On October 3, 2023, the Information Commissioner’s Office (ICO) published guidance to assist employers in adhering to data protection laws while monitoring workers. The guidance applies to any form of monitoring (both systematic and occasional) of people who carry out work on behalf of an organisation, regardless of the nature of the contract between the company and the individual.
Companies should give careful consideration to the monitoring of workers, due to the inherent privacy risks of this activity. Usually, monitoring workers is the primary purpose for adopting a given technology, but it can also be a collateral outcome of other practices (e.g., health and safety protocols). This article seeks to raise employers’ awareness of the potential risks that may arise from these activities, providing an overview of the points covered in the ICO guidance, coupled with practical steps to increase compliance.
Data Protection Considerations on Worker Monitoring
This section offers an overview of various data protection considerations related to different monitoring methods. Notably, the expectation of privacy is typically higher in a home environment than in the workplace, since at home the risk of inadvertently capturing information about family and private life is greater. Therefore, the monitoring of remote workers requires special consideration as an additional step.
Key considerations for different contexts and specific monitoring methods are provided in the following points:
- Telephone calls, emails and messages: Access to the content of workers’ communications should follow a clear policy outlining exceptional circumstances for monitoring. Employers should preliminarily consider the adoption of other less intrusive measures, such as itemised call records or monitoring network data.
- Device activity: Special caution should be implemented to ensure that the private use of personal devices for work is not captured at any time during the monitoring activity. As in the previous scenario, employers should preliminarily consider the adoption of less intrusive measures, such as the generation of aggregated analytics reports to identify trends or the blocking of problematic websites.
- Video or audio surveillance: This monitoring should always focus on areas with, in principle, lower expectations of privacy (e.g., the common spaces of the workplace have lower privacy expectations than the staff changing room). All individuals potentially affected by the monitoring, including visitors or customers, should be informed in line with the UK GDPR. In principle, audio recording is considered more intrusive than visual recording, so this factor needs to be taken into account. Therefore, the recommendation is to ensure that audio recording is deactivated by default and triggered only in exceptional circumstances (for instance, in case of threatening behaviour).
- Work vehicles and driver behaviour: This type of monitoring also poses potential risks to the privacy rights of other individuals, including passengers and anyone who might have direct or indirect contact with the vehicle. This is particularly relevant when outward- or inward-facing cameras or dashcams are used. In line with the considerations above, the monitoring of private use of work vehicles should be avoided.
- Timekeeping and access restriction to work premises: While these measures may be relevant for security reasons, they may also give employers control over workers’ activities and movements (for instance, a swipe card access control system will record the entrance and exit times of workers).
- Covert monitoring: Given its particularly intrusive nature, this needs to be a measure of last resort. As a consequence, it should be conducted only when (i) there are reasonable suspicions of criminal activity or equivalent, and (ii) informing workers about the monitoring would compromise its effectiveness. As a general principle when dealing with such intrusive measures, covert monitoring should only be authorised by senior management. This authorisation should be limited to the shortest timeframe possible, and companies should involve only essential personnel in overseeing this activity.
- AI and automated decision-making: In general, solely automated decision-making refers to decisions made without substantial human involvement. In practical terms, this means that a process might still be considered solely automated if a human inputs the data to be processed and the decision-making is then carried out by an automated system. Employers should periodically check that their systems are working as intended. Workers should be provided with accessible channels to request human intervention or contest decisions made through automation. They should also have viable alternatives that involve meaningful human participation in the decision-making process, without facing any disadvantage. For instance, employees should be given the option to choose whether the determination of their salary relies solely on automated productivity monitoring or involves a human review of the proposed amount and the parameters used to calculate it.
- Biometric data for time and attendance control and monitoring: Employers must avoid inaccuracies (e.g., biometric templates should be periodically updated), especially those preventing workers from accessing workspaces or unduly impacting the quantification of their pay. This is especially the case if the use of the system results in any type of potentially discriminatory processing. For instance, if access to workspaces is controlled by facial recognition, the system may have difficulty recognising some demographic groups. Employers should establish processes to protect the biometric templates, such as encrypting them to prevent reverse engineering back to the original identity, and segregating them from other associated images or lists. If biometric data is used to grant access to workspaces, workers should be able to opt for alternative methods (e.g., PIN numbers) without being disadvantaged. Workers should also be able to request manual reviews in case of access denial due to automatic errors. For instance, workers should have a way to ask for assistance if the system does not recognise them (e.g., through an intercom), so that a supervisor can grant them access and manually enter into the system the time they arrived at work.
Compliance with Data Protection Principles
This section outlines the key steps recommended by the ICO for ensuring compliance with essential data protection principles:
- Lawfulness: Before engaging in monitoring activities, employers must identify and establish a lawful basis for processing, as well as a special category condition if special categories of data are involved. To comply with the lawfulness principle, employers must also comply with other laws that may regulate the monitoring of workers (e.g., labour laws).
- Fairness and transparency: Monitoring should align with what employees would reasonably expect, avoiding unjustified adverse effects or a context of invisible processing. Typically, it is necessary to provide information beforehand. This information should cover the purpose, justification, how collected data will inform decisions and the reasons for not opting for less intrusive measures. Organisational policies should specify unacceptable behaviours, circumstances allowing covert monitoring, and mechanisms for keeping workers informed about ongoing monitoring (e.g., specific reminders).
- Purpose limitation: The purpose of monitoring should be determined before commencement, ensuring the appropriateness of adopted monitoring methods. In principle, once started, the purpose should remain clear and not be changed, unless in limited cases.
- Data minimisation: Employers should adopt the least intrusive measure that would allow them to achieve the monitoring objectives. For instance, employing systems that deny access to prohibited websites is preferable to ex post device activity monitoring.
- Accuracy: Employers should be mindful of equipment malfunctions that may yield misleading or inaccurate information. Workers should have the opportunity to review, explain or challenge monitoring results within disciplinary procedures and performance reviews.
- Storage limitation: Regular review of collected information is essential, along with deleting data that is no longer necessary for the monitoring purpose (closely connected to the data minimisation principle mentioned above). Retention schedules should align with actual business needs and/or applicable laws.
- Integrity and confidentiality: Given the potential collection of highly sensitive personal data during employee monitoring, employers should establish policies, procedures and measures proportionate to the risks. High-risk processing scenarios include, for example, biometric data processing, keystroke monitoring, monitoring with potential financial implications such as automatic productivity monitoring, and using special category data to decide on access to services.
- Accountability: Employers should document the rationale for adopting specific monitoring measures and tools. Data Protection Impact Assessments (DPIAs) serve as an important accountability tool, especially in high-risk monitoring cases. When carrying out a DPIA, employers should seek and document the views of workers or their representatives and consider anyone else captured by the monitoring (including household members, if workers are based at home). Employers should also adopt appropriate policies and ensure that senior management takes overall responsibility for monitoring. The involvement of the Data Protection Officer (DPO), if the organisation has appointed one, is also crucial. Finally, actions to increase data protection awareness should be reinforced, especially for those workers involved in monitoring processes.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience in assisting organisations in developing policies and organisational and technical measures to comply with data protection requirements. Feel free to contact our advisors if you would like to receive expert assistance in data protection compliance.