- Employer monitoring of workers must be carried out in a way that is lawful and fair to the workforce so as not to infringe on the rights of data subjects, the UK Information Commissioner’s Office said in updated guidance.
- In order to lawfully collect and process information from monitoring workers, employers must identify one of the six lawful bases under the UK GDPR: consent, contractual basis, legal obligation, vital interests, public task, and legitimate interest.
- Employers may want to consider a Data Protection Impact Assessment when carrying out monitoring on remote workers.
The ICO’s guidance uses the term “monitoring workers” to mean “any form of monitoring of people who carry out work on [an employer’s] behalf.” Monitoring in the workplace can include things such as call recording, keystroke monitoring, screenshots, and activity tracking software. Workplace monitoring could be conducted for a number of reasons, including health and safety, security, or regulatory obligations. The guidance is clear that in order to be compliant, employers must carry out monitoring in a way that is lawful and fair to the workforce so as not to infringe on the rights of data subjects.
In order to lawfully collect and process information sourced from monitoring workers, employers must identify one of the six lawful bases under the UK GDPR: consent, contractual basis, legal obligation, vital interests, public task, and legitimate interest. As consent is only appropriate in circumstances where workers have a genuine choice and control over the monitoring, the guidance explains it is not always appropriate in an employment relationship due to the imbalance of power between the parties. Employers may decide to rely on an alternative basis, ensuring that it is appropriate for the type of processing they will carry out.
The guidance also explains the importance of ensuring that when “special category data” is captured by the monitoring, employers have one of the ten special category conditions to rely on, in addition to a lawful basis for processing. Special category data consists of highly sensitive data such as racial or ethnic origin, political opinions, and health data. This attracts greater protection as the risk of harm to the data subjects is higher if it is wrongly disclosed.
In light of the increase in remote working, the guidance has been updated to acknowledge the rise in monitoring those who work from home as employers aim to effectively manage security and productivity. The guidance suggests that employers may want to consider a Data Protection Impact Assessment (DPIA) when carrying out monitoring on remote workers, given that their own privacy expectations will be higher when working from their homes, and the greater risk of capturing information on their private life by monitoring them during working hours.
The guidance also explains that where employers use automated decision-making for monitoring purposes, they are required to give their workers “‘meaningful information about the logic involved, as well as the significance and the envisaged consequences’” and disclose this information to workers who make a Subject Access Request. Workers have a right to ask for human intervention in decision-making and the guidance explains that employers must not disadvantage such workers.
The guidance is a reminder of the core principles in data protection legislation: transparency, accountability, and proportionality. The guidance continuously gives tips on how employers might build trust with workers by keeping them informed and respecting the privacy of individuals.
Employers are required to include specific information about monitoring workers in their privacy information, ensuring workers are kept informed with readily accessible information on how they are being monitored, the lawful basis for the monitoring, and the nature and duration of the data retention.
Employers that monitor their workers or intend to in the future may want to check their policies and procedures to ensure that they are up to date with regard to the type of monitoring carried out and the lawful bases upon which the employers rely for collection and processing.
Ogletree Deakins’ London office will continue to monitor developments and will provide updates on the Cross-Border, Cybersecurity and Privacy, and Technology blogs as additional information becomes available.
Follow and Subscribe
Ellie Burston is a trainee solicitor in the London office of Ogletree Deakins.