On 3 October 2023, the UK’s Information Commissioner’s Office (ICO) published new guidance on workplace monitoring. The previous guidance was issued in 2011, as part of the ICO’s Employment Practices Code, and was badly in need of updating, given both the development of new monitoring technologies over the last 12 years and the increase in hybrid and remote homeworking, especially during and since the pandemic. The guidance is designed to help employers comply with the requirements of UK data protection law when monitoring their workers, but it does not address other laws which may be relevant, such as health and safety laws or, for example, regulatory requirements in the financial services sector. The guidance provides helpful examples to illustrate what is – and what is not – permissible, along with checklists to assist with assessing and documenting compliance.
Who and what is covered?
All companies subject to UK data protection law need to comply with the guidance. This means that non-UK companies that are either ‘established’ in the UK or target goods or services at – or monitor the behaviour of – UK individuals will be covered. Further, the guidance covers the monitoring of ‘workers’, not just employees. A ‘worker’ is defined as someone who performs work for a company, regardless of the nature of the contract, and so would include consultants and contractors, if engaged directly by the company. The scope of the guidance is therefore very wide.
The guidance covers both systematic monitoring (e.g., software to monitor productivity) and occasional monitoring (e.g., targeting closed-circuit television to combat theft).
What should companies do?
Companies monitoring workers must:
- Make workers aware of the nature, extent and reasons for monitoring.
- Have a clearly defined purpose for monitoring.
- Use the least intrusive means of monitoring to achieve that purpose.
- Have a lawful basis for processing workers’ personal data.
Companies must comply with the requirements of UK data protection law regardless of the particular monitoring technology being used. However, the guidance recognises that some monitoring technologies will present additional and/or unique challenges. For example, if a company makes automated decisions with legal or similarly significant effects on workers based on information obtained through monitoring, it must provide workers with meaningful information about the logic involved in the decision-making and provide them with the means to request human intervention or challenge the decision.
Where monitoring is likely to result in a high risk to workers’ rights, companies must carry out a Data Protection Impact Assessment (DPIA). The guidance gives the following examples of high-risk processing: the use of biometric data, keystroke monitoring, performance management that could result in financial loss and profiling to determine access to services. Even where companies are not required to carry out a DPIA, the guidance strongly recommends completing one to help assess whether the planned monitoring is fair. Data protection officers (DPOs) should advise on the outcomes of DPIAs. DPOs should also be involved generally in any plans to monitor workers, as should workers themselves or their representatives (e.g., trade unions), unless there is a good reason not to consult them.
The guidance is very user-friendly and provides practical advice for companies on how to monitor workers in compliance with UK data protection law. As well as covering the basics (e.g., monitoring access and attendance at work with a swipe card), the guidance highlights a number of areas of greater complexity with which companies may have to grapple. For example, the guidance addresses monitoring at and out of work – i.e., monitoring that takes place on and off work premises and during and outside of work hours. The guidance recognises that monitoring remote/homeworking presents additional challenges, as those working from home are likely to have a higher expectation of privacy. In addition, the risks for companies of inadvertently capturing information about homeworkers’ home life and family are increased.
Article 6 legal basis and Article 9 permitted purpose
The guidance also highlights that if workplace monitoring does, or may, result in the processing of special category data, even incidentally, employers must identify an Article 9 condition for processing (a ‘permitted purpose’) in addition to an Article 6 legal basis. For example, monitoring all of a worker’s email traffic could reveal special category data, such as trade union membership or health information, and would therefore require an Article 9 permitted purpose as well as an Article 6 legal basis.
Monitoring is often justified as being in a company’s legitimate interests; however, the guidance suggests that legitimate interests may not be an appropriate Article 6 legal basis if workers are being monitored in ways they do not understand and would not reasonably expect – or if it is likely that some workers would object if the monitoring were explained to them. This may significantly limit the availability of legitimate interests as an Article 6 legal basis for workplace monitoring.
The guidance also considers the role of consent as an Article 6 legal basis and/or Article 9 permitted purpose. Although consent is often considered invalid in the employment context, given the imbalance of power between employer and employee, the guidance notes that consent may be valid – e.g., for a biometric access control system – as long as a genuine alternative is available for workers who withhold consent and that alternative does not disadvantage them.
If a company is processing special category personal data and relying on the Article 9 permitted purpose of compliance with employment law or social security/protection law, the guidance states that companies must identify the legal obligation or right relied upon, either by referring to the specific legal provision or an appropriate source of guidance – e.g., a government website or industry guidance.
Worker’s right to object
Interestingly, the guidance recognises a worker’s right to object to monitoring where the Article 6 legal basis is the carrying out of a public task or the company’s legitimate interests. The worker must specify why they are objecting, and the right to object is not absolute. The company can continue to monitor if it can demonstrate compelling legitimate grounds that override the worker’s interests, rights and freedoms, if the monitoring is for the establishment, exercise or defence of legal claims, or if the objection is manifestly unfounded or excessive.
Some companies may be asked to carry out workplace monitoring by their customers. The guidance makes clear that even if a customer makes it a condition of business that a company monitors its workers, the company would still need to comply with UK data protection law and be able to justify its monitoring.
Biometric data monitoring
If a company collects or uses biometric data to monitor workers (e.g., by controlling access through facial recognition), it must have security measures in place to protect that data which are appropriate to the risks presented by unauthorised access or disclosure. The guidance notes that, unlike a password, biometric data cannot usually be changed once compromised, which makes the consequences of a data breach much more serious. In particular, the guidance recommends storing biometric templates in a form that cannot be reverse-engineered into the original image, and storing them separately from other images or identity lists.
Finally, covert monitoring is only likely to be justified in exceptional circumstances – such as where criminal activity is suspected and informing workers of the monitoring would prejudice the prevention or detection of that activity. Even if companies can justify covert monitoring in principle, it should not be undertaken in areas where workers would reasonably expect privacy, such as toilets or changing rooms, and it should not capture communications that workers would reasonably expect to be private, such as personal emails.