The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”). The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers.
The Draft Guidance was published on 12 October 2022. Once finalised, it will provide a welcome update to the ICO’s existing guidance on monitoring, which is contained in part 3 of the Employment Practices Code published in 2011 and has not been updated since the coming into force of the Data Protection Act 2018, the UK’s implementation of the EU General Data Protection Regulation.
The Draft Guidance covers both systematic monitoring as a matter of course and occasional monitoring for a specific need. It is intended to cover a wide range of monitoring technologies, including those which track internet activity and monitor keystrokes, timekeeping and access control, camera surveillance, webcams and screenshots.
The Draft Guidance helpfully addresses a number of scenarios that are likely to arise in the workplace, including the use of commercially available monitoring tools, the monitoring of emails, messages, telephone calls and device activity, and the use of audio and video recordings.
In most scenarios, the Draft Guidance recommends that employers undertake a data protection impact assessment alongside taking targeted, practical measures to ensure compliance with their data protection obligations. Certain measures highlighted in the Draft Guidance include:
- employers should put in place an acceptable usage policy for their systems and bring it to workers’ attention regularly;
- employers must ensure workers understand what data is being processed during monitoring and ensure they remain aware that monitoring is being conducted. Covert monitoring should be reserved for exceptional circumstances, such as where there are grounds for suspecting criminal activity;
- employers should seek and document the views of workers or their representatives in advance of monitoring, unless there are good reasons for not doing so. Where employers decide not to do so, they should record this decision with a clear explanation;
- when monitoring phone calls, employers should distinguish between network data and content and access content only in exceptional circumstances;
- where monitoring employees to prevent data loss or detect malicious traffic on employers’ systems, as good practice, employers should consider:
  - offering unmonitored access for workers, for example, free Wi-Fi, or standalone devices (with confidentiality safeguards) to facilitate some private usage;
  - putting measures in place to minimise interception, which risks disproportionate intrusion (for example, visits to health-related websites); and
  - documenting the monitoring in a policy which explains when and by whom information about suspicious activity can be accessed;
- where capturing computer or device activity, employers should fully document their justification for carrying out monitoring, including what consideration was given to using less intrusive means;
- where monitoring workers remotely, employers should keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher, so employers should factor this risk into their planning; and
- before undertaking any monitoring which uses information from an outside source, employers should make sure that their purpose (for example, suspicion of criminal activity) justifies the potential adverse impact – they should not search external sources for information about a worker without good reason.
The Draft Guidance also takes account of recent developments in technology and changes in workplace practices. For example, it includes sections on monitoring while working remotely and on the use of biometric data.
The Draft Guidance is open for consultation until 11 January 2023 and can be found here. In the meantime, employers are advised to review their privacy notices, policies and procedures and start to identify where changes may need to be made.