The Information Commissioner’s Office (ICO) has issued new guidance for employers on their obligations under data protection law when monitoring workers, including any tracking of remote workers’ activities. The guidance is framed around the fundamental principles of data protection law – lawfulness, fairness and transparency – and calls on employers to consider both their legal obligations and their workers’ rights before implementing workplace monitoring. We’ll ask a data protection specialist what that means in practice.
Personnel Today reports on this citing research commissioned by the ICO revealing that 19% of people believe they have been monitored by their employer. Of those who believe they have been monitored, monitoring timekeeping and access was the most common practice at 40%, followed by monitoring emails, files, calls or messages at 25%.
The article quotes the Deputy Commissioner for Regulatory Policy at the ICO, Emily Keaney. She says: “Nobody wants to feel like their privacy is at risk, especially in their own home. As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers. Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.”
So let’s get a view on the guidance. Harriet Dwyer is a data protection specialist and earlier she joined me by video-link to discuss it:
Harriet Dwyer: “I think the ICO guidance is really helpful. Monitoring of employees is certainly something which more clients are thinking about. It's becoming much more commonplace because of the increase in flexible working arrangements and the fact that, really, there's a lot more technology out there now which allows clients to do this which might make processes more cost effective and things like that. So the guidance is really helpful because it's definitely an area which is becoming more popular. However, one thing to flag, and for employers to be mindful of, is the fact that, mainly because the technology is so sophisticated, quite often the monitoring of employees can result in capturing more personal data than might actually be intended. So if you take an example of monitoring employee emails to, perhaps, monitor email traffic, or perhaps performance, the employer might be doing that for one particular purpose, as I've just described, but by virtue of monitoring emails they're also probably going to be capturing special category personal data as well, such as health personal data. So, whilst an employer might think that they’ve got a lawful basis for doing that particular activity, because it's going to involve special category personal data as well, they also need to be ensuring that they're satisfying the additional conditions set out by the legislation to ensure that that activity is compliant as well. The other thing to be mindful of, as I've said, is the technology is very sophisticated and that often means, again, that you are capturing more data than you actually need. So employers need to be sure that they are certain of what the technology involves, and how it can be limited, so that they're compliant with the data minimisation principle as well.”
Joe Glavina: “I see the guidance also deals with covert monitoring, Harriet. What’s the key point for employers to take from that section?”
Harriet Dwyer: “I think the key message with covert monitoring, and monitoring in general actually, is that it is considered as quite an intrusive measure by employers and, obviously, what's important in an employer/employee relationship is building trust and, obviously, covert monitoring is at odds with that. However, it's not to say that covert monitoring can never be done and we have seen examples with clients where covert monitoring is necessary, unfortunately, to detect things like suspected criminal activity, or fraud, or suspected gross misconduct. As I say, it's going to be okay in very limited justified circumstances such as those, and so if employers are thinking about introducing covert monitoring they should ensure that they're carrying out a data protection impact assessment to weigh up the purpose for which they're thinking of doing it against the risks to the individual involved. They should also ensure that they are limiting it in terms of the length of time that it's going to be implemented for. Going back to that point of building trust with employees, one of the main principles of the data protection legislation is transparency. Now, you'd think that would be at odds with the idea of covert monitoring, so to be compliant with the transparency principle employers should ensure that their data privacy policies are capturing situations where they think covert monitoring might have to take place so that it’s as compliant as possible with the data protection legislation.”
Joe Glavina: “Can I just ask you about impact assessments, Harriet. What’s the trigger for those to happen?”
Harriet Dwyer: “So a data protection impact assessment must be carried out where there are high risks involved with the data subjects. Typically, in a larger organisation, the data protection impact assessment will be carried out in conjunction with the Data Protection Officer, but most of our clients will do those within HR. It’s really important, it’s an important part of being compliant with data protection legislation in terms of demonstrating accountability and ensuring that employers are really thinking through the purpose for which they want to carry out the data assessing, and weighing that up against the rights and freedoms of the individuals involved, and also thinking about any other ways in which they might be able to achieve that purpose which is, perhaps, a bit more proportionate.”
Joe Glavina: “Finally, any final thoughts on this guidance, Harriet. Your overall impression?”
Harriet Dwyer: “There’s nothing really new in the guidance. Whenever we talk about ICO guidance it always captures the fact that a lawful basis is needed for the processing and, perhaps, the special extra conditions that are needed for special category personal data. The ICO seem to be particularly active, I would say, in the employer space. This is just another piece of guidance that they've issued in relation to employers and the processing of personal data. So I think, again, it acts as a helpful reminder to clients that there is guidance there for them, but also it's a reminder to be reviewing and looking at their data protection policies, ensuring that they're compliant with the data protection legislation, and reflecting upon the guidance in those as well.”
At the same time as publishing that new guidance on monitoring the ICO also published new guidance on processing employees’ health information. The ICO says the key point for employers to understand is that health data is categorised as “special category data” and has enhanced protection – a point Harriet made in that interview a moment ago. We have included links to both sets of guidance in the transcript of this programme for you.