On 3 October 2023, the Information Commissioner’s Office (ICO) published guidance (the Guidance) on lawful monitoring in the workplace. The Guidance provides advice to companies to help them comply with their obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) when monitoring anyone who performs work on their behalf. This is not limited to employees and could include monitoring of workers or those who are self-employed.
Scope of the Guidance and methods of monitoring
The Guidance governs the monitoring of workers within the work premises but also in other places where they may be working, including their homes, vehicles or on the street. It includes monitoring during and outside of working hours and both systematic monitoring (i.e., monitoring performed as a matter of course) as well as occasional monitoring (i.e., monitoring introduced as a short-term response to a specific need).
The types of monitoring technologies that could be caught by the Guidance include keystroke monitoring to track, capture and log keyboard activity; tracking internet activity; audio recording; camera surveillance; telematics boxes; body-worn cameras; wearable devices; and covert monitoring.
Key considerations when monitoring
Workers should only be monitored in ways that they would reasonably expect, and not in ways that cause unjustified adverse effects on them. The ICO recommends that in some circumstances the company should carry out a data protection impact assessment (DPIA) with respect to workplace monitoring activities, even if one is not strictly required under the law. However, we would recommend conducting a DPIA for most monitoring activities, not least because conducting a DPIA will demonstrate that the company has assessed the fairness of the monitoring and has considered its potentially unjustified and adverse effects.
Companies looking to monitor workers should consider taking the following steps:
- Ensure that the nature, extent and purpose of any monitoring are documented and communicated to workers in a transparent, clear and accessible way. In most cases, this is likely to be achieved using the employee privacy notice but, depending on the complexity of the technology, you may also need to provide more detailed explanations;
- Be clear about the purpose for monitoring, and select the least intrusive means to achieve it;
- Make sure the processing of workers’ data is lawful and you have identified a lawful basis for processing (e.g., the processing may be necessary to comply with the law);
- Only keep information that is relevant to your purpose for monitoring;
- Carry out a DPIA;
- Make personal data obtained through monitoring available to workers if they submit a subject access request; and
- Understand what your obligations will be in relation to the personal data obtained through monitoring if the data subject requests to exercise any of their rights (e.g., their right to erasure).
Given the increase in remote working, it is crucial to monitor workers in a way that is compliant not only with the UK GDPR and DPA 2018, but also with Article 8 of the Human Rights Act 1998, which sets out the right to respect for a private and family life. This is because workers have a significantly greater expectation of privacy at home compared to the workplace, and companies run a greater risk of capturing information relating to workers’ family and private lives.