Monitoring at work: finalised ICO guidance

The Information Commissioner’s Office (ICO) has published new workplace monitoring guidance.

Following on from its 2022 consultation, the ICO has produced new guidance which replaces the guidance set out its 2011 Employment Practices Code. Aimed at employers across both the public and private sector, the new guidance provides clear direction on how monitoring can be conducted lawfully and fairly. As well as outlining legal requirements, it also includes good practice advice.

Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. If an organisation is looking to monitor workers, it must take steps including:

  • making workers aware of the nature, extent and reasons for monitoring
  • having a clearly defined purpose and using the least intrusive means to achieve it
  • having a lawful basis for processing workers data – such as consent or legal obligation
  • telling workers about any monitoring in a way that is easy to understand
  • only keeping the information which is relevant to its purpose
  • carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to the rights of workers, and
  • making the personal information collected through monitoring available to workers if they make a subject access request

The guidance provides an overview of how data protection law applies to the processing of personal data for monitoring workers. It also considers specific types of monitoring practices, including the use of biometric data to monitor timekeeping and attendance.