On October 12, 2022, the UK Information Commissioner’s Office (“ICO”) opened a public consultation seeking feedback on the draft guidance document on employment practices, specifically relating to monitoring at work (the “Monitoring at Work Guidance”). The guidance aims to provide practical guidance and good practices relating to monitoring workers in accordance with data protection legislation.
This new guidance forms part of a wider initiative to update the ICO’s current employment practice code. Between August and October 2021, the ICO solicited stakeholder and public input into future guidance on data protection and employment practices, with the aim of replacing existing employment practices guidance with a more user-friendly online resource with topic-specific areas. The current ICO Employment Practices Code, including the supplementary guidance and the quick guide, was published in 2011 under the Data Protection Act 1998 and has not been updated since the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”) came into force.
Using the feedback from the ICO’s call for views, the ICO is currently updating the Employment Practices Code to address the changes in data protection law and to account for technological developments in modern workplaces. The draft Monitoring at Work Guidance will replace the “Monitoring at work” chapter of the Employment Practices Code and will form part of an online hub that contains topic-specific guidance on employment practices and data protection.
The draft Monitoring at Work Guidance does not introduce new legal requirements, but rather provides practical guidance to help employers comply with data protection legislation. Note that the Employment Practices Code was issued as practical guidance to help organizations comply with the Data Protection Act 1998, and until the draft Monitoring at Work Guidance is finalized, the Employment Practices Code continues to be the relevant guideline for employment and data protection related issues.
This blog post outlines the key issues included in the ICO’s draft Monitoring at Work Guidance and how this compares with the Employment Practices Code.
Fundamental changes to the employment guidance
The draft Monitoring at Work Guidance provides updated guidelines on the application of data protection rules within the employment context and, in particular, addresses key gaps in the outdated Employment Practices Code. This includes the legal bases for processing personal data, the application of the data protection principles set out in the UK GDPR and the rules on international transfers.
- Lawful basis for monitoring.
- The Employment Practices Code recognizes that monitoring is a component of an employment relationship and will therefore take place to ensure the quantity and quality of work produced by employees, to safeguard workers and to protect employers’ own interests and those of their customers. It does not expressly require organizations to identify a lawful basis to collect and process information from monitoring, but recommends that employers justify their monitoring on the basis of an impact assessment.
- The draft Monitoring at Work Guidance specifically addresses this gap, and in accordance with the UK GDPR, specifies that organizations must rely on a lawful basis in order to carry out monitoring activities that involve personal data and special category data. The six lawful bases are: (a) consent, (b) performance of a contract, (c) legal obligation, (d) vital interests, (e) public task and (f) legitimate interest. If the monitoring involves the processing of special category data, the monitoring is prohibited unless a special category data condition applies e.g., if it is necessary to comply with employment law or social security and social protection law.
- The Employment Practices Code notes that there are limitations as to how far consent can be relied on as the legal basis for an employer’s monitoring in an employment context, since the consent must be “freely given” and be capable of withdrawal.
- The draft Monitoring at Work Guidance provides more clarity on the circumstances in which consent may be relied on as the legal basis for monitoring. It notes that, due to the imbalance of power within the employment context, workers may feel that they have no choice but to consent to monitoring, which undermines the concept of a “freely given” consent. In order for organizations to rely on consent as a legal basis for monitoring, the workers must have a genuine choice and control over the monitoring. This means that workers are provided a genuine option and would not be negatively impacted for withholding consent to the monitoring activity. The consent must be (i) unambiguous and include an affirmative action, (ii) there must be an option to withdraw consent, which is as easy as when they first provided it, and (iii) the employer must keep a record of the consent process.
- Data protection principles.
- The core principles of monitoring in the Employment Practices Code are that employers should be clear about the purposes of the monitoring, and that workers should be aware of the nature, extent and reasons for any monitoring.
- These core principles are more clearly defined in the draft Monitoring at Work Guidance by reference to the data protection principles set out in the UK GDPR, including fairness, transparency, accountability, purpose limitation, data minimization, and accuracy. For example, organizations should only monitor workers in ways that they would reasonably expect (fairness), workers must be made aware of how and why their employer processes their information and the monitoring activities that the employer conducts in an accessible and easy-to-understand manner (transparency), the employer can only monitor its employees for a specific purpose, and not ‘just in case’ (purpose limitation), the employer should not collect more data than is required to achieve the monitoring purpose (data minimization).
- Data protection impact assessments (“DPIA”). Both guidelines state that it is good practice to conduct a DPIA in most cases, as it allows employers to determine if and how to carry out monitoring in a way that minimizes the risks of any monitoring activity. However, the Monitoring at Work Guidance makes clear that employers have an obligation to carry out a DPIA before undertaking any processing likely to cause high risk to workers’ and other people’s interests.
- The draft Monitoring at Work Guidance places greater importance on carrying out a DPIA when conducting monitoring at work. In particular, it sets out more circumstances in which a DPIA should be completed by employers, for example (i) if the monitoring involves special category data, (ii) covert monitoring, (iii) intrusive driver monitoring e.g., the use of any monitoring tool which uses analytics to make inferences, predictions, or decisions about drivers, tools that monitor driver behavior or the use of cameras or audio to monitor drivers, (iv) when monitoring emails and messages, (v) when monitoring device activity, (vi) video or audio monitoring, and (vii) when processing biometric data e.g., using facial recognition technology.
- International transfers.
- The draft Monitoring at Work Guidance includes a specific section on international transfers of monitoring data, which are regulated by the UK GDPR. The rules relating to international transfers apply where an organization sends personal data to a “third country” outside the UK or European Union, for example, where a UK company outsources its HR services to a company in a third country or uses a platform / application that hosts the data in a third country. Such international transfers are restricted and the organization will need to ensure they have adequate safeguards in place to transfer the data to the third country, such as where the third country has been assessed as providing ‘adequate’ data protection, or if there are appropriate safeguards e.g., standard contractual clauses have been entered into between the transferring and receiving organizations.
- This topic was not previously covered in the Employment Practices Code.
Guidance on specific types of workplace monitoring
The draft Monitoring at Work Guidance addresses specific types of workplace monitoring, taking into consideration the advances in technology within the employment setting since the Employment Practices Code was published in 2011. It provides guidance on the use of automated processes in monitoring tools, covert monitoring, monitoring of electronic communications, monitoring of time and attendance information (particularly with the use of biometric data), monitoring of device activity, and monitoring of remote and home workers.
- Covert monitoring. Both the Employment Practices Code and the draft Monitoring at Work Guidance underscore the fact that covert monitoring can only be used in exceptional circumstances e.g., suspected criminal activity or gross misconduct. Both guidelines set out similar considerations, such as limiting covert monitoring to a set timeframe, limiting the number of people involved in the investigation, entering into contracts with any private investigators who are enlisted to collect information that complies with data protection legislation, and ceasing covert monitoring once the investigation is complete. The draft Monitoring at Work Guidance sets out additional safeguards when using covert monitoring, such as outlining the types of behaviors that are not acceptable in the workplace and the circumstances in which covert monitoring that might take place within organizational policies and ensuring that the covert monitoring has been authorized by the highest authority in the workplace (rather than “senior management”, which is the suggestion in the Employment Practices Code).
- Automated processes in monitoring tools.
- The Employment Practices Code does not have a specific section related to automated processes in monitoring tools. Where the Code does mention automated processes, it recommends the use of automated monitoring over human monitoring (i.e., spot-checks or audits with human intervention where there is a human carrying out manual monitoring of communications to or from workers) as it deems automated processing as less intrusive.
- The draft Monitoring at Work Guidance includes an entire section to deal with automated processing in monitoring tools. It recognizes the benefits of automated processes in monitoring tools (also known as ‘people analytics’), but, as a result of the UK GDPR provisions on automated decision making and profiling, as well as developments in technology, the draft Guidance also understands that automated processes can pose risks to the data protection rights and freedoms of workers if used irresponsibly.
- The draft Monitoring at Work Guidance sets out the circumstances in which solely automated decision-making can be used pursuant to Article 22 GDPR (i.e., the performance of a contract, when authorized by the law, and with the worker’s explicit consent). The guidance clarifies that the restriction on automated decision making under Article 22 of the UK GDPR will only apply where an organization carries out solely automated decision-making — if the automated decision-making includes an aspect of human oversight (e.g., ensuring human reviewers are involved in checking the automated recommendation before a decision is made), Article 22 of the UK GDPR will not apply. The additional requirements for solely automated decision-making in the context of monitoring workers include information / notification obligations about the automated processing (e.g., the logic involved in the automated decision-making, the consequences of the automated processing), and providing employees with a simple process to request human intervention or challenge a decision — it must be possible to override the automated decision-making.
- Biometric data. The draft Monitoring at Work Guidance sets out the considerations that an organization should take into account when processing biometric data in the context of monitoring workers (e.g., fingerprints, facial recognition, and voice recognition). As with other monitoring activities, it is necessary to conduct a DPIA, identify a lawful basis and ensure that the processing complies with the data protection principles. As a practical example, if an organization relies on consent to implement facial recognition or an electronic fingerprint scanning system for workspace access, it is necessary to offer an alternative to workers who do not want to give consent (e.g., a swipe card option), and the employer must ensure that the system only scans workers that have consented to the processing of their biometric data. Additionally, it is necessary for an organization to have security measures in place to protect the biometric data, e.g., only storing a copy of the biometric data where necessary, implementing encryption and organizational measures such as access restrictions.
The public consultation will be open until January 11, 2023 and interested parties may submit their feedback on how to improve the guidance. Further to this, as the draft Monitoring at Work Guidance is the ICO’s first topic-specific guidance on employment practices, the ICO will continue to release further draft guidance on other topics in due course (such as recruitment and selection, employment records, and information about workers’ health), together with additional practical tools and checklists alongside the guidance.