What is the focus of the UK data regulator’s report on monitoring workers?
The UK Information Commissioner’s Office (“ICO”) published its final guidance on monitoring workers (the “Guidance”) on 3 October 2023, which is compliant with the UK GDPR and the Data Protection Act 2018 (DPA 2018).
What legal requirements are suggested for worker monitoring?
Employers must be clear with their staff about the use of workplace monitoring. Context is key for considering workers’ expectations. Companies should consider the following in connection with monitoring:
- Transparency: Workers should be made aware of the nature, extent, and reasons for monitoring. The principle of transparency is essential to maintain trust between workers and the business. Employers should seek and document the views of workers or their representatives (such as trade unions) unless there is a good reason not to.
- Purpose and intrusiveness: An employer should have a clearly defined purpose for monitoring and use the least intrusive means to achieve it. This ensures that monitoring is necessary and not invasive.
- Lawful basis: There must be a lawful basis for processing workers’ data to ensure compliance with data protection laws.
- Clear communication: An employer is required to communicate information about monitoring in a way that is easy and clear for workers to understand.
- Relevance: Only relevant information should be collected through monitoring, which should be declared within the employer’s privacy notice.
- Data Protection Impact Assessments (“DPIA”): For monitoring activities likely to result in a high risk to the rights of workers, an employer should carry out a DPIA. This ensures that risks are identified and mitigated.
- Subject Access Requests (SARs): Workers should be informed that they can make SARs to access personal information collected through monitoring.
- Artificial Intelligence: Employers monitoring workers will fall within the restrictions on automated decision-making under Article 22 UK GDPR if the decision-making (1) is solely automated; and (2) has legal or similarly significant effects. For example, compensating workers based solely on automated monitoring of their productivity would fall within Article 22.
- Biometric data: A DPIA is needed wherever biometric data is used to uniquely identify an individual. In the context of the use of biometric data for time and attendance control, employers should consider whether there are alternatives to using biometric data to achieve their desired objectives. They must also consider whether extra security measures are needed if they do use biometric data.
- Audio and visual recording: The ICO’s view is that audio recording is more intrusive than purely visual recording: “Continuous audio and video recording can be highly intrusive and you are unlikely to be able to justify it in most circumstances.”
Why is there a need for compliance?
Post-COVID-19, employers are turning to data to gain insights into the performance of their workers. This is because more people choose to work from home or agree to hybrid working practices with their employer. Workers have a right under Article 8 of the Human Rights Act 1998 to respect for their private life. The rise in homeworking means the expectation of privacy is likely to be greater at home than in the workplace.
UK organisations tend to heed the rules within the UK GDPR due to the risk of hefty fines and the reputational damage associated with non-compliance with data privacy laws.
How 3CS can help
Our team of data privacy and employment lawyers have both domestic and international expertise and offer a full range of corporate compliance legal services. For further information on employee monitoring and how it may affect your company or for help with any legal matter connected to the issues mentioned above, please get in touch with your usual 3CS contact.