The Information Commissioner’s Office (ICO) recently published new guidance on data protection and employee monitoring. Iain Bourne reviews the changes and what to do now to remain compliant.
Contents

The new ICO guidance is the first update in this space since 2011, but despite the introduction of the GDPR in 2018, there have been no significant changes to the basic principles of the law since the original guidance was issued. There has, however, been a raft of new technologies, supporting new types of employee monitoring, and working patterns have changed a lot. As such, firms can inadvertently collect more personal data than is appropriate about its people and potentially their families given the shift to hybrid working.

You need to think about how you’re carrying out employee monitoring, while staying compliant with ICO guidance and avoiding unnecessary privacy intrusion.  

Employee monitoring – what’s the norm?

Post-pandemic, many organisations have adopted a hybrid working model. This has led to a sharp increase in the use of employee monitoring software including productivity assessment programs, tracking internet usage or using geolocation tools to make sure individuals aren’t working overseas (which may have specific security and tax implications for firms).

Other common monitoring activities include:

  • empathic computing – to assess employee emotions, eg, to assess tone of voice for call centre staff
  • video recordings – to reduce the potential for theft or other incidents
  • access to buildings – to track attendance and enforce security
  • data loss prevention tools – to assess whether individuals are sending documents to personal email addresses.

While these reflect some of the more typical monitoring practices, some organisations take this a step further. More high-risk practices include keystroke tracking, taking regular screengrabs, or using webcams and microphones, possibly without the device user’s knowledge.

What the new guidance says

The new guidance doesn’t make any changes to the law but reinforces the existing rules. If you’re carrying out employee monitoring, these three questions are what you need to consider:

  • Purpose – what, precisely, is the monitoring intended to achieve?
  • Necessity – is all the information you collect through monitoring necessary to fulfil its purpose?
  • Balancing – have individuals’ data protection rights been given sufficient consideration?

This is where the guidance becomes a bit tricky, as it can be difficult to strike the right balance between an employer’s need to carry out monitoring and the employee’s privacy rights. Further guidance would be helpful to demonstrate what kind of monitoring would be acceptable in a specific context. In reality, this will remain a grey area unless the ICO takes some kind of enforcement action, or there’s a test case to clarify the position. That said, the ICO hasn’t historically taken enforcement action on employee monitoring but that’s not to say it won’t in the future.

Employers have to read the guidance, adopt a reasonable position and be prepared to defend their actions in the face of an ICO or other legal challenge, for example from a trade union.

Gaining employee consent?

Given the nature of the employer-employee relationship, consent is not really an issue here. On paper, data protection consent has to be freely given, but the ICO would probably take the view that given the power imbalance between employees and employers, consent for monitoring is not valid. Consent for employee monitoring is tied into wider onboarding agreements around data processing and it's generally included in an individual’s contract of employment. This covers a broad set of use cases, including background checks or payroll processing. So, the issue is more one of transparency.

You need to give appropriate privacy notices to explain what personal information you’re collecting through employee monitoring software, and how you plan to use it. You can also regularly remind individuals of the type of monitoring you’re undertaking and provide further information in employee handbooks or other resources. Remember, employees have strong and legally enforceable data access rights, so you may need to provide a copy of the information collected through a monitoring programme if the employee requests this.

Covert monitoring is acceptable in some (limited) situations, but you need to be able to justify it to the ICO. You also need to demonstrate how overt monitoring would undermine the purpose of the data collection itself, for example, for crime prevention in the workplace.

Staying compliant and mitigating risks

The new guidance stresses the importance of a Data Protection Impact Assessment (DPIA) to identify and minimise the risks of using employee monitoring software. This is good practice for all types of monitoring but is essential for high-risk activities, such as keystroke monitoring. If you haven’t performed a DPIA, consider doing so – it would put you in a more defensible position with the ICO in the event of any challenges.

When it comes to DPIAs, you’re really looking for a monitoring system that’s effective but minimises the impact on privacy. For example, if you’re collecting personal information you need to keep it secure and make sure you aren’t retaining it for longer than necessary. This is particularly important if you face any challenges from the ICO over the type of information you’ve collected. It would be an aggravating factor if you then retain that data for too long, or if it’s subject to a data breach.

It’s also essential to make sure the right individuals have signed off employee monitoring. This may seem like an obvious point but, in practice, the sign-off process can be unclear. Make sure you consult your Data Protection Officer during the DPIA process and document key decisions. This includes deciding on the form employee monitoring should take, and processes for security and deletion. Good documentation is essential in the event of a challenge by the ICO or an employee.

What firms need to do now

To remain compliant with employee monitoring guidelines, it's important to review your existing processes to assess whether:

  • employee monitoring is appropriate and balances business need with an individual’s right to privacy
  • sign-off processes and adequate oversight and documentation are in place
  • data security and retention policies are fit for purpose and are being complied with
  • DPIAs are being conducted regularly in respect of high-risk monitoring activity
  • transparency is sufficient and ongoing means of reminding staff about monitoring activities are in place.

For more information and guidance, contact Iain Bourne or Nikhil Asthana.