The Information Commissioner’s Office (ICO) has published new guidance for employers on monitoring workers lawfully, transparently and fairly. This provides direction to employers on how monitoring can be compliant with data protection law and includes good practice advice to help employers build trust with their workers and respect their rights to privacy.
Monitoring can include tracking calls, messages and keystrokes; taking screenshots; webcam footage or audio recordings and location or activity tracking.
The ICO say if an organisation is looking to monitor workers, it must take steps including:
- Making workers aware of the nature, extent and reasons for monitoring.
- Having a clearly defined purpose and using the least intrusive means to achieve it.
- Having a lawful basis for processing workers data – such as consent or legal obligation.
- Telling workers about any monitoring in a way that is easy to understand.
- Only keeping the information which is relevant to its purpose.
- Carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to the rights of workers.
- Making the personal information collected through monitoring available to workers if they make a Subject Access Request (SAR).
The guidance provides an overview of how data protection law applies to the processing of personal data for monitoring workers. It also considers specific types of monitoring practices, including the use of biometric data to monitor timekeeping and attendance.
The ICO is urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented. While data protection law does not prevent monitoring, the guidance is clear that it must be necessary, proportionate and respect the rights of workers.
The guidance contains checklists that employers can use to check their compliance.
