HR Hub

Draft guidance on monitoring at work has been published.

The Information Commissioner (ICO) has launched a consultation on its draft guidance on monitoring at work. It’s not exactly ground-breaking but does aim to provide greater regulatory certainty and protect the data protection rights of employees and workers. Once approved, this will replace the guidance set out in the ICO’s 2011 Employment Practices Code.

The guidance explains employers’ legal obligations if an organisation is considering, or is already carrying out, monitoring of workers. It also addresses specific kinds of monitoring. It explains how lawfully to monitor workers and the underlying data protection law principles. It provides guidance on the extent to which the ICO considers it sensible to engage and consult with staff in respect of monitoring, and also addresses some tricky issues such as covert recording. Guidance on data protection impact assessments, security and retention is also included.

Points from the draft guidance that may require employers to review their approach to employee monitoring include:

• The need to identify an ordinary and in some cases a special categories lawful basis for processing data. A special categories condition will be required where monitoring captures special categories data incidentally, even if this is not planned. For example, monitoring emails may involve processing data about an employee’s health, even if this is not the purpose of the monitoring.
• The ICO’s view that monitoring to enforce an organisation’s policies will not be justified if a policy does not reflect what happens ‘on the ground’. If a nominal ban on personal telephone calls is not in fact enforced, for example, it will not be possible to use the policy to justify monitoring telephone calls.
• An emphasis on the importance of transparency and of seeking the views of workers or their representatives before introducing monitoring. Covert monitoring is only likely to be lawful in exceptional circumstances.
• The fact that it would be good practice to conduct a data protection impact assessment (DPIA) before introducing monitoring, even where there is no legal requirement to do so. DPIAs should consider the extent of an employee’s privacy expectations, and the impact of monitoring on people other than employees, such as household members, if an employee is working from home.
• The importance of not using data captured through monitoring for a purpose different from that for which monitoring was originally carried out.

The public consultation on the draft guidance will remain open until 11 January 2023. The ICO is also expected to publish further draft guidance on other parts of the 2011 Code in due course.