The Information Commissioner’s Office (ICO) has published new guidance for employers on monitoring workers. This includes some useful commentary on lawful monitoring in the context of recent developments to working practices, including the rise in homeworking and the increased use of more advanced monitoring technology in the workplace, write Rachel Barnet and Hannah Pettit.
Monitoring
Monitoring can be a useful tool for employers wanting to track employee activity, whether in order to improve performance and efficiencies within the business, or to address concerns about security or health and safety.
However, as monitoring will inherently involve the processing of the personal data of employees and workers, it is important to ensure that the methods used are compliant with data protection legislation. This will include ensuring that there is an available lawful basis, and if necessary a special category processing condition, for processing personal data for monitoring purposes and ensuring that there is not a less intrusive way of achieving the relevant aims.
It is also important to make sure that workers understand that they are being monitored and why, and are provided with clear and transparent information about the monitoring. For example, in a privacy statement or policy, on posters if relevant or during staff meetings.
The law requires employers to carry out a data protection impact assessment (DPIA) to assess the necessity and proportionality of data processing activities they are planning to undertake in certain situations. This includes where an employer is planning to bring in a new process or system which is likely to pose a high risk to workers’ rights and freedoms. Monitoring may often therefore trigger the need for a DPIA to be undertaken.
The ICO guidance confirms that despite there not being a strict legal need to, employers should carry out a DPIA even if they do not consider that there is a specific high risk, on the basis that it can assist with responsible decision making. In fact, the guidance goes further to state that if an employer decides to proceed with implementing workplace monitoring without carrying out a DPIA, the employer should document its decision not to carry one out.
What should a data protection impact assessment cover?
Any DPIA should:
- specify the purpose behind the monitoring
- identify any potential adverse impacts of the monitoring and any measures which will be taken to mitigate those risks
- consider whether there are any alternative, less intrusive methods to the type of monitoring which is being proposed
- acknowledge the legal obligations which apply to monitoring such as identifying the lawful basis, and special category condition if necessary, for processing the personal data
- ultimately make a finding about whether the monitoring is justifiable in the circumstances
Information Commissioner’s Office guidance and examples
In the ICO’s new guidance, the need to carry out a DPIA is highlighted in the context of home working. The guidance points out that if an employer is monitoring workers remotely, they should keep in mind that expectations of privacy are likely to be higher than they would be on company premises, and the risk of capturing family and private life information as part of this monitoring, is higher. The ICO recommends that this risk is factored in when considering any type of monitoring of remote workers and should be considered as part of a DPIA.
The ICO also provides a number of useful working examples in this guidance, such as in relation to biometric monitoring.
Example one: electronic fingerprint scanning
One such example is that of introducing an electronic fingerprint scanning system in the workplace for time and access control.
The ICO suggests that an employer may decide, having considered the options as part of a DPIA, that consent is the most appropriate lawful basis to rely upon for the processing of this biometric data.
The ICO then points out that, as biometric data is being processed, a type of ‘special category data’ when used for identification purposes, the employer will also need a valid condition for processing that data.
It is suggested that the employer offers a swipe card option to any workers who do not want to have their fingerprints scanned. This alternative option means the employer could rely on the explicit consent condition for processing the special category biometric data, because workers can change their mind at any time and opt to use a swipe card instead.
Employers have to be particularly cautious when seeking consent from employees or workers, due to the inequality of bargaining power between the parties, and the risk that this could invalidate the consent on the basis that it is not considered freely-given. This clarity on when it would be acceptable to rely on consent in an employment context is therefore especially useful, highlighting the importance of providing an alternative option.
Example two: facial recognition
Another example provided in the guidance is using facial recognition for signing into a laptop or device.
It is suggested again that the employer might decide to use consent as their lawful basis for processing and that explicit consent may perhaps be relied upon again as the condition for processing the biometric data. This is on the basis that the workers agreeing to use facial recognition are doing so, on the understanding that the image created is only held on the device provided to them, and is not stored elsewhere or used for any other purpose.
As in the fingerprint example, it is also suggested that the option of using a password or a PIN is still made available to staff and that the facial recognition process does not activate on the devices of those who have not consented.
Practical examples like these, as well as wider examples relating to activities such as device monitoring and video surveillance, mean that the ICO guidance is a useful reference point for employers who are considering introducing new methods of monitoring, or updating existing methods.
The ICO guidance also provides a reminder that, if an employer is relying on legitimate interests as its lawful basis for monitoring, instead of consent, then it is possible for workers to object to this. The right to object is not absolute, so an employer can still refuse to comply with the objection if it is satisfied that its legitimate interests override the worker’s grounds for objecting. A properly conducted DPIA would be an extremely useful tool to be able to refer back to in this situation, as it will assist the employer in making a decision and explaining this to the worker.
What can we take away from this?
The key takeaway is that monitoring in the workplace will only be appropriate where it is necessary and proportionate. If it is not necessary or proportionate, or if there are less intrusive ways for an employer to achieve its aims or satisfy its business interests, then the workplace monitoring should be avoided.
Alongside preparing guidance on workplace monitoring, the ICO has carried out research which confirms that 70% of people they surveyed said they would find monitoring in the workplace intrusive and 19% of people would feel comfortable taking a new job which would result in them being monitored.
This is an important reminder that workplace monitoring should be used with caution. In addition to this, the reasonable expectations of workers should be an important factor in any decision to implement workplace monitoring.
The ICO’s full guidance on monitoring in the workplace is available here.
Rachel Barnet and Hannah Pettit are Associates at Ashfords.