ICO Guidance: Lawful Monitoring in the Workplace
The ICO has this week released guidance in relation to monitoring in the workplace after research commissioned by the ICO revealed that 70% of the public would find it intrusive to be monitored by an employer.
Before employers opt for monitoring, they must comply with their legal obligations, including those under data protection law, and consider employees' rights.
The new guidance is aimed at employers who have decided to opt for monitoring, and assists with:
- providing greater regulatory certainty;
- protecting workers’ data protection rights; and
- helping employers to build trust with workers, customers and service users.
Throughout the guidance the ICO offers advice on what employers must do, should do, and could do to comply. The guidance is useful for employers of all types of businesses.
Monitoring by employers can be for a variety of reasons, which might include meeting regulatory obligations, health and safety or security, but increasingly data analytics are being used to monitor and make inferences about performance and wellbeing.
The guidance is also very useful for those who employ homeworkers, or for those who work in the home, such as cleaners and nannies, as any monitoring must not intrude excessively into private life. This can present more of a difficulty where employees work from home. As the guidance introduction says, “It is not always easy to distinguish between workplace and private information, especially when workers are based at home. Some workers may also use personal devices for work”. Monitoring must be appropriate, so requiring workers to have their camera on may be deemed excessive, but recording the time that they logged into the work computer system is likely to be within reason.
To lawfully collect and process information from monitoring workers, you must identify a lawful basis. There are six to choose from and you must identify at least one that is appropriate for the type of processing you intend to do. These include consent, contract, legal obligation, vital interest (e.g. in a matter of life and death), public task and legitimate interest.
If you wish to cite legitimate interest, there is then a three-part test to consider:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the person’s interests, rights or freedoms?
If the data that you wish to monitor includes any special category data (e.g. personal information revealing or concerning race, political and religious beliefs, health, biometric data and more), there are further obligations to consider.
Posted on 10/05/2023 by Ortolan