On October 12, 2022, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft guidance on employers’ obligations when monitoring at work (“Draft Guidance”). In addition, the ICO has published an impact scoping document, which outlines some of the context and potential impacts of the Draft Guidance (“Impact Scoping Document”).
The ICO published its current Employment Practices Code in 2011. Since then, the workplace has changed significantly, with technology, employment relationships, data protection law and the COVID-19 pandemic all impacting working practices. In particular, with more workers working remotely than ever before, employers are engaging increasingly in worker monitoring or tracking, using ever more sophisticated tools. The ICO recognizes this, and the Draft Guidance replaces the “Monitoring at work” chapter of the Employment Practices Code to ensure it remains relevant to today’s workplace.
The Draft Guidance is primarily targeted at employers, and aims to help employers comply with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 18”), when monitoring their workforces. The Draft Guidance makes clear that the UK GDPR and the DPA 18 do not prevent an employer from monitoring workers, but outlines a number of requirements for ensuring monitoring activities remain lawful. The Draft Guidance adopts a practical approach, including a number of compliance checklists, and addresses the following key considerations:
- How to lawfully monitor workers: This section provides practical guidance on how employers can lawfully monitor workers by complying with the principles of the UK GDPR. In particular, the guidance provides advice on identifying an appropriate legal basis for processing personal data (including special category data), and complying with notice and accountability requirements, including the need to inform workers about monitoring activities and conduct data protection impact assessments.
- The use of automated processes in monitoring tools: The ICO recognizes that monitoring tools often involve automated processes (e.g., to manage performance or monitor absences, etc.). The Draft Guidance addresses the requirements for utilizing tools that make solely automated decisions that have legal or similarly significant effects on workers, in particular how employers can comply with their obligations under Article 22 of the UK GDPR.
- Specific data protection considerations for different types of monitoring: This section updates the ICO’s previous scenario-based guidance on monitoring workers (as included in the Employment Practices Code) to cover new situations, such as whether employers can monitor telephone calls, emails and messages, work vehicles, device activity, and what employers need to consider when conducting such monitoring activities.
- The use of biometric data for time and attendance control: The Draft Guidance recognizes the increased use of biometric data to monitor and control workers’ access to buildings and systems, and provides guidance on how employers can comply with the principles of the UK GDPR when utilizing biometric data for these purposes.
The public consultation on the Draft Guidance and Impact Scoping Document will remain open until 5pm on January 11, 2023.