On 3 October 2023, the UK Information Commissioner’s Office (“ICO”) finalized its Employment practices and data protection – Monitoring workers guidance (“Guidance”) to account for new types of work, including work from home, and the use of more sophisticated technologies for monitoring. In November 2022, we published a detailed blog post on the ICO’s public consultation.
The finalized Guidance is aimed at employers. It does not prevent employers from engaging in monitoring; rather, it sets out how they can do so in compliance with data protection law. The Guidance defines “monitoring workers” as “any form of monitoring of people who carry out work on [an employer’s] behalf” and can include “monitoring workers on particular work premises or elsewhere” both during and outside working hours. The Guidance is clear that it applies to homeworking. It also applies to a range of monitoring technologies and purposes, including (but not limited to) technologies for monitoring timekeeping or access control; keystroke monitoring to track, capture and log keyboard activity; and productivity tools which log how workers spend their time.
The ICO has not made material changes to the Guidance based on the public consultation. In addition to stating that controllers must comply with the core GDPR requirements when conducting monitoring (e.g., establishing a lawful basis for processing, being transparent with employees), key points of note include:
- Data protection impact assessments (“DPIA”). The Guidance makes it clear that employers must conduct a DPIA before undertaking any processing that may result in a high risk to workers’ and other people’s interests. In particular, controllers must conduct a DPIA before monitoring employees’ emails and messages; processing biometric data of workers; keystroke monitoring of workers; monitoring that may result in financial loss (such as performance management); and using profiling or special category data to decide on access to services.
- Fairness. The ICO emphasizes that employers should only monitor workers in ways they would reasonably expect and not in ways that cause unjustified adverse effects on them. The Guidance gives the example of an employer monitoring how long workers spend using a case management system to assess worker performance. The ICO states that, unless the employer takes into account the work done outside the system, the monitoring is “unfair and inadequate.”
- Special category data (“SCD”). The Guidance states that if the planned monitoring captures special categories of personal data, the controller must identify a lawful basis to process that data under Article 9 GDPR and/or the Data Protection Act 2018, as well as an Article 6 lawful basis, before starting to monitor. The ICO goes on to state that controllers must also identify a lawful basis under both Article 9 and Article 6 GDPR for SCD captured “incidentally” if the nature of the monitoring “makes it likely” that SCD will be collected—e.g., “where monitoring may identify emails between a worker and a healthcare provider or a trade union representative.”
- Biometric data. The Guidance sets out considerations that organizations should bear in mind when processing workers’ biometric data, including fingerprints, iris scanning, retinal analysis, facial recognition templates and voice recognition templates. To process such data, employers must (i) identify a lawful basis; (ii) carry out a DPIA; and (iii) tell workers how the system works, what personal information they are collecting, how it will be used, and the nature and purposes of the monitoring.
Further details of the contents of the Guidance are available in our prior blog post.
Maria Oliveira contributed to the preparation of this article.