What’s this all about?
With the rise of remote working and developments in the technology available, many employers are looking to carry out checks on staff. This type of monitoring includes tracking calls, emails, messages, internet activity and keystrokes, taking screenshots, webcam footage or audio recordings, using specialist monitoring software to track activity, tracking staff work location, or monitoring social media channels. The Information Commissioner’s Office (“the ICO”) is calling on organizations to consider both their legal obligations and the rights of their staff before implementing any monitoring in the workplace. The ICO recently published guidance on this, which this article looks at in brief.
What does the guidance say?
Edited highlights of the guidance include the following:
- What do we mean by monitoring workers?
“This guidance covers systematic monitoring, where an employer monitors all workers or groups of workers as a matter of course. For example, if you use software to monitor productivity. It also applies to occasional monitoring, where an employer introduces monitoring as a short-term response to a specific need. This includes installing a camera to detect suspected theft, or a software package created to monitor workers systematically, but where monitoring functions are not always active, for example taking random screenshots”;
- Can we monitor workers?
“Data protection law does not prevent you from monitoring workers, but you must do so in a way which is compliant with data protection requirements. […] Just because a form of monitoring is available, [this] does not mean it is the best way to achieve your aims. You must be clear about your purpose and select the least intrusive means to achieve it”;
- How do we lawfully monitor workers?
“To lawfully collect and process information from monitoring workers, you must identify a lawful basis. There are six to choose from and you must identify at least one that is appropriate for the type of processing you intend to do. […] If the nature of your monitoring means that you will collect special category data, or are likely to, you must identify a special category processing condition, as well as a lawful basis;”
- How do we identify a lawful basis?
“You must not adopt a one-size-fits-all approach. No one basis is always better, safer or more important than the others. However, some are likely to be more appropriate than others for employers. […] Sometimes, more than one basis might apply. […] Consent is only appropriate if circumstances mean workers have a genuine choice and control over the monitoring. […] You can rely on [legal obligation as a] lawful basis if you monitor workers to comply with a common law or statutory obligation. [You can rely on legitimate interests where] [t]he processing is necessary for your legitimate interests or those of a third party, unless the risks to the workers’ rights override them. This basis is the most flexible and could apply in a wide range of circumstances. Legitimate interests may not be the most appropriate lawful basis if: you are monitoring in ways workers do not understand and would not reasonably expect; or it is likely some workers would object if you explained it to them;”
- What if our monitoring involves special category data?
“If the planned monitoring captures [special category data], you must have a special category condition, as well as a lawful basis, before you start the monitoring. […] There are 10 conditions for processing special category data. Five of these require you to meet additional conditions and safeguards set out in Schedule 1 of the DPA 2018. […];”
- What about criminal offence data?
“You must only process criminal offence data if the processing is either under the control of official authority or authorized by domestic law (Schedule 1 of the DPA 2018). If you are monitoring workers to detect criminal activity, you must identify a specific condition for processing in Schedule 1 of the DPA 2018;”
- Are there other laws we should consider?
“There are other laws that you should also consider when monitoring workers, outside data protection. These include, but are not limited to, the Human Rights Act 1998, Equalities legislation and investigatory powers regulations;”
- How do we ensure our monitoring is fair?
“[…] you should only monitor workers in ways they would reasonably expect and not in ways that cause unjustified adverse effects on them. In some circumstances you must carry out a DPIA before carrying out monitoring. Even if you are not required to carry one out, you should still do so. The results of a DPIA will help you consider whether the planned use of monitoring is fair;”
- How do we ensure that we are transparent about monitoring?
“Workers have the right to be informed about the collection and use of their information, and you must tell workers about monitoring in a way that is accessible and easy to understand. […] Apart from in very exceptional circumstances where covert monitoring is justified, you must inform workers about any monitoring;”
- How do we demonstrate accountability?
“You should make sure overall responsibility for monitoring workers rests at the highest senior management level. If you have a data protection officer (DPO), you must make sure they are closely involved in any plans to monitor workers. You should brief any workers involved in processes that are used for monitoring workers on data protection law and their roles within it;”
- Do we need to do a Data Protection Impact Assessment (DPIA) before we start monitoring?
“You must carry out a DPIA before undertaking any processing likely to cause high risk to workers’ and other people’s interests. Examples of high risk processing can include: processing biometric data of workers; keystroke monitoring of workers; monitoring that may result in financial loss (such as performance management); or using profiling or special category data to decide on access to services. […] You should carry out a DPIA even if there is no specific high risk as it is a flexible and scalable tool which can assist your decision-making. If you decide to proceed without carrying out a DPIA, you should document your decision;”
- Do we have to define our purpose for monitoring workers?
“You must be clear about the purpose for monitoring. […] [Y]ou should not monitor workers ‘just in case’. You must document why you are monitoring workers and what you intend to do with the information you collect. You should consider that workers base their expectations of privacy on practice, as well as policy. Excessive monitoring set out in a policy does not make it lawful, just because it is documented;”
- Do we need to restrict the amount of information we collect when we monitor workers?
“Yes. The data minimization principle means you must not collect more information than you need to achieve your purpose. […] [Y]ou must not collect more information than is necessary, just in case it might prove useful to you in the future;”
- How do we ensure accuracy?
“You must: take all reasonable steps to ensure the personal information you gather through monitoring workers is not incorrect or misleading as to any matter of fact; […] You should consider the following points: equipment or systems malfunction can cause information collected through monitoring to be misleading or inaccurate (e.g. a computer system resetting to the wrong time zone); information can also be misinterpreted or even deliberately falsified; data analytic tools can make incorrect inferences about workers;”
- How long should we keep information obtained from monitoring workers?
“You must not keep personal information obtained from monitoring workers for any longer than is necessary for your particular purpose or purposes. You should base any retention period you set on business need. You should review it regularly, and take into account any professional guidelines or legal obligations. You should not retain information just in case you find a purpose for it in the future. You must ensure you have a retention schedule and delete any information you collect from monitoring workers in line with your schedule. […] [Y]ou should be able to justify any retention periods that you set, and be able to link these to the reasons why you have obtained the information;”
- How do we ensure the security of personal information obtained from monitoring workers?
“You should: assess the data security risks of any monitoring and use this to decide the security measures you need to put in place; and restrict access to the information to only those who need access. Take care to identify the most appropriate person or people to access the information you collect. You should properly train them to handle information obtained from monitoring. […] [I]f you are using commercially available monitoring tools, or the monitoring functionalities which are available on communication and collaboration tools – you are still responsible for compliance with data protection. In particular, you should still consider the security and access controls on any information you collect. You should not assume the tool has the appropriate level of protection built-in;”
- What must we tell workers about our monitoring?
“You must make sure workers are aware of how and what personal information you are collecting during any monitoring. You could set up a system to ensure workers remain aware that monitoring is taking place. For example, through your organization’s intranet or signage in areas subject to monitoring;”
- Should we discuss the introduction of monitoring with our workers?
“If you are planning to introduce monitoring, you should seek and document the views of your workers or their representatives (such as trade unions), unless there is a good reason not to. If you decide not to, you should record this decision along with a clear explanation;”
- Can we use covert monitoring?
“Covert monitoring means carrying out monitoring in a way designed to ensure workers are unaware that it is taking place. It is unlikely that you will be able to justify covert monitoring in most usual circumstances. However, there may be exceptional circumstances where you might be able to justify this. For example, if covert monitoring is necessary to enable you to prevent or detect suspected criminal activity or gross misconduct. You should outline in your organizational policies the types of behaviours that are not acceptable and the circumstances in which covert monitoring might take place. If you are considering monitoring workers covertly, there are several factors to be aware of (see the guidance for the detailed list of these). […] [Y]ou should be able to justify every decision you make to carry out any covert monitoring;”
- Can workers request access to their personal information obtained from monitoring?
“You must make the personal information you collect through monitoring available to workers if they make a subject access request (SAR), unless an exemption applies. […] You should factor in how easy it is to retrieve information when considering what type of monitoring system you plan to introduce. You should do this in your DPIA;”
- Can workers object to being monitored?
“Yes, workers can object to you collecting and processing their personal information from monitoring in certain circumstances. Specifically, a worker can object where the lawful basis you are relying on is: public task (for the performance of a task carried out in the public interest or for the exercise of official authority vested in you); or legitimate interests. The worker must give specific reasons why they are objecting to you collecting and processing personal information through monitoring. The reasons should be based on their particular situation. However, this isn’t an absolute right and you can refuse to comply with the objection [on a number of limited bases]. […] If you are satisfied you do not need to comply with the request, you must let the worker know. You should document and thoroughly explain your decision. […] You can also refuse to comply with an objection if it is: manifestly unfounded; or excessive;”
- What do we need to consider if we use a third-party provider or an application provided by a third party to carry out monitoring?
“If you decide to carry out monitoring of your workers, you must ensure that this is done fairly and lawfully. You are responsible for deciding how and why the monitoring takes place, including the use of any particular technology or service to do so. You should not assume that packages you purchase are compliant with data protection law. Before you begin any monitoring activity, you must ensure the system or application is compliant with data protection law, and that any necessary contracts are in place. […] If you or your provider are using automated decision-making techniques (AI) to process worker data, you should take additional considerations into account. […] You should not assume that any third party software has been designed with data protection in mind;”
- What do we need to consider if we transfer personal information of workers outside the UK?
“The rules for international transfers apply if: you are agreeing to send personal information, or make it accessible, to a receiver which is located in a country outside the UK; and the receiver is legally distinct from you as it is a separate company, organization or person. This includes transfers to another company within the same corporate group. […] If you are making a restricted transfer, you must make sure the transfer is covered by either: adequacy regulations – this is where another country has been assessed as providing ‘adequate’ data protection; appropriate safeguards – before you rely on one of these you must carry out a transfer risk assessment to be sure workers’ information will have protection essentially equivalent to the UK data protection regime; or an exception – if you are making a restricted transfer that is not covered by UK adequacy regulations or an appropriate safeguard then you can only make the transfer if it is covered by an exception.”
Where an organization is considering monitoring staff it should consider taking a number of practical steps, including the following:
- Make staff aware of the nature, extent and reasons for monitoring;
- Have a clearly defined purpose and use the least intrusive means to achieve it;
- Have a lawful basis for processing staff data, for example, consent or legal obligation;
- Tell staff about any monitoring in a way that is easy to understand;
- Only keep personal information which is relevant to its purpose;
- Carry out a DPIA for any monitoring that is likely to result in a high risk to the rights of staff; and
- Make the personal information collected through monitoring available to staff if they make a Subject Access Request.
Finally, bear in mind that guidance is only guidance – only a court has the final say on the interpretation of the law.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The full ICO guidance can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment-information/employment-practices-and-data-protection-monitoring-workers/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong | André Bywater |
| --- | --- |
| Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 347 2365 |