Monitoring your workers: Guidance from the ICO

Posted on October 12, 2023
Posted by Marion Kennedy

Last week the Information Commissioner’s Office (ICO) published guidance on how employers can monitor workers in accordance with data protection law. If you monitor your workers (for example, through camera surveillance, keystroke monitoring, webcams, or hidden audio recordings) you must do it in a way that is lawful and fair, and not excessive. You’ll also need to be particularly careful when monitoring home workers, as their expectation of privacy is likely to be higher at home than in a workplace. 

This blog highlights some of the examples given by the ICO around how to monitor your workers in a way that balances your business interests with their rights and freedoms, and uses the least intrusive ways to achieve your aims.

Can I monitor my workers?

Yes, provided you do it in a way that is not overly intrusive, and that complies with data protection law. You must identify a lawful basis for your monitoring (we explain this further below) and check whether you are capturing any sensitive information, which requires further protection (such as personal information about racial or ethnic origin, political opinions, religious beliefs, health or disabilities, sexual orientation, biometric or genetic data, and certain other types of information). 

The ICO provides the following example to illustrate a type of monitoring that is too intrusive, and suggests a different way of monitoring that could be used:

An employer discovers that some of their remote workers are starting work late, so they start monitoring their devices to check whether they are at their computer, using webcam technology. The ICO would consider this monitoring to infringe data protection law because it is disproportionate, and there would be less intrusive ways to check the workers’ start times (such as checking the times workers log in). 

How do I identify a lawful basis for monitoring my workers?

The six types of lawful bases for monitoring workers are:

  1. Freely given consent (this lawful basis can’t generally be used in an employment relationship, given the imbalance of power between employers and employees).
  2. Contract (this basis usually can’t be used in an employment relationship, as monitoring is not usually necessary to fulfil an employment contract).
  3. Legal obligation (you can use this basis if you need to monitor workers to comply with a law). For example, you might monitor your workers’ driving hours, time, speed and distance in order to comply with laws around drivers’ safe working hours. 
  4. Vital interests (this basis is usually used for emergencies, so is very limited in scope).
  5. Public task (where the monitoring is necessary for performing a task in the public interest). 
  6. Legitimate interests (you can use this basis where the monitoring is necessary for your legitimate interests or those of a third party, unless the workers’ rights override those interests). This is the most flexible lawful basis, and could apply in a wide range of circumstances. 

You may not be able to rely on the legitimate interests basis if you monitor workers in a way they don’t understand and wouldn’t reasonably expect, or if it’s likely some workers would object if you explained the monitoring to them. 

How can I assess whether my proposed monitoring of workers is permitted under data protection law? 

To help you assess whether your monitoring is permitted under data protection law, and not overly intrusive, you can use a Data Protection Impact Assessment (DPIA). You can find a template DPIA as part of our Data Protection Impact Assessment Policy. You’ll need to think about what the purpose of your processing is (ie do you have a legitimate reason for it?), whether the processing is necessary for that purpose, and whether the legitimate interest may be overridden by a worker’s interests, rights and freedoms. 

The permitted level of monitoring will also depend on the type of work your workers undertake and the context they work in (eg the ICO points out that a miner would reasonably expect to wear a tracking device in a mine, to protect their health and safety, whereas an office worker wouldn’t reasonably expect to wear a tracking device in an office setting). 

Note that if you are collecting and processing special category data through your monitoring, you must have a special category condition as well as a lawful basis for monitoring the worker. These conditions include explicit consent, employment, social security and social protection (if authorised by law), substantial public interest (with a basis in law), and others. 

Carrying out a DPIA helps you to assess whether your monitoring is permitted under data protection law. When undertaking any monitoring that is likely to cause a high risk to workers’ and other people’s interests, you must carry out a DPIA. Examples of this type of processing include processing workers’ biometric data, keystroke monitoring, performance management, or using profiling or special category data to decide who can access services.

Note that you must only keep the information relevant to the reason you are monitoring the worker; you must also regularly review the information you collect and destroy any unnecessary data. 

Where can I find out more? 

For further guidance on how to monitor your staff legally, see our Q&A. You can find a policy for completing DPIAs here, which includes a template DPIA. Alternatively, you can purchase this policy as part of our Data protection policy toolkit, which includes all the policies you need to comply with your data protection obligations.

The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.