ICO issues guidance on workplace monitoring
Organisations must consider both their legal obligations and their workers’ rights before they implement any monitoring in the workplace, the Information Commissioner’s Office ("ICO") said to day as it published new guidance.
With the rise of remote working and developments in the technology available, many employers are looking to carry out checks on workers. The ICO guidance aims to help employers fully comply with data protection law if they wish to monitor their workers.
Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity.
Research commissioned by the ICO reveals that almost one in five (19%) people believe they have been monitored by an employer – yet only the same percentage would feel comfortable taking a new job if they knew that their employer would be monitoring them. If monitoring becomes excessive, it can intrude into people’s private lives.
Aimed at employers across both the public and private sector, the new guidance provides clear direction on how monitoring can be conducted lawfully and fairly. As well as outlining legal requirements, it also includes good practice advice to help employers build trust with their workers and respect their rights to privacy.
If an organisation is looking to monitor workers, it must take steps including:
- making workers aware of the nature, extent and reasons for monitoring;
- having a clearly defined purpose and using the least intrusive means to achieve it;
- having a lawful basis for processing workers' data – such as consent or legal obligation;
- telling workers about any monitoring in a way that is easy to understand;
- only keeping the information which is relevant to its purpose;
- carrying out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers;
- making the personal information collected through monitoring available to workers if they make a subject access request.
The guidance provides an overview of how data protection law applies to the processing of personal data for monitoring workers. It also considers specific types of monitoring practices, including the use of biometric data to monitor timekeeping and attendance.
Emily Keaney, Deputy Commissioner – Regulatory Policy at the Information Commissioner’s Office, commented: “Our research shows that today’s workforce is concerned about monitoring, particularly with the rise of flexible working – nobody wants to feel like their privacy is at risk, especially in their own home.
“As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers. Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.
“We are urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented. While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights of workers. We will take action if we believe people’s privacy is being threatened.”