Balancing legal compliance against employee privacy: ICO publishes guidance for employers on monitoring workers
October 2023
On October 3, 2023, the Information Commissioner’s Office (ICO) in the United Kingdom released a comprehensive guidance document titled “Employment Practices and Data Protection – Monitoring Workers.” This guidance (available here: https://ico.org.uk/media/for-organisations/uk-gdpr-guidance-and-resources/employment-information/employment-practices-and-data-protection-monitoring-workers-1-0.pdf ) aims to help employers navigate the complex landscape of monitoring employees while ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The topic is an important one for several reasons. In a world where remote work and technological advancements are on the rise, the ICO’s guidance becomes a vital resource for organisations looking to monitor their workforce lawfully.
Monitoring of email communications may also occasionally be necessary in order to ensure that the company and its personnel are complying with their legal obligations. For example, if a whistle-blower alleges that a co-worker has been involved in fraud, bribery or embezzlement, the company may wish to seek evidence of such conduct in the email account of the person concerned. Companies with concerns about possible antitrust violations may wish to carry out keyword searches to identify possible evidence of anti-competitive conduct. The guidance is required reading for all these situations.
This article delves into some of the key aspects of the guidance and its implications for employers. It looks specifically at some of the concerns to be taken into account where an employer wishes to monitor the activities of its workforce in order to ensure they are not acting in an unlawful way which could expose the organisation to prosecution or penalties.
Monitoring is possible: within legal boundaries
The guidance clarifies that data protection law does not prevent you from monitoring workers, but employers must do so in a way which is compliant with data protection requirements. Article 8 of the Human Rights Act 1998 concerns the right to respect for a private and family life. This is increasingly important due to the rise of homeworking. Workers’ expectations of privacy are likely to be significantly greater at home than in the workplace and the risks of capturing information about your workers’ family and private lives (if you monitor them when they are working from home) are higher.
It is possible to monitor workers if you do it in a way which is consistent with data protection law (the subject of the Guidance and this article) and employment law. When deciding whether to monitor workers, the employer’s business interests and workers’ rights and freedoms under data protection law must be carefully balanced against the employee’s legitimate expectations of privacy (the Guidance states for example that installing CCTV in a changing room where thefts had occurred would likely be unfair and violate that expectation). The impact of monitoring on the relationship of mutual trust must be taken into account, as must the wellbeing of the employee. Just because a form of monitoring is available does not mean it is the best way to achieve the employer’s aims. You must be clear about your purpose and select the least intrusive means to achieve it.
Understanding the Scope of “Monitoring”
The ICO’s guidance defines “monitoring workers” as any form of supervision or data collection related to individuals performing work for an organisation. This includes monitoring on or off the work premises, during or outside work hours. Monitoring technologies and purposes may include:
- camera surveillance including wearable cameras for the purpose of health and safety;
- webcams and screenshots;
- technologies for monitoring timekeeping or access control;
- keystroke monitoring to track, capture and log keyboard activity; productivity tools which log how workers spend their time;
- tracking internet activity and keystrokes;
- body worn devices to track the locations of workers; and
- hidden audio recording.
To comply with data protection laws, monitoring must be carried out in a lawful and fair manner that respects workers’ privacy.
The Guidance also recognises that employers might consider monitoring emails and messages sent to and from work accounts (including messages sent via a chat function). That may be done with a view to:
- protecting corporate information;
- safeguarding data security;
- identifying suspicious activity;
- or enforcing any acceptable usage policies you may have.
Employers must be clear about their purpose for monitoring emails and messages and make sure any monitoring is necessary and proportionate to that purpose. They must inform workers of the purpose of any monitoring. When it is considering monitoring emails and messages, the employer must complete a data privacy impact assessment (DPIA). This is because it poses a high risk to workers’ data protection rights and freedoms and is likely to capture special category data. The ICO recommends completing a DPIA even where this is not a requirement, as that would represent good practice in this situation.
There may be other instances when emails will be accessed. For example, the employer may engage a CRM software provider to help identify business opportunities and synergies in an automated way. It is submitted that the principles of these guidelines are helpful in such a situation and a DPIA will be a necessary step (even more so where there is less of a public interest justification for accessing correspondence).
Balancing Rights and Interests
Data protection laws do not prohibit monitoring workers, but employers must balance their business interests with employees’ rights and freedoms. This balance is crucial, especially when considering the increased expectation of privacy while working from home. Unfair monitoring can negatively impact employees’ rights, trust, and mental well-being.
Identifying a Lawful Basis
To monitor workers lawfully, employers must identify a lawful basis for data processing. The ICO’s guidance outlines six potential lawful bases:
- Consent: Workers provide explicit and freely given consent for monitoring. However, consent is generally not suitable in employment contexts due to power imbalances.
- Contract: Monitoring is necessary for fulfilling the employment contract, such as improving efficiency or ensuring productivity.
- Legal Obligation: Monitoring is required to comply with specific legal obligations, like health and safety regulations.
- Vital Interests: Data processing is essential to protect someone’s life, typically in emergency situations.
- Public Task: Monitoring is necessary for performing tasks in the public interest or official functions, with a clear legal basis.
- Legitimate Interests: Data processing is necessary for an employer’s legitimate interests, provided it does not unduly infringe on workers’ rights.
The legitimate interests basis is the most flexible but must consider the necessity of monitoring and workers’ rights.
Where the employer’s purpose in conducting monitoring is to detect potential unlawful activity, the “legal obligation” basis should be considered. This basis is available only where the monitoring is intended to enable the employer to comply with a contractual or statutory obligation. It may not be available where, for example, the employer wishes to establish whether a worker has breached company policies or her contract of employment.
Where the monitoring is likely to capture “special category data” (e.g. information about ethnicity, trade union membership, sexual orientation or religious beliefs), the employer must have a special category condition, as well as a lawful basis, before starting the monitoring. There are 10 such conditions for processing special category data. Five of those require the employer to meet additional conditions and safeguards set out in Schedule 1 of the DPA 2018.
Transparency and covert monitoring
Apart from in very exceptional circumstances where covert monitoring is justified, employers must inform workers about any monitoring.
In our view, it is critical that any disclosure in policies is set out in clear language. Businesses seeking to rely on exclusion clauses in standard terms often set the clauses in capitals or bold type. That may be a technique worth considering in employment policy or privacy notices to meet any objection that the right was not reserved explicitly or conspicuously enough.
An exception is covert monitoring. Covert monitoring means carrying out monitoring in a way designed to ensure workers are unaware that it is taking place. It is unlikely that you will be able to justify covert monitoring in most usual circumstances. However, there may be exceptional circumstances where you might be able to justify this, for example if covert monitoring is necessary to enable you to prevent or detect suspected criminal activity or gross misconduct. It is submitted that an employer may wish to conduct covert monitoring where there is a risk of loss of evidence or tipping off of an investigation by an enforcement body which is not in the public domain.
Privacy impact assessments and proportionality
The ICO guidance provides several examples to illustrate the application of these lawful bases, helping employers make informed decisions on monitoring practices. It also emphasises the importance of conducting a DPIA to assess the appropriateness of monitoring.
Even where “legal obligation” is identified as the lawful basis, the employer should still carry out a DPIA before carrying out monitoring. The Guidance suggests for example that employers consider whether “network data” could be examined as an alternative to reading employee correspondence. That may well lack the necessary specificity to assist the employer in understanding what its workers have been doing. However, the thought process and conclusions should be documented in the DPIA. Even where the employer will consider workplace emails, privacy concerns may still arise. The ICO identifies for example communications between a worker and their union representative or capturing a worker’s personal correspondence as being potentially problematic. The risk of incursions into privacy from capturing and monitoring such correspondence must be weighed against the employer’s objectives in the DPIA.
The ICO’s recent guidance on monitoring workers is a valuable resource for employers seeking to balance the need for oversight with the protection of workers’ privacy and rights. In an evolving workplace where remote work and technology are increasingly prevalent, employers must carefully consider the legal and ethical implications of monitoring their workforce. By following the ICO’s guidance, organisations can navigate these challenges while fostering trust with their employees and complying with data protection regulations. Advice will be needed on some of the more technical aspects of the guidance (e.g. who is a “worker” for the purposes of these guidelines and when would they cover freelance staff). In most situations, a DPIA should be carried out and retained in a timely but considered and comprehensive way.
The road to hell is paved with good intentions. Employers may fall into the trap of thinking that all monitoring will be lawful where their aim is to uncover or prevent unlawful conduct within the organisation (or committed on its behalf). As the guidance shows, this is not so straightforward and even where intentions are noble, due account must be given to workers’ rights to privacy. The good news is that in most if not all cases a properly structured and considered process can be put in place which will get the employer where it needs to be.