interest; or related to activity that no employer could reasonably ignore, the ICO said, citing “criminal activity at work, gross misconduct and health and safety breaches which jeopardise workers” as examples of activities no employer could reasonably ignore.
Lees said: “This is a helpful clarification, particularly for employers that are using CCTV images for the purposes of a criminal or security investigation, which reveals an unrelated issue about a worker which they weren’t already live to. In such circumstances, the ICO suggests that this change of purpose may be justified.”
The compatibility assessment in the context of employee monitoring was examined earlier this year by the Court of Appeal in Ireland. It found that an employer could not use images from CCTV originally installed for property security purposes to monitor a staff member’s authorised break times.
Lees said: “The ICO recommends employers consult employees before any monitoring, which should form part of their data protection impact assessment process. Employers may be hesitant to do this at first, but the ICO highlights how this initial transparency can foster trust from workers and save employers time and resource in responding to complaints at a later stage.”
“Employers should also look to embed privacy by design and default into their monitoring systems, to ensure they comply with the data protection principles and are only collecting the minimum data needed. Where emails need to be monitored, employers should consider if network data can be used instead, rather than reviewing the content of emails,” she said.
“Employers should further consider the impact of their proposed use of monitoring information on workers – particularly where their processing can have substantial negative and harmful impacts on individuals i.e. when used for disciplinary purposes. Employers should also ensure that any data collected by monitoring systems is appropriately documented and their records of processing reflect this. They should be prepared to provide the results in a subject access request, unless an exemption applies,” Lees said.
The ICO’s draft guidance is open to consultation until 11 January 2023. Further guidance from the ICO on employee monitoring in the context of recruitment is anticipated – it said it is intending to publish guidance on candidate vetting and verification as part of a broader recruitment practices project.