
New ICO guidance on monitoring employees in the workplace

Monday 7 November 2022

Statistics suggest that 60% of employers are monitoring their employees within the workplace.

Monitoring employees is intrusive; however, it is not prohibited under data protection legislation. It is therefore possible to monitor employees as long as that monitoring is consistent with data protection legislation and its principles.

In October, the ICO released its draft guidance on Employment practices: monitoring at work, which is now open for consultation. The current guidance was produced in 2011, so when finalised the new guidance will address the significant changes that have occurred in data protection law during that period and will reflect the changes in the way employers use technology and interact with staff.

The oversight that employers have over employees whilst at work has increased in recent years. There are negative connotations associated with monitoring employees, and not implementing monitoring appropriately could lead to decreased job satisfaction and increased stress for employees, and could also impact employers.

The ICO states that 60% of employers are using some sort of tracking software on their employees. The figures have risen during the Covid pandemic as more employees worked from home, and there was more monitoring and surveillance which targeted thoughts, feelings and physiology, location and movement, performance and professional profile and reputation.

Monitoring can take various forms and could include the employer monitoring keystrokes, tracking idle time, taking screenshots, activating webcams and/or mics, or logging how long employees stay on apps/websites. There could also be video surveillance within the office, recording of phone calls, or monitoring of emails, hours worked, and the websites and apps that employees visit.

The types of monitoring that an employer uses must be in line with the guiding principles of relevant data protection legislation. This means that the monitoring must be lawful and fair: employers should ensure that they only monitor employees in a way that they would reasonably expect and not in any way that would cause unjustified or adverse effects on them.

Employers should be transparent and clear about how and why they process an employee’s personal data, ensure that the personal data collected in monitoring is only used for the purpose for which it is collected, and is only what is necessary for the initial purpose. The employer must also ensure that the personal data is accurate, only kept for the period of time it is needed and only processed in a manner which ensures the ongoing security and confidentiality of the data. Further, the employer should be able to demonstrate its compliance with the data protection legislation.

The ICO makes it clear in its draft guidance that the employer must balance the business’s interests with the rights and freedoms of the employee in relation to their personal data. As monitoring employees is intrusive, the employer should also consider whether there are other reasonable or less intrusive means that would achieve the same outcome.

As with all processing of personal data, you must be able to justify that processing and have a lawful basis for it under the data protection legislation. The lawful bases for personal data and special category data are listed in Article 6 and Article 9 of the UK GDPR. However, it is important to note that this is not a “one size fits all exercise”, but a careful consideration of what you are trying to achieve, followed by balancing the business interests with the rights of the individual and documenting your reasoning.

Employers should steer away from consent as a lawful basis for monitoring employees. The ICO remains clear and stipulates within its draft guidance that the relationship between employer and employee is not balanced and that employees could feel like there is no choice but to give their consent, meaning that such consent would not be freely given.

The ICO has reiterated that the lawful basis of a legitimate interest is the most flexible basis for such processing and could apply in a number of circumstances. However, be aware that “if you can reasonably achieve the same result in a less intrusive way, legitimate interests does not apply. You should avoid using legitimate interests if you are monitoring in ways the workers do not understand and would not reasonably expect, or if it is likely that some workers would object if you explained it to them.”

If the monitoring would process any special category data, the employer will have to ensure that there is also a lawful basis for such processing and that there is more protection around this data, due to its increased sensitivity and the increased risk of harm from any inappropriate disclosure or use.

In order to ensure that the principles are upheld, employers would be well advised to complete a data protection impact assessment (DPIA). This will not only help document the assessment of the risks and mitigations but also further justify the reasoning behind the monitoring and address any concerns about potential adverse impact the monitoring may have, for example, whether any of the technology being used could produce a bias or discriminate. The DPIA will also ensure that you have undertaken the purpose test, necessity test and balancing test, and could even be used to seek the views of employees.

Within this draft guidance, the ICO has again reiterated the need for having a robust data privacy regime with appropriate frameworks, policies, procedures and measures that demonstrate that, as an employer, you have considered the risks and impacts of monitoring on your employees.

If you need help with how to lawfully monitor employees, and/or to ensure that your supporting privacy frameworks are robust, please contact Eleanore Beard in our Data Protection team.
