The ICO has issued draft guidance on monitoring at work, which, though not particularly ground-breaking, aims to provide greater regulatory certainty and protect the data protection rights of employees and workers. Once approved, this will replace the guidance set out in the ICO’s Employment Practices Code 2011.
Monitoring may be carried out in relation to the quality or quantity of employees’ performances, or for other reasons such as safety or security. Certain monitoring activities have become more commonplace with the rise in remote working following the COVID-19 pandemic, for example, video and audio recording, monitoring of internet usage and the use of timekeeping or productivity tools. The ICO has always been clear that it is possible to monitor workers if done in a way consistent with data protection legislation, including the UK GDPR. The draft guidance seeks to highlight some considerations and requirements that employers should be aware of when implementing monitoring activities.
Transparency is a key feature of the draft guidance. In a post-pandemic world, employers may consider it their right to monitor compliance with a new flexi or hybrid working policy, for example by logging how many days employees are attending the office each week. However, if they are not carrying out such activities in a transparent way, including by providing appropriate notices, then they will likely be in breach of the UK GDPR.
Employers must also consider (i) to what extent any monitoring is needed (including the nature and purpose of it); and (ii) whether such monitoring is necessary and proportionate. The proportionality aspect can often be missed. For example, it might be necessary to install dash cams on company vehicles for insurance purposes, and these will normally require video recording; however, they will likely not require audio recording to achieve that purpose. Such a function should therefore be disabled to ensure the measures are proportionate.
Within the draft guidance, the ICO acknowledges that the legitimate interests of employers are likely to be the “most flexible” lawful basis for monitoring employees under the UK GDPR. However, this may not be appropriate if employers are monitoring in ways that employees do not understand and would not reasonably expect. For example, it may be legitimate to monitor internet usage on work laptops to ensure compliance with security policies. However, when it comes to company smartphones, it has become more common for employees to also make personal use of these devices. Employers should carefully consider whether other security methods should be put in place, such as encryption, remote device wiping and targeted website blockers, to ensure safe and secure use of a company device without monitoring individuals’ personal messages and app or website use.
The recent increase in remote and home working has led to an increase in monitoring of device activity, as employers seek to secure their systems and manage remote workers. The ICO emphasises that excessive monitoring is likely to intrude into employees’ private lives and undermine their privacy. Additionally, employees’ expectations of privacy are likely to be significantly higher at home than in the workplace (due to the risk of capturing information about family and private life). This may be particularly relevant where meetings or calls are being recorded, for example for training purposes. Employers should make clear when a recording is being made by ensuring a message is played to state that a recording is taking place, or by using platforms such as Microsoft Teams or Google Meet, which alert participants when a recording is in progress.
Finally, employers must generally not use the information collected for a purpose different from the one it was collected for, unless it is compatible with the original purpose. The ICO provides the example of an employer collecting office ethernet connection data to monitor the use of workspace to ensure there is sufficient capacity for employees, then subsequently using this same data for performance management purposes. This would clearly not be compatible with the original purpose. Similarly, inadvertent use of building access pass data, collected for security or fire safety purposes, to monitor hours spent in the office would not be compatible.
The public consultation on the draft guidance will remain open until 11 January 2023. The ICO is also expected to publish further draft guidance on other parts of the 2011 Code in due course.