Monitoring staff at work is a legal minefield. Navigating it in compliance with data protection principles has been made all the more difficult with ICO guidance being buried in the depths of an out-of-date employment practices code. Luckily, the ICO has been busy updating many of its online resources; one such release is the "Employment practices: monitoring at work draft guidance" intended to help employers understand their data protection obligations. But what exactly are those obligations? Has anything changed since the last guidance was issued? Tune into this session to find out.


Jane Fielding: Good morning. I am Jane Fielding and I am Head of the Employment, Labour and Equalities Team here at Gowling WLG in the UK, and I am delighted to welcome you to this, the second webinar in our series of annual update webinars, when we take a look at what we think you need to know as HR professionals and in-house lawyers as we head into 2023.

Our topic today is data protection. I think when the Data Protection Act and then the GDPR came into force, those of us in practice who thought this would really take off to the extent it has were probably few and far between, but it has become such a feature of our daily working lives: whether it is a grievance, where every second one seems to have a data subject access request attached to it, or a transaction involving TUPE where the outgoing employer refuses to provide the employee information because of data protection. It is a daily feature of our lives these days and therefore it is really important that you understand what to do and what not to do. I think we had a brief hiatus in data subject access requests in the pandemic, when everybody was sadly otherwise occupied, but now we are certainly seeing them coming back, so we thought it was a good time for a refresher on this.

So our speaker today is Karin Kiho, one of the senior associates in the team. Karin has a broad practice ranging through employee relations, litigation in the Tribunals and transactional work, so she is very well placed to help you with the sort of day to day queries that come up and give you some tips to make sure that you are handling this in a compliant way.

So Karin is going to speak for 30 minutes or so. We will leave some time at the end for questions. If you want to ask a question, please can you use the Q&A function rather than the chat function? Probably everybody knows where the Q&A function is since we have all been using Zoom for so long, but just in case, I will say it is at the bottom of your screen in the middle. If you could ask the question with your name: I am not going to name you on the webinar, it is just that if we do not get to your question we want to be able to follow up with you afterwards, and if you ask anonymously, obviously that is a bit tricky.

If you have a tech problem, hopefully you will not but again if you do, then please use the Q&A function as well and Lucy Strong who is helping us behind the scenes with the tech will do her best to sort that out for you.

And it is my job to make sure that I field the questions but also that we finish promptly at 11.45am, so I commit to do that. We will be sending a short email questionnaire around afterwards. It only takes a couple of minutes to fill in and we really would appreciate it if you would do that, so that we can use your thoughts and comments to shape future sessions.

So I will now turn my camera off, go on mute and hand over to Karin.

Karin Kiho: Thank you Jane, and good morning everyone. I would just like to say thank you for joining us.

So as Jane mentioned, I am going to be talking today about data protection and specifically monitoring staff at work, and the particular focus of the webinar will be on the ICO's latest draft guidance on monitoring staff at work.

In terms of an agenda, I will be covering off what monitoring actually means and why an employer might want to do it. I will then briefly cover off the law and what we have currently got from the ICO. I will then address what is different in the latest guidance, which was issued back in October, and I will end the webinar with some practical tips to help improve compliance in your organisation.

Now I should add a disclaimer, as you would probably expect, that data protection law is incredibly complex and very involved, so within the time I have available it would not be possible for me to give you an all-encompassing overview of everything you need to know. It is very much intended to be a whistle stop tour with an employment focus.

So, what do we mean when we talk about monitoring staff at work? Really it is a form of surveillance and its purpose is to obtain information about staff activities in the workplace. Electronic monitoring will now be the most common form of monitoring in the workplace, I would expect, and you could have something like CCTV cameras, which would be the most overt form of monitoring.

You could be monitoring through other means, so looking at emails or email traffic, for example the volume of emails going in and coming out. You could be monitoring phone calls, so something like the volume and cost of phone calls, or you could be recording and monitoring the content, and you could see that happening in a call centre context.

You could be monitoring through the internet, so for example you could be blocking off certain inappropriate websites or social media websites for employees, and you might have systems in place to alert you if anybody tries to access them during working hours. And you could be monitoring through other devices; I have come across printing systems, for example, that tell me how many trees I have effectively killed with all my printing, and while it is a bit disheartening for a junior working on Tribunal bundles, it is certainly something that might be beneficial in some circumstances.

So why would an employer want to monitor their staff? There could be a whole host of reasons. An obvious one might be to protect your interests, for example the use of confidential information. In the course of preparing for this webinar, I actually came across a report that said that around 24% of UK employees had intentionally leaked confidential business information to third parties. You can definitely see why that might be an important reason to monitor, and certainly you can see it happening if, for example, an employee has just given notice or you have just dismissed them and they then log on to their laptop to see what confidential information they can take with them. Now if you have sufficient systems in place to alert you when they try to access your confidential information, even if you cannot prevent the access, then at the very least you might be able to do some damage control afterwards.

You could alternatively be monitoring for performance or quality of service purposes, so going back to the call centre context, if you get a customer complaint you might go back to the recording of the customer service advisor's phone call to see what, if anything, went wrong.

You could be monitoring to identify certain conduct issues, so if you get an allegation of cyber bullying from one employee against a colleague, then you could be looking at the colleague's use of the internet and whether they have logged on to social media sites, for example, perhaps to send inappropriate tweets or other messages, and that could be a helpful tool for investigatory purposes.

You could be monitoring for health and safety, so making sure that your staff are complying with health and safety policies, and that could be particularly important in, say, a warehouse or factory setting. There could be regulatory reasons for monitoring, so some financial services firms are actually required to record certain phone calls, and that is at the request of the FCA and under the regulatory framework.

And the reality is that there could be a whole host of different reasons. For example, you might even be looking to prevent potential reputational issues that may arise from data breaches. Some years ago, there was an aggrieved employee at a supermarket who ended up uploading payroll information online. That in itself attracted media interest and it was widely reported at the time, but it also led to litigation which lasted a number of years. So you can certainly see where reputational issues could come into play, particularly where there is a risk of media interest.

Now you might say, "we have been monitoring for years. What is the big deal? Why are we so worried about this?" Well, you might not necessarily be worried, but certainly when you are talking about monitoring staff, what you are really talking about is processing personal data, and that is when the GDPR and the Data Protection Act get involved.

Those have been around for a number of years and the majority of organisations will have already taken steps to ensure compliance. The ICO still has powers to issue significant fines for non-compliance, going up to £17.5 million or 4% of total annual global turnover, whichever is higher, and the ICO is certainly not afraid to use those powers. I was trying to look up what the highest fines had been in recent years to illustrate the point, and I saw that an airline had been fined about £20 million and a hotel group was fined over £18 million, so the fines can be very high. Data protection issues aside, there could actually be a whole host of other legal considerations that you might need to bear in mind when it comes to monitoring staff.

So, public sector organisations, for example, might have to think about the right to privacy at work under the European Convention on Human Rights. All employers might have to think about whether their monitoring could breach the implied term of trust and confidence and, if it does, whether that could lead to constructive unfair dismissal claims. In most circumstances I would not expect the normal type of monitoring to breach that implied term, but certainly if it is going to be particularly intrusive or covert then there might be a risk of that.

There might also be other considerations, perhaps more criminal in nature, when you talk about unlawful interception of electronic communications, so there is a whole host of things to think about when you start monitoring staff or want to monitor staff.

So what does the law actually say, so far as data protection is concerned? Well, monitoring is not actually prohibited, but it is also not expressly permitted, and the bottom line is that it has to be carried out in compliance with data protection principles. So you very much need to be looking at things like purpose. Why are you processing the data? Why are you doing the monitoring?

You need to have a legitimate purpose that is specific and lawful, and you should not be relying on all of the lawful bases that you could possibly rely on, because you need to be specific. So taking the strategy of drafting a very wide privacy notice, for example, in case something bites in the future, is not going to be sufficient. In terms of scope, you would need to make sure that your monitoring is proportionate to the purpose that you have identified. This is all about making sure that the processing is adequate, relevant and necessary for the purpose you have identified, and that you are effectively not going any further than you need to.

There are also the fairness and transparency principles, which are fairly fundamental to the data protection framework. This is very much about telling your employees of the monitoring activities you are carrying out, and that would usually take the form of a privacy notice. We have actually had cases before where an employee has challenged the use of a CCTV recording in a disciplinary context because the privacy notice had not said that it could be used for that purpose, so that could add a layer of complication. You also need to think about things like security, so making sure you have got the appropriate technical and organisational measures in place to prevent data loss or unlawful processing. Again, this is another area where things can go wrong, particularly as around 88% of all data breaches arise from human error, so no employer is going to be 100% immune to this. A relatively recent example is when the ICO fined a construction company because their systems did not prevent a cyber-attack. In that case, an employee received a phishing email, so an email that looks legitimate but actually is not, and forwarded it to a colleague. The colleague then downloaded the contents, and that ended up installing malware onto their workstation. It ended up compromising the personal data of over 100,000 individuals, and the company was fined over £4 million, so it got quite significant quite quickly.

And when you are thinking about monitoring in particular, you have to bear in mind other potential considerations, such as special category data. If you are going to be processing special category data, say trade union membership or ethnicity, then in addition to complying with the usual principles of data protection, you need to identify an additional exception or ground for processing that data.

And equally, if your processing is going to result, or may result, in a higher risk to personal data, then you would need to carry out a data protection impact assessment. That could be the case, for example, if you are going to be using biometric data to control access to devices or to the building where you work. So with all that said, what have we currently got from the ICO?

Well, we currently have an employment practices code, and monitoring at work does feature in the code; it is in part 3 and it is around 19 pages, and I am sure it has been light bedtime reading for many of us! It broadly covers the items that I have listed on the slide, so it provides an overview of monitoring and then the specific considerations for the various types of monitoring that are listed in points two to six.

Now you might ask: "if we have got the code and we have got an existing document that we are working with, why is the ICO changing it? What has prompted all of this?" Well, the bottom line is that the code is very much out of date; from what I can see it has not been updated since about November 2011, and we have obviously since had the introduction of the Data Protection Act and the GDPR.

We have also had Brexit, which has made us a third country for the purposes of data transfers from the EU, so again that has not been reflected. Obviously over the past 11-12 years we have also had significant improvements in technology and the way in which we use technology in the workplace and, again, that is not reflected. And actually, the ICO produced a call for views summary report following its initial consultation, and it said that respondents were very much concerned about technological advancements and the sophistication of monitoring tools nowadays.

And whilst the ICO said that the same data protection principles would apply, so it is no different whether it is old technology or new technology, it would be updating its guidance in due course.

And we have obviously had the Covid pandemic, and I am sure we are sick and tired of hearing about it, but it has certainly impacted on how we work or, I guess more precisely, where we work, because there has been a huge trend towards hybrid or home working. That obviously can affect monitoring activities, which has not been properly reflected, and I will talk about that in a bit. Again, unsurprisingly, that was a key theme that the ICO identified in the summary report that it produced.

So in terms of what the ICO is actually doing more widely: they are doing a wider overhaul, but they are not looking to replace the code with a new code. What they are looking to achieve is effectively to create a web-based hub of guidance. So what we can expect from that is lots and lots of updates on the ICO's website in the future.

So then, let us look at what is in the new guidance document on monitoring. What we got was a document called "Employment practices: monitoring at work draft guidance" and, as the slide says, it was published on 12 October 2022. It is aimed at all organisations, both public and private, so that is helpful, and its purpose is said to be to provide clear and practical guidance on monitoring workers in accordance with data protection laws, and to promote good practice. This is actually very similar to the purpose set out in the current code but, obviously, the ICO has adopted a different strategy in how it wants to achieve it.

And in terms of where we are with the draft document, the consultation on it ended last week, on 20 January. So at the moment, it is very much a case of "watch this space!" I would highlight in the meantime that, because this is only a draft document, there is not yet a need to do anything within your organisation on the back of it. It is worth keeping an eye out for when the final version is published and then looking at what, if anything, needs to change internally.

So, what does the new guidance actually contain? The starting point is that it is about 54 pages long, so clearly, compared to the 19 pages in the code, it is a lot more detailed and very focussed on monitoring, which is in many ways helpful. It covers the five points that I have listed on the slide.

So very broadly: how to lawfully monitor workers, so an overview of the law; it talks about automated processes; it provides a checklist for lawfully monitoring workers; and the bulk of the guidance is actually on point number four, specific considerations for different types of workplace monitoring. Lastly it ends with how to use biometric data for time and attendance control, as well as monitoring. I am going to take you through each of these sections in turn.

So the first section of the draft guidance is "lawfully monitoring workers", so effectively an overview of the legal position. Since I have already summarised some of the key principles earlier in the webinar, I am not going to cover that off again, and I am sure there is a sigh of relief! What I have focused on in this section is how the guidance document compares to the code.

So my impression is that the guidance document is quite practical, as it provides a simple overview of the legal framework, and it very much breaks down the data protection principles with easy to digest examples to bring it to life a little bit more. What I also quite like is that the draft guidance signposts you to the relevant pages of the ICO website, so if there is something that you might want to bear in mind but which is very detailed and complicated, instead of sending you down a rabbit hole in the same document, it just tells you where to look on the ICO website.

And there are also other considerations that I thought it might be worth flagging on this webinar. My impression is that there is a bit of a shift in some of the emphasis that the guidance has compared to the code. The change in emphasis has been, for example, in relation to the interpretation of impact assessments. While they are covered off by the existing code as well, there seems to be a greater shift in the draft to actively promote completing one as a matter of good practice, even if there is no higher risk to personal data from your monitoring or processing. And that is partly to evidence compliance.

Equally, there is a greater focus on consultation with employees in the latest draft, particularly if you are introducing a new form of monitoring. The guidance document goes into quite a lot of detail as to why it is beneficial to consult: it is really to improve transparency, build trust with your workforce, and minimise complaints if you take feedback, and any concerns that your employees may have, earlier.

And the draft is also very strong in its emphasis on the need to record any consultation that you do undertake and, if you choose not to consult, you would need to have a good reason for it and again you would need to record that decision with a clear explanation. So there is very much a theme, in my view, of keeping records to evidence compliance, and it might give us a bit of a clue as to what the ICO might be expecting in the event of a data breach: to see lots of records and documents effectively evidencing compliance.

The next section is all about automated decision making. This is effectively a form of making decisions about your workers without any human involvement, and in the workplace context you could see that happening, for example, in absence management. Now it may not be relevant to all organisations, but it is certainly relevant to those organisations that do use automated decision making, because it carries potential risk if it is not used carefully. The draft guidance highlights that the risk is that there could be inaccuracies and there could be potential for discrimination.

And again, if we take the example of absence management: even though an automated decision might be to progress an employee who is absent to the next stage because they have hit a certain level of absence, there is a risk that actually they might be absent because of a disability, in which case is it the right thing to do to jump to the next stage of the absence management process without first considering something like reasonable adjustments? If you fail to take reasonable adjustments into account, there could be a risk of a discrimination claim.

So bearing in mind the extra risk that exists with automated decision making, there are additional restrictions in place on any sort of decision making that does not involve humans, and this includes having a narrower scope, a narrower set of purposes, on which you can rely in automated decision making. There is also a big emphasis again on telling your workers, and you should be telling them not only about the significance and consequences of the processing but also the logic involved behind it.

There are also other considerations to bear in mind, so the need to introduce simple ways to request human intervention, and also making sure you are carrying out regular checks that the systems are not going completely rogue and that they are working as normal. Insofar as human oversight is concerned, the key emphasis in the guidance is to make sure that any human intervention is meaningful.

So it needs to be critical and challenge the output of the system, so when the computer says "no", not necessarily accepting that it says "no". And if it is being used as a decision making support tool, then the system's recommendations again need to be checked and you need to bear in mind wider factors. Take the example of absence management: what is the reason for the absence? That is unlikely to be something that the system itself takes into account, so the human would need to do it.

The next part of the draft guidance sets out an easy checklist to basically ensure compliance with the legal principles when you are monitoring staff. The reality is that the ICO has been using these types of checklists for years, so it is not necessarily new, and it is understandable why they are continuing to use them, because they will help focus minds and will also encourage and simplify compliance. Even though I have not come across it in practice, it is possible that if you do complete checklists as a matter of course for monitoring staff, then it may be good evidence of compliance, or attempted compliance, in the event of a data breach.

We then get to the next section of the guidance document, which sets out specific considerations for various types of monitoring. I have listed the various types that the guidance covers on the slide, but I am not going to take you through each one, in the interests of time; I have selected a couple which I think might be interesting to flag.

So this is all about audio monitoring, and recording face to face conversations rather than just monitoring business calls. What the guidance says, rather unsurprisingly I think, is that "this type of monitoring is highly intrusive and it is unlikely to be justifiable in most circumstances". But it actually even goes on to say that "continuous audio recording is more privacy intrusive than purely visual recording via a CCTV camera". It needs to have an even more robust justification.

The draft recommends that the default position should be to switch off any capability to audio record, and that is to limit the scope of the processing and the monitoring you are doing; it should only be switched back on and used in exceptional circumstances. So, for instance, you might have audio recording capabilities in your office, but they are switched off by default, and if you need to carry out a specific investigation, say into unlawful activity or alleged unlawful activity, then you can switch it on for that purpose alone.

So the audio monitoring very much needs to be particularly targeted at a specific risk, and it should also be confined to areas where there is no or low expectation of privacy. If you take the example of a conference room versus changing rooms or bathrooms, there is obviously going to be a much greater sense of privacy in a bathroom or a changing room than there is in a conference room.

And if you are going to use audio monitoring, in addition to complying with the usual principles, the draft guidance recommends that you complete a data protection impact assessment, effectively setting out the pros and cons of the monitoring that you are doing as well as explaining why the monitoring is necessary in the first place. Again, and unsurprisingly, there is an emphasis on telling your workers about the extent and nature of the monitoring and why it is being carried out, and there is also an emphasis on making sure that anyone caught by the monitoring, so anyone visiting the office for example, is aware of the monitoring and its purpose.

And another thing that the guidance document emphasises, or flags for you to think about, is: if you do get a subject access request and the audio recording falls within the request, how will you be redacting the personal data of third parties? It leaves you with a nugget to think about!

Another area that the draft guidance covers off relates to monitoring homeworkers, and obviously the draft recognises that there has been an increase in remote and home working, but actually it is really light on guidance as to what to do about it. All it says is that it acknowledges there is a greater expectation of privacy at home, so there is obviously a greater risk of capturing family and private life, but other than to say "factor this into your planning", it does not really provide much more assistance.

And that is actually interesting because the call for views summary report that I referred to earlier said that monitoring homeworkers was one of the most frequently recurring themes amongst respondents, and it also emphasised that it is a key priority area for the ICO. So what I suspect is that we might be getting more specific guidance on it in due course, but whether it is in this sort of guidance document or on the website is yet to be seen.

And the last section of the draft guidance is all about biometric data. Unhelpfully, it sets out the GDPR definition of biometric data, which I do not think is particularly friendly but, in layman's terms, it is effectively information relating to people's characteristics that is used for identification purposes, and it includes things like fingerprints and facial recognition. Although it sounds fairly sci-fi, the reality is that these systems are being used very frequently now in the workplace, so you could have things like laptop access governed by fingerprints or facial recognition.

And the guidance is actually quite detailed on biometric data and using biometric data to monitor workers. I am not going to cover all of it, but I have picked out a few of the more interesting points to flag. The guidance document does say that biometric data could be special category data if it is processed to identify a specific individual, and this means that it would need an additional condition for processing in addition to complying with the usual data protection principles.

Now actually what it says is that consent is likely to be the most used additional condition for processing biometric data, and to ensure it is validly given you should offer an alternative option to workers so they can make their own choice as to whether or not they want their biometric data to be used. But the key there is to make sure that the alternative option that you give to non-consenting workers is not going to be any less advantageous. Another big issue that the guidance document flags with biometric data is the statistical accuracy of the system and the fact that it might not be 100% accurate.

So the guidance document very much says that it is your responsibility as the organisation using it to make sure that the match rate and the risk of false negatives are made clear, and that is even if the system is being provided by another organisation. It also says that you need to have in place an easy alternative if things go wrong; so if there is a misreading of biometric data, the option to manually override any false readings.

Another concern with biometric data could be that there is scope for discrimination. Some studies, apparently, have shown that facial recognition is less precise for some demographic groups. Again, the guidance document says to make sure that the system you use is suitable for the groups and individuals that you are planning to use it for.

So with all that said, has anything really changed? I think the reality is that there has been no earth shattering revelation! The guidance document is very much about being up to date on the law and the relevant current working practices. My view, on the whole, is that it is easier to follow, because it breaks down the law in simpler terms with good examples, but it does add length if you already know the legal position and just need the practical checklists. And obviously some sections, such as monitoring homeworkers, will need some more work, so whether or not that is going to be included in the guidance or on the website is to be seen.

And I thought I would end the webinar on some practical tips. When it comes to data protection, no "one size fits all" approach is going to be suitable! It is very much a matter of taking stock of the data you collect, and making sure that you are doing it in compliance with data protection principles. When it comes to monitoring, a key point is to inform your staff; to make sure they know what data you are collecting and why, as part of the monitoring. This is all about making sure that your privacy policy is sufficiently widely drafted, but also, again, being quite specific on the lawful basis on which you are doing the monitoring.

You should also be considering whether to consult with employees to try to improve workplace relations, improve trust and minimise the risk of any complaints. The key theme in the draft guidance document is about keeping records; making sure that you have appropriate records of what you have done to comply with data protection considerations. So if you decide not to consult with your employees, what is your reason for it? Is it good enough? Have you recorded it?

You might also want to think about training, because if a huge amount of data breaches are down to human error then you might need to provide some refresher training, and I would certainly recommend keeping records of it because I think most of us have come across a disciplinary hearing, for a breach of a policy that the employee claims they have never seen before in their lives! So it is very much worth keeping records of what training you have provided to whom and when, and if there is any way of making… receiving confirmation from employees that they have read a certain policy or maybe they have completed a test to check their understanding then that can obviously be helpful as well.

Given that the ICO is overhauling their website and their guidance documents it is very much worth keeping an eye out for any more updates, and obviously seeking legal advice if that is needed for any particular issues you may have. So I will now hand back to Jane.

Jane: Thanks Karin. So we have got quite a few questions. The first one was about something that you touched on towards the end about the use of biometric data. So you talked about the fact that to make sure any consent… to use that was a valid consent, which obviously is quite difficult in the employment sphere under the Data Protection Act, that it was important to give an alternative that did not disadvantage people. So the request is for an example of what that alternative might look like.

Karin: Okay. So you could take the example of say work laptops that use facial recognition for access. Now you would obviously offer employees the option of signing up to access their laptops with facial recognition, and that is if they consent to the use of their biometric data. But for those that do not consent, the key is to provide an easy alternative option; to make sure that they can still access their laptops but it does not mean that they have to, you know, go through extra hoops to do it.

So instead of making all non‑consenting employees spend 30 minutes in a queue to the IT team to try and remotely get access, you could offer the obvious option of, you know, a simple pin code or a password. So it is more… it is very much about making sure that the alternative option does not disadvantage them; is not more time consuming; and is as simple to use as the facial recognition option.

Jane: Okay. So the next question is a scenario that, I am sure, many people on the Webinar will have come across. So they have got an employee who is threatening to report them to the ICO for a data breach and the question is, is there anything specific that they should be doing having received that threat?

Karin: Well I think it very much is a case that "it depends on the circumstances". It is the famous line that all of us lawyers tend to provide in the first instance.

Jane: And the best advice!

Karin: (Laughs) and you may want to take specific legal advice on it because obviously it can be quite complicated. But I guess, from an employee relations point of view, the first thing you might want to do is just to acknowledge, you know, the fact that they have flagged this concern and say that "you will look into it". And in terms of what you do with the threat itself – I mean you cannot prevent, or you should not be trying to prevent, a complaint to the ICO, but instead you might want to look at, "what has actually prompted them to make it?"

You know, is there a potential legitimate data breach that they are referring to? And if there is, you should investigate it, make sure you understand why it happened; how it happened; what data is affected; and what you can do about it, to try and limit the damage. And also what you can do to prevent it from happening in the future.

Another thing, I guess, to think about is that there are reporting obligations if the data breach could lead to a risk of harm. So you would not only need to report it to the ICO in a relatively short period – I think it is 72 hours from when you found out about the breach – but you may also need to tell the data subjects, so potentially the employees whose data has been compromised.

Well really this requires some sort of assessment of, you know… is the data breach very serious? Or is it just a minor mix up, where not much has happened and there is not really going to be much harm to it? And I guess, strategy wise, it would be worth thinking about whether you want to write to the ICO regardless. Though whether or not you… you know whether or not you have got enough information to know if a report has been made, you might want to act pre‑emptively – send them a letter to say "this is what has happened; this is what we have done to control it; this is what we have done to make sure it does not happen again in the future".

And while it may not prevent the ICO looking at it quite carefully and investigating, at least it might help show them that, actually, it is a concern that has been taken very seriously, it has not been ignored and steps have been taken to try and minimise the risk of it happening in the future. And that may disincentivise the ICO from focussing on it maybe as much as it may have otherwise done.

Jane: So sort of get on top of the facts and do not be defensive, I suppose?

Karin: Basically yes.

Jane: So there are a couple of questions on the next topic which I will try and squeeze in before we have to finish. It is… a lot of what you talked about was about employers monitoring data of employees, but a couple of people have asked the question of "well, what about the other way round?", and it is a scenario that we see, I would say increasingly, where an employee makes a covert recording of perhaps a disciplinary meeting or something, where trust may already be low. You know, "is that not already a data breach?" is the question, and "what can you do about that?".

Karin: Well… I mean… as you say Jane, it is a hugely contentious issue and actually you do come across that quite a lot, I think we all do when we are advising on disciplinary hearings or something along those lines, or in the context of, I guess, litigation. I mean, in theory, it is possible that there could be a data breach by the employee if they covertly record a meeting without consulting or without having agreed it. I guess there could equally be an argument that, you know, it might fall in the sort of household exemption because it is a one‑off and it is an individual doing the recording. So there might be an argument to say that actually the data protection legislative framework does not actually capture that type of recording.

And I guess in terms of what you can do about it – it may be a disciplinary issue, so it could be a form of misconduct; if not gross misconduct, although probably not gross misconduct in most circumstances but obviously it depends on the facts. It could be a breach of confidentiality and there is an argument to say that it might undermine the implied term "trust and confidence". So it could go back to the gross misconduct point but that might especially be if an employee has been told not to make any recordings. But I guess, in reality, we do not often see employers acting on, you know… taking very serious action against employees who do covertly record because usually there is nothing really to hide anyway.

Jane: Yes.

Karin: Sorry, I was just going to add one more point around litigation because it is a question I get very often about recordings. I often get the question of whether they can be admissible, whether they can be used in court proceedings. And the short answer is that they might be able to use it in court proceedings, but it does not look very favourably on the person who created the recording, so it might go to the question of their character more generally.

Jane: Yes. Okay. Thanks Karin. So we have hit 11:45, so I am going to draw it to a close there. I am sorry we did not get to all of your questions but, as promised, we will come back to you afterwards, if you are one of the people who we were not able to answer a question for.

Please do fill in the questionnaire when you receive it. It will only take a couple of minutes, and I hope that you can join us next Tuesday for our third Webinar where I am going to be talking about philosophical belief protection, with a particular focus on the current debate about gender identity and gender critical beliefs.

So I will just say thank you very much to Karin, thank you to Lucy and thank you to all of you for joining us, and I hope you have a good rest of the day. Goodbye.