The data privacy watchdog the ICO has published guidance to help employers fully comply with data protection law if they wish to monitor their workers.
Emily Keaney, Deputy Commissioner – Regulatory Policy at the Information Commissioner’s Office (ICO), says: “Our research shows that today’s workforce is concerned about monitoring, particularly with the rise of flexible working – nobody wants to feel like their privacy is at risk, especially in their own home. As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers. Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.
“We are urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented. While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights of workers. We will take action if we believe people’s privacy is being threatened.”
The ICO says that monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. To do monitoring, the regulator suggests steps including:
– Making workers aware of the nature, extent and reasons for monitoring.
– a clearly defined purpose and using the least intrusive means to achieve it.
– a lawful basis for processing workers data – such as consent or legal obligation.
– Telling workers about any monitoring in a way that is easy to understand.
– Only keeping the information which is relevant to its purpose.
– Carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to the rights of workers.
– Making the personal information collected through monitoring available to workers if they make a Subject Access Request (SAR).
As for covert monitoring the guidance states that it is unlikely that you will be able to justify covert monitoring in most usual circumstances. However, there may be exceptional circumstances where you might be able to justify this. For example, if covert monitoring is necessary to enable you to prevent or detect suspected crime, or gross misconduct. While the guidance on covert includes many shoulds and shouldn’ts, it says that you must carry out a DPIA (data protection impact assessment); if you are considering using a private investigator to collect information on workers covertly, you must have a contract in place that requires them to only collect information in a way that satisfies your obligations under data protection law; and you must only use information gathering covertly for the purpose intended.
A survey alongside the release suggested that older people (aged 55 to 64) are most likely to find monitoring intrusive than the youngest in the workforce. Most, 70 per cent of the public said they would find it intrusive to be monitored by an employer in any way.
Advice
As for general compliance, Vivek Dodd, CEO of an online compliance training service, Skillcast, says: “Being transparent with your staff about monitoring is important for building trust and maintaining a positive work environment. By following these steps and being open and honest with your staff about monitoring practices, you can create an environment of trust and cooperation, where employees understand the need for monitoring and are comfortable with its implementation.”
-
Establish clear policies and guidelines
Create a set of well-defined policies and guidelines that outline the reasons for monitoring and the types of monitoring that will occur. These policies should be easily accessible to all staff members.
-
Communicate the purpose and necessity
Explain to your staff why monitoring is necessary. Ensure they understand that it’s not about invading their privacy but about ensuring compliance, security, and productivity. Be honest about the risks your organisation faces.
-
Involve staff in the process
Whenever possible, involve your staff in discussions about monitoring procedures. Ask for their input and feedback. This can help create a sense of ownership and cooperation.
-
Respect privacy and legal requirements
Make sure that your monitoring activities are in compliance with all applicable laws and regulations. Be aware of privacy laws like GDPR, and ensure your monitoring practices don’t violate these rules.
-
Explain how data will be used
Let your staff know how the data collected through monitoring will be used. Will it be used for performance evaluations, security purposes, or something else? This can alleviate concerns about misuse.
-
Establish consequences for policy violations
Clearly outline the consequences of policy violations and consistently enforce them. Staff should know the potential outcomes if they breach the monitoring policies.
-
Respect employee rights:
Remind employees that they have the right to express concerns or request clarification about the monitoring process as the ‘data subject’. Let them know who to contact should they wish to access the data collected (this is usually your data protection officer)
-
Seek legal counsel
If you’re unsure whether your monitoring practices are compliant, consult with legal experts to ensure that your monitoring practices are compliant with all relevant laws and regulations. Legal advice can help you navigate the complexities of data privacy and employment laws.
