On October 3, 2023, the UK Information Commissioner’s Office (“ICO”) published new Guidance on lawful monitoring in the workplace, designed to help employers comply with their obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”).
The Guidance aims to provide greater regulatory certainty, protect workers’ data protection rights, and help employers build trust with workers, customers and service users. The Guidance addresses monitoring that takes place both on and off premises and within and outside of work hours. Notably, the Guidance addresses remote workers, and highlights that those working from home likely have a higher expectation of privacy.
The Guidance emphasizes that employers must comply with the data protection principles of the UK GDPR, regardless of the monitoring technology being used, and select the least intrusive means to achieve the purposes of their monitoring. The Guidance also highlights that if workplace monitoring results in the processing of special category data, even if incidentally, employers must identify a permitted purpose for which the data is processed, as set forth in Article 9 of the UK GDPR.
The Guidance encourages employers to monitor workers in ways they reasonably would expect, and to avoid monitoring that could create unjustified adverse effects for workers. The ICO also recommends that employers complete data protection impact assessments (“DPIAs”) with respect to workplace monitoring activities, even when not specifically required under the UK GDPR. The ICO warns against “function creep” with respect to monitoring technologies, emphasizing that employers should not collect more information than is necessary through the use of employee monitoring.
The Guidance further advises employers to seek the views of workers or their representatives when considering the use of monitoring technologies, and involve workers during the early planning stages. The Guidance indicates that covert monitoring (i.e., where employees are unaware of the monitoring taking place) is unlikely to be justifiable in normal circumstances, and generally will only be appropriate in cases of criminal activity, gross misconduct or similar circumstances.