Employee Monitoring

The data protection regulator, the Information Commissioner’s Office (ICO), recently updated its guidance on monitoring workers to address technological developments.

Monitoring covers both systematic and occasional use of emails, internet, CCTV and can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity or productivity.

There is no specific law in the UK which governs monitoring of employees. Employers are neither expressly permitted to monitor, nor are they prohibited from doing so but issues can arise from applying a monitoring practice such as:

• breach of an employee’s privacy,
• unlawful discrimination;
• breach of trust and confidence leading to a constructive dismissal claim; or
•  unfair dismissal.

Recent years have seen more widespread deployment of monitoring technology in the workplace, especially during the Covid pandemic. The swift rise in artificial intelligence is also increasing the power and the risks posed by such tools.

The updated ICO guidance includes the following key themes and recommendations:

• The need to take a balanced and proportionate approach to employee monitoring, and to consider workers' expectations of privacy, especially when working from home.
• The importance of transparency and purpose limitation, and the requirement to inform workers in advance about any monitoring, unless there are exceptional circumstances that justify covert monitoring.
• It’s good practice to conduct data protection impact assessments (DPIAs) before introducing any monitoring, even where there is no legal requirement to do so, and to consult impacted individuals unless there is a good reason not to.
• The risk of discrimination or bias where monitoring results in processing that causes unfair or unequal treatment of workers, especially where biometric recognition technologies are used, and the need to assess and mitigate the bias in the system. For example, are remote workers subject to more monitoring than employees working in the office?
• The restrictions on automated decision making under the UK GDPR, where the decision making is solely automated and has legal or similarly significant effects, such as paying workers based entirely on automated monitoring of their productivity (increasingly, this will involve AI).

The ICO guidance contains recommended steps for businesses to help ensure that their monitoring policies and practices are compliant which include:

1. Reviewing data protection documentation, such as the employee privacy notice, IT systems usage policy and signage, to ensure they accurately describe the monitoring taking place and explain the purposes.
2. Carrying out or refreshing DPIAs prior to conducting monitoring and documenting any decision not to carry out a DPIA or to consult with impacted individuals.
3. Ensuring that the monitoring is consistent with the internal policies and the actual practice, and not trying to rely on a policy that is not strictly enforced to justify monitoring, e.g. banning private phone calls but tolerating them in practice.
4. Considering whether to consult with employees and/or representative bodies before introducing new monitoring and keeping a record of the decision.
5. Explaining in organisational policies the types of behaviours that are not acceptable and the circumstances in which covert monitoring might take place, and only using covert monitoring in exceptional circumstances.
6. Paying particular attention to the guidance before introducing any new monitoring measures that result in the processing of biometric data, and ensuring that there is a joined-up approach to the introduction of any new technology.
7. Considering retention policies and ensuring that data obtained through monitoring is deleted once it is no longer necessary.

Rollits’ Employment Team can assist in advising companies and employees if they have any concerns in this area and our commercial department can also assist with review and preparation of data protection policies to ensure compliance with the GDPR and recommendations from the ICO.