On 3 October 2023, the Information Commissioner’s Office (“ICO”) published updated guidance on lawful monitoring in the workplace.
The guidance outlines legal requirements as well as good practice advice to help employers build trust with their workers and respect their rights to privacy.
Addressing employees’ concerns
Research conducted by the ICO suggests that employees are becoming more concerned about workplace surveillance, with 70% of people surveyed saying they would find monitoring in the workplace intrusive and only 19% stating that they would feel comfortable taking a new job if they knew that their employer would be monitoring them.
As Emily Keaney, Deputy Commissioner - Regulatory Policy (ICO), highlights:
“Our research shows that today’s workforce is concerned about monitoring, particularly with the rise of flexible working - nobody wants to feel like their privacy is at risk, especially in their own home.”
Technology is now increasingly sophisticated and allows organisations more scope to monitor staff than ever before.
Such monitoring can include:
- camera surveillance, including wearable cameras for the purpose of health and safety; webcams and screenshots;
- technologies for monitoring timekeeping or access control;
- keystroke monitoring to track, capture and log keyboard activity;
- productivity tools which log how workers spend their time;
- tracking internet activity, and
- hidden audio recording.
The guidance outlines that there is no blanket prohibition on organisations carrying out staff surveillance but reminds employers to ensure that any monitoring is compliant with data protection and other legislation.
For example, whilst surveillance such as CCTV may be legitimate in an office environment, adopting equivalent measures for home workers, such as webcam recordings, may be in breach of Article 8 of the Human Rights Act 1998, which provides individuals with the right to respect for their private and family life.
Special category data
In their guidance, the ICO also reiterate the importance of managing “special category data” correctly as it attracts a greater degree of protection.
This is data considered to be highly sensitive, often comprising employees’ health information, religious beliefs or political opinions, and organisations should bear in mind that this data could also be obtained when monitoring employees.
What steps should an employer be taking?
The guidance reminds organisations that if monitoring of staff is being contemplated, the following steps must be taken:
- Ensure staff are aware of the reasons, nature and extent of any monitoring;
- Establish a defined purpose and be proportionate in achieving it;
- Identify a legal basis for processing data;
- Ensure that any information provided to staff in relation to monitoring is clear;
- Not to retain any data for longer than is necessary or if irrelevant to its purpose;
- Conduct data protection impact assessments if any special category data is processed.