In 2021 the UK ICO said that it would revise its Employment Practices Data Protection Code to reflect the UK GDPR and Data Protection Act 2018. It has now published its first topic-specific guidance on employee monitoring in draft form. The draft guidance is open for consultation until 11 January 2023. 

What happened

The ICO published its Employment Practices Data Protection Code (the Code) in 2011. In 2021 it said that it would review the Code to reflect the legal framework in the UK GDPR and Data Protection Act 2018, along with changes to working practices and technological advances over the last decade. The new guidance would be online and topic-specific.

A draft of the employee monitoring guidance is now available and is open for consultation until 11 January 2023. The consultation invites views on whether the guidance is clear, whether it covers the relevant issues and whether it should provide further examples or cover additional scenarios.

The draft guidance

The core message of the guidance is that, when deciding whether monitoring is justified, employers need to balance their own interests against the degree of intrusion that monitoring will entail for employees. This is unsurprising and reflects the long-standing approach under the Code. Reflecting recent changes in working practices, the guidance emphasises that employees will have significantly greater expectations of privacy where they are working from home than when they are working from an employer’s premises.

The guidance covers both systematic and occasional monitoring. It explains the legal framework for lawful employee monitoring and highlights factors that will be particularly relevant in specific cases, such as email monitoring or video or audio recording. The final section focusses on using biometric data, which the Code did not deal with at all.

Points from the guidance that may require employers to review their approach to employee monitoring include:

  • The need to identify an ordinary and, in some cases, a special categories lawful basis for processing data. A special categories condition will be required where monitoring captures special categories data incidentally, even if this is not planned. For example, monitoring emails may involve processing data about an employee’s health, even if this is not the purpose of the monitoring.
  • The ICO’s view that monitoring to enforce an organisation’s policies will not be justified if a policy does not reflect what happens “on the ground”. If a nominal ban on personal telephone calls is not in fact enforced, for example, it will not be possible to use the policy to justify monitoring telephone calls.
  • An emphasis on the importance of transparency and of seeking the views of workers or their representatives before introducing monitoring. Employees need to understand the nature, purpose and extent of any monitoring and to be given this information in a way that is accessible and easy to understand. Covert monitoring is only likely to be lawful in exceptional circumstances.
  • The fact that it would be good practice to conduct a data protection impact assessment (DPIA) before introducing monitoring, even where there is no legal requirement to do so. DPIAs should consider the extent of an employee’s privacy expectations, and the impact of monitoring on people other than employees, such as household members, if an employee is working from home.
  • The importance of not using data captured through monitoring for a purpose different from that for which monitoring was originally carried out. However, the ICO recognises that there may be exceptional circumstances where monitoring reveals something that an employer cannot reasonably ignore, such as evidence of criminal activity or gross misconduct.

Next steps

The key points of the guidance are not surprising but highlight the importance of taking a balanced and proportionate approach to employee monitoring. Employers are unlikely to be able to justify intrusive monitoring if less intrusive monitoring would allow them to meet their objectives. As the guidance observes, “just because a form of monitoring is available, does not mean it is the best way to achieve your aims”.
