UK’s ICO calls for transparency and fairness in employee monitoring

Data protection and privacy specialist Jaya Handa of Pinsent Masons was commenting after the Information Commissioner’s Office (ICO) published its updated guidance for employers on monitoring workers in the workplace (52-page/1.14MB PDF). The UK’s data protection watchdog has emphasised that any monitoring must be fully compliant with data protection law, especially with the rise of remote working and the technology available for carrying out checks on workers.

“The ICO has reiterated its focus on transparency and fairness in its latest guidance on employee monitoring. The hybrid working model now used by many organisations leads to a disparity in privacy expectations; the ICO specifically notes that organisations need to take account of the fact that the expectations of privacy are higher at home than in the workplace. The ethical considerations of monitoring and building trust with employees are consequently brought to light in this guidance.” said Handa.

New research commissioned by the ICO found that 70% of people surveyed by the ICO said they would find monitoring in the workplace intrusive and fewer than 19% of the people would feel comfortable taking a new job is they knew that their employer would be monitoring them.

As well as highlighting the legal obligations of employers, the ICO guidance also requires companies to consider their workers’ rights to privacy before implementing any monitoring in the workplace and conducting the monitoring fairly and transparently.

ICO’s deputy commissioner of regulatory policy Emily Keaney said: “As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers. Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.”

She added that the ICO would take action if it believed people’s privacy was being threatened.

The guidance outlines the steps employers must take if they are looking to monitor workers. These include making workers aware of the nature, extent and reasons for monitoring; having a clearly defined purpose and using the least intrusive means to achieve it; having a lawful basis for processing workers data; telling workers about any monitoring in a way that is easy to understand; only keeping the information which is relevant to its purpose; carrying out a data protection impact assessment (DPIA) for any monitoring that is likely to result in a high risk to the rights of workers; and making the personal information collected through monitoring available to workers on request.

On the point of fairness, the guidance explains that it means an employer should only monitor workers in ways they would reasonably expect and not in ways that cause unjustified adverse effects on them. For example, when using a software tool to monitor how long workers spend using a case management system and using the monitoring report to assess the performance of workers, the guidance suggests that reasonable adjustments should be made for some workers who work outside of the system for some tasks. Otherwise, the monitoring is considered as unfair and inadequate.

In addition, the guidance suggests that a DPIA must be carried out in some circumstances, and the results of the assessment will help determine if the planned use of monitoring is fair. Installing CCTV systems in business premises is a typical situation where an impact assessment should be used to evaluable the risks of unjustified or adverse processing involved.

“Organisations should assess what monitoring technology is available to them, whether they should use it and how they should deploy it in a transparent way that fosters trust. Many companies have recently established ethics committees or appointed ethics officers with an outward customer focus - this guidance serves as a reminder that internal processes and technology utilisation should also be reviewed through an ethical lens,” said Handa.

Outside of the UK, the way in which employers are monitoring staff, particularly with new technologies, is an issue that data protection authorities across Europe are also scrutinising. In Ireland, the Data Protection Commission has issued new guidance on records of processing activities and data protection in the workplace. Last year, the French data protection authority said it would closely scrutinise the way employers use technology to monitor the activities of their staff, to make sure it is compliant with data protection laws.