The UK Information Commissioner’s Office (ICO) published its final guidance on monitoring workers on 3 October 2023 (the Guidance). The Guidance is aimed at employers across both the private and public sector. Responding to the rise of remote working and new technologies available to monitor employees, the ICO has looked to provide clear direction on how monitoring can be carried out lawfully and fairly.
The final Guidance follows a consultation launched in October 2022 on the ICO’s draft guidance. It substantially follows the draft guidance, with some additional examples and pointers on where employers “must”, “should”, or “could” follow the approach laid out.
1. Takeaways for employers
1.1 Key messaging
The Guidance stresses throughout that to be lawful and fair, monitoring must take account of workers’ expectations, must not be excessive, and must be done in a transparent way wherever possible. Context is key when considering workers’ expectations. Where looking to deploy monitoring of remote workers in their homes, employers should take into account that workers have a greater expectation of privacy at home than in the office. Similarly, examples draw out the distinctions between workers who might expect intrusive monitoring in their employment and those who would not. For example, miners would expect to wear location tracking devices in the mine due to the risk of accidents, while office workers would not.
1.2 Using AI and biometric data
The Guidance clarifies that monitoring employees will fall within the restrictions on automated decision-making under Article 22 UK GDPR if the decision making is solely automated and has legal or similarly significant effects. Paying workers based solely on automated monitoring of their productivity, for example, would fall within Article 22.
In contrast, automated systems used as decision-supporting tools would not fall within the scope of Article 22, but in such cases the people making the decisions should not just routinely apply automated recommendations and should have meaningful influence on the decision.
For the time being, solely automated decision making falling under Article 22 UK GDPR may only be used where the processing is necessary for the performance of a contract with the individual, authorised by law that applies to the employer, or based on the individual’s explicit consent. The Data Protection and Digital Information Bill is set to widen the circumstances where automated decision making can be used, but these restrictions remain in place at present.
The ICO’s guidance on AI is also referenced in the Guidance and employers are encouraged to refer to it for guidance on ensuring fairness and lawfulness in their AI monitoring systems.
The ICO also builds on its recent draft guidance on biometric data to provide specific pointers on using biometric data for employee monitoring. These include that in the context of the use of biometric data for time and attendance control, employers should consider whether there are alternatives to using biometric data to achieve their desired objectives, and must consider whether extra security measures are needed if they go ahead. A data protection impact assessment (DPIA) is needed wherever biometric data is used to uniquely identify an individual.
1.3 Other practical points to note from the Guidance
- Employers must identify a lawful basis at the outset. Where more than one lawful basis might apply, organisations should identify and document them from the start. The guidance cautions “Try to get it right first time, as you should not change it later without good reason”, leaving some room for a change of approach in exceptional circumstances.
- The ICO highlights, by way of example, its view that using systems to monitor the content of emails is likely to involve the processing of special category data. In the ICO’s bank example, monitoring the transactions made by every worker to prevent and detect fraud would not involve processing special category data. However, a special category condition would be needed to monitor all email traffic in order to address the risk of fraud and protect commercially sensitive information, because monitoring all email traffic could capture special category data, such as emails sent to union representatives or to occupational health personnel.
- Carrying out a DPIA is encouraged as a “should” for employers even where monitoring might be considered not to require one, as the ICO considers it to be a flexible and scalable tool to assist decision-making.
- Employers should seek and document the views of workers or their representatives (such as trade unions) unless there is a good reason not to. This is considered important for transparency and building trust.
- The ICO stresses the need to consider subject access requests from workers. It may be challenging to respond if the monitoring system collects large amounts of personal information, or contains the information of third parties which will need to be redacted.
- The ICO’s view is that audio recording is more intrusive than purely visual recording. “Continuous audio and video recording can be highly intrusive and you are unlikely to be able to justify it in most circumstances.”
- A specific purpose for the monitoring must be identified. The ICO reminds organisations that this can only be changed if the new purpose is compatible with the original purpose, the employer gets consent, or has a clear obligation or function set out in law. The Data Protection and Digital Information Bill is set to make changes intended to clarify the rules on where further processing is to be treated as compatible with the original purpose, including processing that is necessary for detecting, investigating, or preventing crime, but these changes are not part of UK data protection law at present.
2. Other guidance for employers and the status of the Employment Practices Code
The Guidance has been added to a hub of resources for employers. In addition to the now final Guidance on monitoring, these resources also include guidance on handling information about workers’ health, which was published in August 2023.
The ICO issued a call for views in August 2021 on plans to replace the employment practices code, supplementary guidance and the quick guide with an online resource on topic specific areas. In its response to the comments received, the ICO confirmed that it does not have plans to issue a new code of practice, but rather to build out a new web-based hub.
The position now is presumably that organisations should refer to new guidance where it appears on the hub. At present, the Guidance should be referred to for employee monitoring and information about workers’ health, and other resources and checklists available on the hub should be referred to for other areas, where relevant. The employment practices code and accompanying supplementary guidance and quick guide continue to be available on the hub for reference on topics on which newer guidance is not yet available.
3. Our take
The Guidance provides employers with useful clarification on the ICO’s position relating to various employee monitoring-related issues. Whilst most of the Guidance is unsurprising, it will require some organisations to make their staff monitoring notices more explicit about the monitoring undertaken and to review their processes for approving new forms of monitoring, especially given the expectation to undertake DPIAs and to consult workers or their representatives about proposed monitoring. In the face of this clear guidance, the ICO is unlikely to be sympathetic where organisations do not comply with their requirements and recommendations in this area.