The Information Commissioners Office (ICO) has published helpful guidance on lawful employer monitoring of staff in and away from the workplace. The information provides advice on how companies can compliantly check in on their workforce, while simultaneously ensuring that they do not fall foul of stringent data protection regulations as well as the fundamental human right to respect for a private and family life.
Can you monitor your workforce?
The guidance makes it clear that monitoring, be it for performance reasons or to ensure compliance with regulatory obligations, is permitted, provided the rights of staff members (being employees, contractors, temporary and agency workers, interns, volunteers and apprentices) are not infringed in the process.
What kind of monitoring is covered by the guidance?
The ICO guidance covers monitoring both in and away from the workplace (so homeworking for example is caught by the regulations), both during and outside of working hours. A range of monitoring technologies are identified, including webcams, timekeeping or access control monitoring, keystroke monitoring and productivity tools which log how staff spend their time. The use of CCTV is also covered.
Which lawful basis/bases for monitoring applies?
As with all processing of personal data, a lawful basis (under Article 6 of the GDPR) of processing must be present before information can be collected. Employers must be clear about the purpose of the monitoring and choose the least intrusive means of doing so. If there is a likelihood that special category data (more sensitive data such as that relating to religious beliefs, health or similar) will be collected, even if just incidentally, the employer must identify a special category processing condition (under Article 9 of the GDPR), as well as a lawful basis. This will often be explicit consent of the worker, however consent must be freely given which is often difficult in an employer/employee relationship due to the imbalance of power. A genuine legitimate interest of the business is another commonly used basis, however this must not outweigh the rights and interests of the worker. The purpose behind the monitoring must also be considered.
Staff members must be notified
Whatever the basis/bases and purpose/s, it must be notified to the worker in order to ensure transparency, usually in the employee privacy notice. For CCTV, consider signage too.
Data minimisation and retention
Further, the employer must not collect more information than is needed to achieve the identified purpose. Similarly, the information collected must not be kept for longer than is necessary for the purpose for which it was originally collected. The retention period must be justified.
Covert monitoring
It is worth noting that the ICO considers that covert monitoring is unlikely to be legally justifiable unless it is being utilised to enable a business to detect or stop suspected criminal activity or gross misconduct. The fact that such covert monitoring may occur should also be notified to workers in the privacy notice.
Data Protection Impact Assessment
The ICO recommends that employers carry out a Data Protection Impact Assessment (DPIA) before carrying out monitoring of their workforce, to demonstrate that sufficient consideration has been given to the fairness of, and purpose behind, the monitoring. A DPIA is mandatory for any monitoring likely to involve special category data, as well as for covert monitoring. The results of any monitoring must be kept secure and only be accessible to those who have a genuine ‘need to know’.
Checklist
The ICO provides a helpful checklist with key points to consider when thinking about the monitoring of a workforce.
It is interesting to consider that a study by the ICO revealed that 70% of the public would find it intrusive to be monitored by an employer. This should be at the forefront of an employer’s mind when considering the fairness and legal basis of the monitoring, or indeed whether they want to monitor their staff at all.
For further advice on monitoring staff and in relation to data protection laws generally, please get in touch.
Madeleine Rhodes MRhodes@redfernlegal.com
