UK’s ICO Releases Guidance on Workplace Monitoring Practices
In October 2023 the UK Information Commissioner’s Office (ICO) published new guidance on lawful monitoring of workers, as reported by Hunton Andrews Kurth.
The guidelines cover monitoring activities both on and off-site, during and outside of typical work hours, including remote work, recognizing the heightened privacy expectations of home-based employees.
The aim is to help employers comply with their obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
The guidance also seeks to give employers clearer regulatory expectations, to protect workers’ data protection rights, and to build trust between employers, workers, customers, and service users.
Is it actually permissible to monitor employees in the UK?
Data protection law does not prohibit monitoring, but any monitoring must comply with the data protection principles.
Article 8 of the European Convention on Human Rights, incorporated into UK law by the Human Rights Act 1998, protects the right to respect for private life. This is especially pertinent with the rise of remote work: workers reasonably expect more privacy at home, so monitoring of remote work carries a real risk of inadvertently capturing personal or household information that has nothing to do with the job.
Key Guidance Obligations:
- Regardless of the monitoring technology used, employers must adhere to the data protection principles outlined in the UK GDPR.
- Employers must opt for the least intrusive monitoring methods necessary to achieve their objectives.
- If workplace monitoring involves special category data, even incidentally, the employer must identify a condition for processing it under Article 9 of the UK GDPR, in addition to an Article 6 lawful basis.
- Covert monitoring, where workers are unaware of the surveillance, is rarely justifiable and should only be considered in exceptional cases such as suspected criminal activity or serious misconduct, and then only for a limited, targeted investigation.
- Employers are cautioned against expanding monitoring technologies beyond their original purpose (function creep), and reminded to collect only the information genuinely necessary for the stated purpose.
Function creep is the gradual expansion of a technology or system beyond the purpose it was introduced for, particularly where that expansion erodes privacy.
Key Guidance Instructions:
- Employers are encouraged to monitor in a way that matches what workers would reasonably expect and to avoid measures that could unfairly disadvantage them.
- Employers are advised by the ICO to carry out data protection impact assessments (DPIAs) for workplace monitoring endeavors, even if not explicitly required by the UK GDPR.
- Employers are encouraged to consult with workers or their representatives when contemplating the adoption of monitoring technologies and involve them in the planning process from the outset.
- The UK GDPR provides six lawful bases for processing (listed below). Before collecting and handling workers’ data, the employer must identify at least one that fits the nature of the planned monitoring.
The six lawful bases for employee monitoring are:
- Consent: The worker freely gives consent to the processing of their personal data for a specific purpose. Because of the imbalance of power in the employment relationship, the ICO notes that consent is unlikely to be freely given and is therefore rarely an appropriate basis for workplace monitoring.
- Contract: Monitoring is required under the employment contract or pre-contractual arrangements.
- Legal Obligation: Processing is necessary to comply with legal requirements.
- Vital Interests: Processing is necessary to safeguard someone’s life.
- Public Task: Processing is necessary to fulfill a task in the public interest or for official functions.
- Legitimate Interests: Processing is necessary for the employer’s or a third party’s legitimate interests, unless those interests are overridden by the interests, rights, and freedoms of the workers.